Paubox blog: HIPAA compliant email made easy

What are indicators of compromise?

Written by Kapua Iao | June 28, 2022

Why it is critical for healthcare to monitor for IOCs

Indicators of compromise (IOCs) are significant in data breach detection, response, and cybersecurity. Monitoring for IOCs is essential for critical infrastructure like healthcare tasked with safeguarding protected health information (PHI).

IOCs let you know if there was malicious activity on your computer or your network. Malicious activity can be anything from illegal access like a data breach to malware and ransomware. Monitoring for compromise indicators allows organizations to identify and block unauthorized access quickly. And on a macro level, IOCs can provide insightful information to keep threat actors from employing their tactics widely.

Please find out more about it in this blog.


Indicators of compromise – sounds ominous but is the complete opposite

According to several tech websites (such as TechTarget), IOCs are pieces of forensic data that warn of a possible compromise. They act like breadcrumbs that point the way to potential cyberattacks.

Once a breadcrumb is recognized, whoever is monitoring a system knows to dig for further information. And IOCs establish what went wrong after a cyberattack and how an organization can avoid future exploits.

 

What is the difference between an IOC and an IOA?

A similar term that some confuse with IOCs is indicators of attack (IOAs). While IOCs ask, “What happened?” IOAs ask the question, “What is happening and why?” In other words, IOAs focus on the intent of the cyberattacker while an attack is occurring. IOCs are reactive and static, while IOAs are proactive and dynamic.

The purpose of IOCs is to improve monitoring activities to appropriately detect, communicate, and quarantine or remove the malicious activity. They not only provide organization-wide protection but can be utilized between organizations and/or industries worldwide. IOCs, like IOAs, are vital bits of data that indicate the presence of malicious activity. But they can also reveal what cyber protection may be needed.

Consequently, documenting through a community can improve incident response times and cybersecurity in general. In addition, the better protected organizations are, the less likely a threat actor will succeed.

 

What do Indicators of Compromise look like?

There are several common examples of IOCs:
  • Unusual outbound network traffic
  • Geographical irregularities
  • Anomalies in privileged user account activity
  • Login anomalies
  • Increases in database read volume
  • Unusual DNS requests
  • Increased requests for the same file
  • HTML response sizes
  • Mismatched port-application traffic
  • Suspicious registry or system file changes
  • Unexpected patching of systems
  • Mobile device profile changes
  • Bundles of data in the wrong place
  • Web traffic with nonhuman behavior
  • Signs of DDoS activity

 

The idea is that this behavior points to unfamiliar or unwarranted activity. And it is more than likely that the next step is a thorough investigation.

 

Detecting Indicators of Compromise

IOCs can be simple, easily retrievable metadata or complex code; they are not always easy to detect. They may be indicators of a single malicious event or several. Or a few IOCs may connect and point to a more significant threat, possibly even within numerous organizations or countries.

Detection can be done by periodically searching (i.e., threat hunting) or monitoring a system for any of the above examples. It can also happen if someone inadvertently comes across an unfamiliar file. Organizations typically hire trained IT professionals to identify IOCs, though they may also rely on software such as Loki.

But by and large, organizations want IT professionals that utilize advanced technology to scan, analyze, and isolate suspicious activity.

 

Mitigating cyberattacks with IOCs

The irregular data found (i.e., the IOCs) are evidence of an attacker’s tactics, techniques, procedures, or breach tools. Additionally, they point to the possible breach, virus, or malware. The objective is to analyze the breadcrumbs as single or related incidents to identify a single threat or a pattern. So, for example, we can look at a phishing campaign, which goes after the weakest link of any organization: the employees.

Investigators would want to look for IOCs in the email system. Such IOCs may include suspicious email or IP addresses and problematic domains. Furthermore, attached malware may even have left its own indicators. By finding the related IOCs, cybersecurity can keep an inbox safe before phishing causes a serious issue. Unfortunately, zero-day attacks remain elusive because they happen so quickly. Moreover, it is hard to find indicators for them. So, while IOCs help prepare an organization for the future, there is still more to explore about the topic.
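The email check described above, as an added example that is not part of the original article: it parses one raw message and reports sender, relay IP and link-domain matches against a watchlist. The watchlist entries, sample message and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed watchlist: reserved .example domains and a documentation-range IP.
IOC_SENDERS = {"billing@invoice-portal.example"}
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"login-verify.example"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)

# Constructed sample message (not real traffic).
SAMPLE_PHISH = """\
Received: from mail.invoice-portal.example (unknown [203.0.113.45])
\tby mx.clinic.example with ESMTP; Tue, 28 Jun 2022 09:14:02 +0000
From: "Accounts" <billing@invoice-portal.example>
To: nurse@clinic.example
Subject: Overdue invoice

Review your statement at http://secure.login-verify.example/pay today.
"""

def domain_matches(host, bad_domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in bad_domains)

def find_email_iocs(raw_message):
    """Return sorted (kind, value) watchlist hits for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    hits = set()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in IOC_SENDERS:
        hits.add(("sender", sender))
    # Relay IPs recorded by each mail hop.
    for received in msg.get_all("Received", []):
        hits.update(("relay-ip", ip) for ip in IP_RE.findall(received) if ip in IOC_IPS)
    # Hosts of links in every text part of the body.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        hits.update(("url-domain", h.lower()) for h in URL_HOST_RE.findall(text)
                    if domain_matches(h, IOC_DOMAINS))
    return sorted(hits)

if __name__ == "__main__":
    for kind, value in find_email_iocs(SAMPLE_PHISH):
        print(f"{kind}: {value}")
```
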

 

Share IOCs and collaborate for safer systems

IOCs are most helpful when shared so that countless individuals and organizations can access them. This is why standardized formats and accessible, shareable databases are beneficial. In fact, there are a few free cyber threat information (CTI) standards, such as STIX (Structured Threat Information Expression). STIX creates a unified language for recording threat information and importing it into software solutions.
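What recording an IOC in STIX looks like in practice, as an added example that is not part of the original article: it builds STIX 2.1 Indicator objects and a bundle using only the Python standard library. The helper names, indicator names and IOC values are constructed for illustration.

```python
import json
import uuid
from datetime import datetime, timezone

# STIX object paths for the IOC kinds the article names (domains, IPs, email addresses).
PATTERN_PATHS = {
    "domain": "domain-name:value",
    "ipv4": "ipv4-addr:value",
    "email": "email-addr:value",
}

def stix_timestamp(dt):
    """Format a timezone-aware datetime as UTC with millisecond precision and a 'Z' suffix."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"

def make_indicator(kind, value, name, seen_at):
    """Build one STIX 2.1 Indicator object as a plain dict."""
    # Backslash and single quote must be escaped inside a pattern string literal.
    literal = value.replace("\\", "\\\\").replace("'", "\\'")
    ts = stix_timestamp(seen_at)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{PATTERN_PATHS[kind]} = '{literal}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }

def make_bundle(indicators):
    """Wrap indicators in a STIX bundle, the container used for exchange."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}

if __name__ == "__main__":
    seen = datetime(2022, 6, 28, 9, 14, 2, tzinfo=timezone.utc)  # constructed
    bundle = make_bundle([
        make_indicator("domain", "login-verify.example", "Phishing link domain", seen),
        make_indicator("ipv4", "203.0.113.45", "Phishing relay IP", seen),
    ])
    print(json.dumps(bundle, indent=2))
```
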

Similarly, some platforms facilitate the sharing of standardized CTI, such as:

  • TAXII (Trusted Automated Exchange of Intelligence Information)
  • MISP (Malware Information Sharing Platform)

 

Then there is also OpenIOC, a simple framework that uses its own standards and platform.

Finally, there are a few membership-based groups called ISACs (Information Sharing and Analysis Centers).