2.4.6 Indicators
Lockouts, impossible travel, missing logs.
Indicators of compromise (IoCs) are forensic artifacts or observable patterns that provide evidence an unauthorized intrusion or security breach has occurred on a system or network.
Account and Identity Indicators Unusual activity related to user authentication often serves as the first warning of an active exploit or brute-force attempt. - Account lockouts: A sudden spike in locked accounts typically indicates a brute-force or password spraying attack where a threat actor is attempting to guess credentials. - Impossible travel: This occurs when a user logs in from two geographically distant locations in a timeframe that is physically impossible to travel between (e.g., logging in from New York, then 10 minutes later from London). This suggests credential theft or session hijacking. - New account creation: Unauthorized creation of administrative or guest accounts is a common method for attackers to maintain persistence within a network.
Logging and Monitoring Discrepancies Attackers often attempt to hide their tracks by tampering with the evidence of their presence. - Missing logs: Large gaps in event logs or the complete absence of logs for specific periods suggest an intruder has manually deleted them or disabled the logging service to prevent traceability. - Log tampering: Subtle changes to log entries or the disabling of a local Event Viewer (Windows) or syslog service can indicate a compromised system. - Separation of duties: To prevent log tampering, organizations should ensure the administrator who manages systems does not also have the authority to delete or modify audit logs. This is an administrative control that ensures verifiability.
Operational and Environmental Indicators Changes in system behavior or resource consumption can reveal hidden malicious processes. - Increased outgoing traffic: A sudden surge in outbound data may indicate data exfiltration (an attacker stealing sensitive files) or a compromised host acting as a botnet node. - Resource exhaustion: Excessive CPU, memory, or disk usage can signal the presence of unauthorized background tasks, such as malware or cryptominers. - Permission changes: Frequent or strange modifications to file permissions or ownership often indicate a threat actor attempting privilege escalation.
Quick Recall - Indicator of Compromise (IoC): Physical or digital evidence of a successful or attempted attack. - Threat Intelligence: Information from vulnerability databases, journals, or the Dark Web used to predict and identify potential IoCs. - Manual Log Deletion: A major red flag for an internal or highly skilled external threat actor. - Audit Policy: The configuration that dictates what events are recorded; distinct from the logs themselves.