Indicators of Compromise (IoCs) are pieces of forensic evidence that point to a possible attack on a system or network. IoCs are used by information security professionals and forensic analysts to detect suspicious activity, data breaches and malware infections. They can also reveal the extent and nature of a compromise, or serve as case studies that help protect the organization against future attacks.
Common Indicators of Compromise
Security risk assessment and investigation are essential for organizations. Here are some key IoCs that security and network professionals need to be aware of.
Unusual levels of inbound and outbound traffic

Unusual network traffic levels can indicate a network security breach. Network administrators need to watch outbound traffic patterns in particular: outbound traffic is easier to monitor from inside the network, so the team can act on it immediately.
Substantial increase in database read volume

Databases are a prime target for attackers. SQL injection or direct access with administrator credentials can both be used to attack database systems, and in either case a database dump shows up as a spike in read volume.
Increased traffic from unusual locations

Unexpectedly high traffic from geographic locations where the organization has no operations is a warning sign. Network logs that show the same account logging in from different IPs within a brief time span are also an indicator of compromise.
Authentication Failures

An attacker may try to break into the network using phishing or automated credential attacks. A rise in failed authentication attempts indicates that stolen or guessed credentials are being tried, and therefore a potential threat to the network.
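One way to turn the two signals just described (a burst of failed logins from one source, and one account appearing from several IPs within a short window) into detection logic, as an added Python example that is not part of the original article; the log format, thresholds and sample log lines are constructed for illustration:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article; RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-03-01T09:00:01 login user=alice src=203.0.113.10 result=success
2024-03-01T09:00:05 login user=bob src=198.51.100.7 result=failure
2024-03-01T09:00:06 login user=bob src=198.51.100.7 result=failure
2024-03-01T09:00:07 login user=bob src=198.51.100.7 result=failure
2024-03-01T09:00:08 login user=bob src=198.51.100.7 result=failure
2024-03-01T09:02:00 login user=alice src=192.0.2.44 result=success
2024-03-01T09:03:00 login user=alice src=198.51.100.99 result=success
2024-03-01T10:00:00 login user=carol src=203.0.113.20 result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse lines into time-ordered (timestamp, user, src, result) tuples; unparseable lines are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return sorted((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]) for m in matches if m)

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=1)):
    """Flag source IPs with more than `threshold` failed logins inside any `window`-long span."""
    by_src = defaultdict(list)
    for ts, _user, src, result in events:
        if result == "failure":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        for i, start in enumerate(times):  # window anchored at each failure in turn
            count = sum(1 for t in times[i:] if t - start <= window)
            if count > threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged

def multi_source_logins(events, min_sources=3, window=timedelta(minutes=10)):
    """Flag accounts that log in successfully from `min_sources` or more distinct IPs within `window`."""
    by_user = defaultdict(list)
    for ts, user, src, result in events:
        if result == "success":
            by_user[user].append((ts, src))
    flagged = {}
    for user, logins in by_user.items():
        for i, (ts, _src) in enumerate(logins):  # window anchored at each successful login
            srcs = {s for t, s in logins[i:] if t - ts <= window}
            if len(srcs) >= min_sources and len(srcs) > len(flagged.get(user, ())):
                flagged[user] = sorted(srcs)
    return flagged
```

On the sample log, the first check flags 198.51.100.7 (four failures in five seconds) and the second flags alice (three IPs in three minutes); tune the thresholds and windows to the baseline of your own environment.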
Changes in Network/System Configuration

An attacker may alter network, security or device configurations in order to gain or keep network access. Such changes are a sign of compromise because they can expose vulnerabilities or open a backdoor into the system.
How do you identify indicators of compromise?
Professionals trained to analyze large volumes of network traffic and spot suspicious activity are the ones qualified to perform threat identification within an organization. Experts look for IoCs in three main areas.
Registry Key Changes

Malware can modify or add registry keys in order to gain persistence and control over a system. It is important to monitor registry changes, as they can be an IoC.
Process names and IDs

System administrators should know which applications run on their systems, and the organization should have strict rules about who can install and execute applications. Multiple unexpected instances of a process, or completely unrelated applications appearing on a system, can be an IoC.
Bad URLs and IP addresses

Attackers can craft URLs that look nearly identical to a legitimate URL. Security teams should be cautious about connections to unknown IP addresses. Attackers can also gain access to the network using IP spoofing, and bots that trigger DDoS attacks.
These are just a few of the indicators organizations should be aware of in order to detect potential threats. Others include:
Emails with malicious attachments from unknown sources
Abnormal privileged user activity
Unusual HTML response sizes
Multiple requests for the exact same file
Changes to registry or system files
Unexpected DNS changes
Distributed Denial-of-Service (DDoS) attacks
Security rating changes
Indicators of Compromise vs. Indicators of Attack
When a network or system is compromised, the business needs to answer one question: is the attack still active, or has it been identified and contained?
IoCs are concerned with attacks that have already taken place on the network or system. They help determine the extent of the breach and how much data was compromised. Once alerted to suspicious network activity, security professionals collect IoC data, which lets them build a solid, intelligent threat-detection system.
Indicators of Attack (IoAs) aim to identify an attack while it is in progress. The IoA approach focuses on the attacker's intent regardless of the tools used during the attack, and aims to stop the attack before it damages infrastructure.
Use indicators of compromise to improve detection and response
Businesses can monitor IoCs to reduce the risk posed by malware and attackers. Doing so lets security and network teams be proactive against different types of cybersecurity threats rather than merely reactive. It is good practice to keep audit trails and attack logs to help detect and resolve security threats; the more detailed these records are, the easier it is for the organization to investigate an attack.