Indicators of compromise: have you already been hacked?
Attackers leave traces of what they did behind, and those traces let us tell whether an attack has occurred. They are referred to as Indicators of Compromise (IoCs). Here we discuss what these indicators are and how to spot them.
Indicators of compromise: What are they?
Unlike other kinds of theft, cyber attacks can be hard to detect, and most enterprises do not learn that an attack occurred until it is too late, leaving them exposed to damage that could have been avoided. If you are not aware that an attacker has gained access to your database, you cannot limit the damage or take the necessary actions.
Recognizing IoCs is what lets you respond: contain the intrusion, look for the weakness or bug that let it happen, and put stronger security controls in place.
The most common Indicators of Compromise
Here are a few of the most common indicators of compromise; any one of them should be enough to alert you to a potential breach:
Suspicious database queries
Company databases are a frequent target because they hold valuable customer information, company records and password hashes. Users reach them through queries or access requests, and an unusual spike or unusually high volume of such requests can be an IoC. Queries that are unusual in kind rather than number also count, such as a bulk export of an entire table, or an application account running queries it never runs in normal operation.
Also check whether a DDoS attack has knocked out a particular feature of the site and caused what look like minor disruptions. Such an attack can be a diversion that keeps defenders busy while the real intrusion happens elsewhere.
Attackers often hide their real location by routing traffic through proxies or compromised machines, which makes it hard for the authorities to track them. Even so, geography is useful: if your users are mainly in Canada and there is a sudden rise in traffic and requests from Australia, that can be a visible indicator of an attack. Keep track of where most of your traffic comes from and be on the lookout for anomalies.
Failed login attempts
Breaking into a network may take many login attempts before attackers get through, and they often use brute-force tools to do it. Such tools try candidate passwords one after another, from wordlists or by enumerating combinations, until one matches. An upsurge in failed login attempts, especially many failures from one source address or against one account within a short time, indicates that someone is trying to find their way into the company's accounts.
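The two indicators above, failed-login bursts and traffic from unexpected countries, are easy to turn into detection logic. The following is an added example, not code from the original article: it parses constructed sshd-style auth.log lines (the sample data, the assumed year 2024, and the toy IP-to-country table are all made up for the example; in production the country comes from a GeoIP database and the expected-country baseline from your own traffic history). A source address with five or more failures inside a sixty-second sliding window is flagged, and the alert is upgraded if that address later logs in successfully, because a brute-force attempt that worked is the indicator that matters most.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of sshd-style auth.log lines (not real data). The first
# source hammers root/admin and then logs in; the others are normal users.
SAMPLE_AUTH_LOG = """\
Jan 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51001 ssh2
Jan 12 03:14:03 web1 sshd[2202]: Failed password for root from 203.0.113.5 port 51002 ssh2
Jan 12 03:14:05 web1 sshd[2203]: Failed password for admin from 203.0.113.5 port 51003 ssh2
Jan 12 03:14:08 web1 sshd[2204]: Failed password for admin from 203.0.113.5 port 51004 ssh2
Jan 12 03:14:10 web1 sshd[2205]: Failed password for admin from 203.0.113.5 port 51005 ssh2
Jan 12 03:14:12 web1 sshd[2206]: Accepted password for admin from 203.0.113.5 port 51006 ssh2
Jan 12 08:02:44 web1 sshd[2310]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jan 12 08:02:51 web1 sshd[2311]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Jan 12 09:30:00 web1 sshd[2400]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Jan 12 11:30:00 web1 sshd[2401]: Failed password for bob from 192.0.2.9 port 42001 ssh2
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text, year=LOG_YEAR):
    """Turn auth.log lines into event dicts; lines that are not password events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window.
    A flagged IP that later authenticates successfully is upgraded to
    'success_after_bruteforce' and the account it got into is recorded."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerts = {}                  # ip -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, q = ev["ip"], recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "severity": "bruteforce",
                              "failures": len(q), "first_seen": q[0], "user": None}
        elif ip in alerts:
            alerts[ip]["severity"] = "success_after_bruteforce"
            alerts[ip]["user"] = ev["user"]
    return sorted(alerts.values(), key=lambda a: a["ip"])


# Constructed request counts per source IP for one five-minute window of web
# traffic, plus a toy IP-to-country table (a GeoIP lookup in real deployments).
SAMPLE_REQUESTS = Counter({"198.51.100.7": 400, "198.51.100.8": 350,
                           "203.0.113.20": 600, "203.0.113.5": 5})
IP_COUNTRY = {"198.51.100.7": "CA", "198.51.100.8": "CA",
              "203.0.113.20": "AU", "203.0.113.5": "AU"}


def unexpected_countries(requests, ip_country, expected, min_share=0.10):
    """Return (country, share) pairs for countries outside the expected baseline
    that account for at least min_share of the requests in the window."""
    total = sum(requests.values())
    per_country = Counter()
    for ip, n in requests.items():
        per_country[ip_country.get(ip, "??")] += n
    hits = [(c, n / total) for c, n in per_country.items()
            if c not in expected and n / total >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
    print(unexpected_countries(SAMPLE_REQUESTS, IP_COUNTRY, expected={"CA"}))
```

On the sample, 203.0.113.5 produces a success_after_bruteforce alert for the admin account, while bob's two failures hours apart and alice's single typo never reach the threshold; the traffic check reports AU as an unexpected country carrying roughly 45% of the window's requests. Tune the threshold and window to your own baseline: a public SSH port sees background scanning all day, so the "success after failures" upgrade is the alert worth paging on.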
Irregular admin activity
When an attack is launched against a server or website, admin accounts are the first target, since they serve as a gateway to the remaining user accounts. A compromised admin account can then be used for further intrusions of varying kinds.
Robust monitoring of admin accounts for signs of unusual activity is therefore imperative: logins from unfamiliar addresses, activity at odd hours, or new accounts and privileges being created. As soon as you detect such activity, you can revoke the admin access and prevent further damage.
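As an added example (not from the original article), here is rule-based monitoring of privileged accounts over a constructed JSON-lines audit log. The account list, the known login sources per account and the business-hours window are assumed baselines that a real deployment would learn from its own audit history; the events are made up for the example. Each admin event is checked for a login from a source never seen for that account, activity outside business hours, and a grant of the admin role, and the source addresses behind any finding are the ones whose sessions to terminate and whose access to revoke.

```python
import json
from datetime import datetime

# Constructed audit events (JSON lines, not real data): an admin session from the
# usual office address during the day, then a night-time session from a new
# address that creates an account and grants it admin rights.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-12T09:05:00", "user": "admin", "action": "login", "src_ip": "198.51.100.7"}
{"ts": "2024-01-12T09:06:00", "user": "admin", "action": "view_report", "src_ip": "198.51.100.7"}
{"ts": "2024-01-12T02:41:00", "user": "admin", "action": "login", "src_ip": "203.0.113.5"}
{"ts": "2024-01-12T02:42:00", "user": "admin", "action": "create_user", "src_ip": "203.0.113.5", "target": "svc_backup"}
{"ts": "2024-01-12T02:43:00", "user": "admin", "action": "grant_role", "src_ip": "203.0.113.5", "target": "svc_backup", "role": "admin"}
{"ts": "2024-01-12T10:15:00", "user": "alice", "action": "login", "src_ip": "198.51.100.9"}
"""

# Assumed baseline: which accounts are privileged, where each normally logs in
# from, and the local hours during which admin work is expected.
ADMIN_ACCOUNTS = {"admin"}
KNOWN_SOURCES = {"admin": {"198.51.100.7"}}
BUSINESS_HOURS = (8, 18)  # inclusive start hour, exclusive end hour


def parse_audit_log(text):
    """Parse JSON-lines audit events and convert the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def audit_admin_activity(events, admin_accounts=ADMIN_ACCOUNTS,
                         known_sources=KNOWN_SOURCES, business_hours=BUSINESS_HOURS):
    """Return one finding per privileged event that breaks a rule:
    login from a source never seen for that account, activity outside
    business hours, or the admin role being granted to any account."""
    start, end = business_hours
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] not in admin_accounts:
            continue
        reasons = []
        if ev["action"] == "login" and ev["src_ip"] not in known_sources.get(ev["user"], set()):
            reasons.append("login_from_new_source")
        if not (start <= ev["ts"].hour < end):
            reasons.append("outside_business_hours")
        if ev["action"] == "grant_role" and ev.get("role") == "admin":
            reasons.append("admin_role_granted")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "action": ev["action"],
                             "src_ip": ev["src_ip"], "reasons": reasons})
    return findings


def sources_to_revoke(findings):
    """Source addresses behind any finding: terminate their sessions and revoke access."""
    return sorted({f["src_ip"] for f in findings})


if __name__ == "__main__":
    found = audit_admin_activity(parse_audit_log(SAMPLE_AUDIT_LOG))
    for f in found:
        print(f["ts"], f["user"], f["action"], f["src_ip"], ", ".join(f["reasons"]))
    print("revoke:", sources_to_revoke(found))
```

On the sample, the daytime session from the known office address produces nothing, alice is ignored because she is not privileged, and the three night-time events from 203.0.113.5 each produce a finding, with the role grant flagged even if the other two rules were relaxed. The rules are deliberately simple; the point is that they run against an audit trail you already keep, so an intruder who lands on an admin account shows up within minutes rather than months.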
It always pays to be vigilant: stay on the lookout for indicators of compromise so that you can act fast and step up your security before the damage spreads.