Key Indicators of Compromise After a Security Breach
Following a cybersecurity incident, security teams must rapidly identify and contain the threat to prevent further damage. This article provides a direct overview of the primary indicators of compromise (IoCs) that incident response and security operations teams look for during post-breach investigations, focusing on network anomalies, host-level changes, and suspicious user behavior.
Network-Based Indicators of Compromise
Network traffic often provides the first clues that a system has been compromised. Security teams analyze network logs to detect several key anomalies:
- Unusual Outbound Traffic: A sudden spike in outbound data transfer, especially to unfamiliar IP addresses or unauthorized cloud storage services, often indicates data exfiltration.
- Geographical Anomalies: Network connections originating from or traveling to countries where the organization does not conduct business are a major red flag.
- Mismatched Port-Application Traffic: Attackers frequently bypass firewalls by sending non-standard traffic over common ports, such as running command-and-control (C2) protocols over Port 80 (HTTP) or Port 443 (HTTPS).
- High Volume of DNS Requests: Attackers often use Domain Generation Algorithms (DGAs) to establish communication with C2 servers, resulting in a high volume of failed or unusual DNS requests.
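The four network indicators above can be turned into simple detection logic. The following Python is an added example, not code from the article: it runs over a small constructed set of flow records and DNS log lines and flags outbound byte spikes against a per-host baseline, traffic on port 80/443 that is not HTTP/TLS, destinations outside the organisation's operating countries (using a constructed GeoIP table with a placeholder country code), and hosts whose NXDOMAIN ratio suggests DGA lookups. The field layout, baselines and thresholds are assumptions chosen for the example.

```python
"""Added example: flag network-based IoCs in constructed flow and DNS records."""
from collections import defaultdict

# Constructed flow records: (src_host, dst_ip, dst_port, observed_protocol, bytes_out)
FLOWS = [
    ("ws-01", "203.0.113.10", 443, "tls", 40_000),
    ("ws-01", "203.0.113.10", 443, "tls", 35_000),
    ("ws-02", "198.51.100.7", 443, "custom-binary", 2_000),   # non-TLS traffic on 443
    ("ws-02", "198.51.100.7", 443, "custom-binary", 1_500),
    ("ws-03", "192.0.2.44", 443, "tls", 9_500_000),           # large upload to unfamiliar host
    ("ws-04", "203.0.113.10", 80, "http", 12_000),
]

# Constructed per-host daily outbound baseline in bytes (what "normal" looks like)
BASELINE_BYTES = {"ws-01": 80_000, "ws-02": 5_000, "ws-03": 50_000, "ws-04": 20_000}

# Constructed GeoIP table ("ZZ" is a placeholder country) and approved countries
GEOIP = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "ZZ"}
ALLOWED_COUNTRIES = {"US", "CA"}

# Constructed DNS log: (src_host, queried_name, rcode)
DNS_LOG = [
    ("ws-01", "mail.example.com", "NOERROR"),
    ("ws-01", "intranet.example.com", "NOERROR"),
    ("ws-01", "cdn.example.com", "NOERROR"),
    ("ws-02", "www.example.com", "NOERROR"),
]
DNS_LOG += [("ws-02", f"{label}.net", "NXDOMAIN")
            for label in ("qzxk1m", "pw9ty2", "hh3lq8", "ztr7vc", "mmx0ka", "b2qqla")]

# Which application protocols are expected on the common web ports
EXPECTED_PROTOCOL = {80: {"http"}, 443: {"tls"}}


def outbound_spikes(flows, baseline, factor=5.0):
    """Hosts whose total outbound bytes exceed `factor` times their baseline."""
    totals = defaultdict(int)
    for src, _dst, _port, _proto, nbytes in flows:
        totals[src] += nbytes
    return sorted(src for src, total in totals.items()
                  if total > factor * baseline.get(src, 0))


def port_protocol_mismatches(flows):
    """Flows on 80/443 whose observed protocol is not the one the port implies."""
    hits = set()
    for src, dst, port, proto, _nbytes in flows:
        expected = EXPECTED_PROTOCOL.get(port)
        if expected and proto not in expected:
            hits.add((src, dst, port, proto))
    return sorted(hits)


def geo_anomalies(flows, geoip, allowed):
    """Connections to destinations mapped outside the approved country list."""
    hits = set()
    for src, dst, *_rest in flows:
        country = geoip.get(dst, "UNKNOWN")
        if country not in allowed:
            hits.add((src, dst, country))
    return sorted(hits)


def dga_suspects(dns_log, min_queries=5, nxdomain_ratio=0.6):
    """Hosts with many queries of which a large share fail to resolve."""
    counts = defaultdict(lambda: [0, 0])  # per host: [total, nxdomain]
    for src, _name, rcode in dns_log:
        counts[src][0] += 1
        if rcode == "NXDOMAIN":
            counts[src][1] += 1
    return sorted(src for src, (total, nx) in counts.items()
                  if total >= min_queries and nx / total >= nxdomain_ratio)


if __name__ == "__main__":
    print("outbound spikes:", outbound_spikes(FLOWS, BASELINE_BYTES))
    print("port/protocol mismatches:", port_protocol_mismatches(FLOWS))
    print("geo anomalies:", geo_anomalies(FLOWS, GEOIP, ALLOWED_COUNTRIES))
    print("DGA suspects:", dga_suspects(DNS_LOG))
```

Each function returns a sorted list so results are stable for alerting and deduplication; in practice the baseline and GeoIP inputs would come from historical flow data and a real GeoIP database rather than the constructed tables here.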
Host and System-Based Indicators
Once inside a network, attackers interact with endpoint devices and servers. Security teams scan hosts for specific footprints left behind by malicious actors:
- Unexpected Registry or System File Changes: Alterations to critical system files or the Windows Registry are common tactics used to establish persistence on a system.
- Suspicious Files and Applications: The presence of unrecognized executable files (.exe), scripts (.ps1, .bat), or archiving tools in temporary folders or system directories suggests unauthorized activity.
- Disabled Security Tools: Attackers frequently attempt to disable antivirus software, firewalls, and logging services to evade detection. The sudden termination of security agents is a critical indicator of compromise.
- Anomalous System Processes: Processes running from unusual paths, or legitimate system processes (like svchost.exe or powershell.exe) behaving abnormally, often indicate process injection or living-off-the-land techniques.
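The host indicators above (executables in temporary folders, terminated security agents, and system binaries running from the wrong path or under the wrong parent) can be checked against a process snapshot. The Python below is an added example, not code from the article: it inspects a constructed list of running processes using Windows path semantics (`ntpath`, so it runs anywhere). The expected install directories, the parent-process expectation for svchost.exe and lsass.exe, the list of required security agents and the process records are all assumptions made for the example.

```python
"""Added example: host-based IoC checks over a constructed process snapshot."""
import ntpath  # Windows path handling regardless of the platform running this

# Assumed canonical directories for well-known system binaries (lower-case)
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "powershell.exe": r"c:\windows\system32\windowspowershell\v1.0",
    "lsass.exe": r"c:\windows\system32",
}
# Assumed legitimate parents for processes that are normally only started by one service
EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "lsass.exe": {"wininit.exe"}}
# Directory fragments where user-writable executables usually should not run from
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\")
EXECUTABLE_SUFFIXES = (".exe", ".ps1", ".bat")
# Security agents that should always be present on a managed host (assumed names)
REQUIRED_AGENTS = {"msmpeng.exe", "sysmon64.exe"}

# Constructed process snapshot: (pid, image_name, full_path, parent_image_name)
PROCESSES = [
    (620, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe"),
    (900, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    (3120, "svchost.exe", r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "explorer.exe"),
    (4410, "powershell.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "explorer.exe"),
    (5010, "updater.exe", r"C:\Windows\Temp\updater.exe", "cmd.exe"),
    (5500, "sysmon64.exe", r"C:\Windows\Sysmon64.exe", "services.exe"),
]


def path_anomalies(processes):
    """PIDs of known system binaries running from a directory other than their canonical one."""
    hits = []
    for pid, name, path, _parent in processes:
        expected_dir = KNOWN_SYSTEM_BINARIES.get(name.lower())
        if expected_dir and ntpath.dirname(path.lower()) != expected_dir:
            hits.append(pid)
    return hits


def parent_anomalies(processes):
    """PIDs whose parent is not one of the parents the binary is normally started by."""
    hits = []
    for pid, name, _path, parent in processes:
        allowed = EXPECTED_PARENT.get(name.lower())
        if allowed and parent.lower() not in allowed:
            hits.append(pid)
    return hits


def temp_executables(processes):
    """PIDs of executables/scripts running from temporary or download folders."""
    hits = []
    for pid, _name, path, _parent in processes:
        lowered = path.lower()
        if lowered.endswith(EXECUTABLE_SUFFIXES) and any(
                frag in lowered for frag in SUSPICIOUS_DIR_FRAGMENTS):
            hits.append(pid)
    return hits


def missing_agents(processes, required=REQUIRED_AGENTS):
    """Required security agents that have no running process (possible tampering)."""
    running = {name.lower() for _pid, name, _path, _parent in processes}
    return sorted(required - running)


if __name__ == "__main__":
    print("wrong path:", path_anomalies(PROCESSES))
    print("wrong parent:", parent_anomalies(PROCESSES))
    print("temp executables:", temp_executables(PROCESSES))
    print("missing agents:", missing_agents(PROCESSES))
```

The same process can trip several checks at once (here PID 3120 fails all three), which is useful for scoring: a copy of svchost.exe in a user's Temp folder started by explorer.exe is far stronger evidence than any one of those facts alone.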
Authentication and User Account Indicators
Compromised credentials are one of the most common entry points for hackers. Monitoring user account activity helps identify when credentials have been weaponized:
- Spikes in Failed Login Attempts: A sudden surge in failed logins for a specific account, or across multiple accounts, typically indicates a brute-force or credential-stuffing attack.
- Privileged Account Creation: The unauthorized creation of new administrator or high-privilege accounts is a classic sign of an attacker attempting to secure permanent access to the network.
- Impossible Travel Anomalies: When a single user account logs in from two distant geographic locations within a timeframe that makes physical travel between them impossible, it indicates credential sharing or theft.
- Abnormal Access Times: A user accessing sensitive databases or systems outside of their normal working hours, without prior authorization, warrants immediate investigation.
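The four account indicators above map onto checks over an authentication log. The Python below is an added example, not code from the article: it runs over a constructed set of login, access and account-creation events and flags failed-login bursts in a sliding window, impossible travel between successive successful logins (great-circle distance from the GeoIP coordinates attached to each event), privileged account creation by an unapproved actor, and off-hours access to sensitive resources. Event layout, thresholds, working hours and the approved-provisioner list are assumptions made for the example.

```python
"""Added example: authentication and user-account IoC checks over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

SENSITIVE_RESOURCES = {"hr-db", "finance-db"}
WORK_HOURS = (8, 18)                      # assumed local working hours, [start, end)
APPROVED_PROVISIONERS = {"it-provisioning"}  # assumed accounts allowed to create admins

T = datetime(2024, 5, 1)  # constructed base date
NYC, LONDON, SINGAPORE = (40.71, -74.01), (51.51, -0.13), (1.35, 103.82)

# Constructed events; "geo" is the (lat, lon) a GeoIP lookup would attach to src_ip
EVENTS = [
    {"time": T + timedelta(hours=9), "user": "alice", "action": "login",
     "result": "success", "geo": NYC},
    {"time": T + timedelta(hours=9, minutes=5), "user": "alice", "action": "access",
     "result": "success", "geo": NYC, "resource": "hr-db"},
    {"time": T + timedelta(hours=10, minutes=30), "user": "alice", "action": "login",
     "result": "success", "geo": SINGAPORE},
    {"time": T + timedelta(hours=23, minutes=15), "user": "dave", "action": "access",
     "result": "success", "geo": NYC, "resource": "hr-db"},
    {"time": T + timedelta(hours=11), "user": "svc-backup", "action": "account_create",
     "new_user": "admin2", "groups": ["Administrators"]},
    {"time": T + timedelta(hours=11), "user": "it-provisioning", "action": "account_create",
     "new_user": "erin", "groups": ["Users"]},
]
# Six failures for bob inside five minutes, two for carol an hour apart
EVENTS += [{"time": T + timedelta(hours=2, minutes=m), "user": "bob", "action": "login",
            "result": "failure", "geo": LONDON} for m in range(6)]
EVENTS += [{"time": T + timedelta(hours=h), "user": "carol", "action": "login",
            "result": "failure", "geo": LONDON} for h in (14, 15)]


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def failed_login_spikes(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed logins inside any `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "failure":
            fails[e["user"]].append(e["time"])
    flagged = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def impossible_travel(events, max_speed_kmh=900.0, min_km=50.0):
    """(user, km, km/h) for successive successful logins faster than an airliner."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["result"] == "success":
            logins[e["user"]].append(e)
    hits = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["geo"], cur["geo"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_speed_kmh:  # min_km absorbs GeoIP imprecision
                hits.append((user, round(km), round(speed)))
    return hits


def unapproved_admin_creation(events, approved=APPROVED_PROVISIONERS):
    """(actor, new_user) for privileged accounts created by unapproved actors."""
    return [(e["user"], e["new_user"]) for e in events
            if e["action"] == "account_create"
            and "Administrators" in e["groups"] and e["user"] not in approved]


def off_hours_access(events, sensitive=SENSITIVE_RESOURCES, hours=WORK_HOURS):
    """(user, resource, time) for successful sensitive access outside working hours."""
    return [(e["user"], e["resource"], e["time"].isoformat()) for e in events
            if e["action"] == "access" and e["result"] == "success"
            and e["resource"] in sensitive and not (hours[0] <= e["time"].hour < hours[1])]


if __name__ == "__main__":
    print("failed-login spikes:", failed_login_spikes(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    print("unapproved admin creation:", unapproved_admin_creation(EVENTS))
    print("off-hours access:", off_hours_access(EVENTS))
```

The impossible-travel check deliberately ignores moves under `min_km`, because GeoIP places users by provider, not by street, and a corporate VPN or CDN can legitimately shift the apparent location by tens of kilometres; tune that floor and the speed ceiling to the organisation's own baseline before alerting on it.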