
Most Common Indicators of Compromise

ThreatIntelligenceLab.com

The threat of cyber attacks looms large, and one of the key defenses is the ability to detect early signs of intrusion.

Together we will delve into the most common indicators of compromise, giving you insight into the subtle yet critical signs that often precede a major security breach.

Most Common Indicators of Compromise in 2024

  1. Unusual Outbound Network Traffic:
    One of the most prominent indicators of compromise is unusual outbound network traffic. This includes significant spikes in data transfer or communication to unfamiliar external servers, potentially signaling unauthorized data exfiltration.
  2. Anomalies in Privileged User Account Activity:
    Irregular activities in privileged user accounts, such as unexpected logins or execution of atypical commands, are crucial signs of a potential breach. Privileged accounts, due to their elevated access, are often targeted by attackers.
  3. Geographical Irregularities in Access Patterns:
    Access requests from geographically inconsistent locations compared to normal user profiles can indicate compromise. This includes logins from foreign countries or access from multiple locations in a short time frame, suggesting possible credential theft.
  4. Other Login Red Flags:
    Multiple failed login attempts or logins from unfamiliar devices are important to monitor. These signs can indicate attempted brute force attacks or unauthorized access attempts.
  5. Swells in Database Read Volume:
    A sudden increase in database read volume may indicate unauthorized data access, often seen in reconnaissance stages of a cyber attack. This can suggest an adversary is attempting to extract valuable data.
  6. Changes in HTML Response Sizes:
    Unusual variations in HTML response sizes can signal a compromise, potentially indicating code injection or traffic redirection, often used in phishing or malware deployment.
  7. High Volume of Requests for the Same File:
    Frequent requests for the same file, especially within a short period, can point to an exploit attempt. This could be an early stage of a more extensive attack, including ransomware or other malware deployment.
  8. Mismatched Port-Application Traffic:
    Traffic on ports that do not typically align with the application’s expected use can suggest misuse. For example, file transfer protocols observed on ports designated for web traffic may indicate covert operations.
  9. Suspicious Registry or System File Changes:
    Unauthorized changes to registry entries or system files are strong indicators of a compromised system. Such changes could be part of an attacker’s strategy to gain persistence or control over the system.
  10. DNS Request Anomalies:
    Atypical patterns in DNS requests, such as excessive requests to unknown or suspicious domains, can indicate a compromised network. This may reveal command and control communications or other malicious network activities.
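Every indicator above can be measured against ordinary authentication, web, DNS and flow logs. The Python below is an added example (not code from the original article or from Threat Intelligence Lab) that implements simple detectors for five of them over constructed sample telemetry: a sliding-window burst detector shared by failed-login floods (item 4) and repeated requests for one file (item 7), an impossible-travel check for geographic irregularities (item 3), a per-host outbound-volume spike check against a short baseline (item 1), and a query-count check for DNS anomalies (item 10). All event data, host names, IP addresses, domain names and thresholds are constructed assumptions; the `country` field is assumed to have been filled in upstream by a GeoIP lookup.

```python
"""Toy indicator-of-compromise detectors over constructed sample telemetry.

Added example; the events below are invented, not real logs.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean


def ts(s):
    """Parse an ISO-8601 timestamp string into a datetime."""
    return datetime.fromisoformat(s)


# ---- constructed sample telemetry (assumed, not real data) ----
# (time, user, src_ip, country, result)
AUTH_EVENTS = [
    ("2024-03-01T08:00:00", "alice", "10.0.0.5", "NL", "success"),
    ("2024-03-01T08:25:00", "alice", "203.0.113.9", "BR", "success"),  # 25 min later, other country
    ("2024-03-01T09:00:00", "bob", "10.0.0.7", "NL", "success"),
    ("2024-03-01T13:00:00", "bob", "10.0.0.7", "DE", "success"),      # 4 h later: outside the window
    ("2024-03-01T11:00:00", "dave", "10.0.0.9", "NL", "failure"),
    ("2024-03-01T11:30:00", "dave", "10.0.0.9", "NL", "failure"),     # two failures, far apart
] + [
    (f"2024-03-01T10:00:{i:02d}", "carol", "198.51.100.7", "NL", "failure") for i in range(6)
]

# (time, src_ip, path): one client fetches the same file eight times in 21 seconds
WEB_EVENTS = [
    (f"2024-03-01T12:00:{3 * i:02d}", "203.0.113.9", "/download/report.pdf") for i in range(8)
] + [
    ("2024-03-01T12:05:00", "10.0.0.5", "/index.html"),
    ("2024-03-01T12:06:00", "10.0.0.5", "/about.html"),
]

# (host, queried name); ".test" is a reserved TLD, so the busy name is a placeholder
DNS_EVENTS = ([("ws-12", "beacon.badexample.test")] * 40
              + [("ws-12", "example.com")] * 30
              + [("ws-03", "mail.example.com")] * 5)
KNOWN_DOMAINS = {"example.com", "mail.example.com"}

# host -> daily outbound bytes, oldest first; the last entry is "today"
OUTBOUND = {
    "host-a": [1_000_000, 1_200_000, 900_000, 1_100_000, 1_300_000, 9_000_000],
    "host-b": [2_000_000, 2_100_000, 1_900_000, 2_000_000, 2_200_000, 2_300_000],
}


def sliding_window_bursts(events, key_fn, time_fn, window, threshold):
    """Return the keys that accumulate >= threshold events inside any span of length `window`."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=time_fn):
        key, t = key_fn(ev), time_fn(ev)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Indicator 4: users with a burst of failed logins (brute-force / password spraying signal)."""
    failures = [e for e in events if e[4] == "failure"]
    return sliding_window_bursts(failures, lambda e: e[1], lambda e: ts(e[0]), window, threshold)


def repeated_file_requests(events, threshold=5, window=timedelta(seconds=60)):
    """Indicator 7: (client, path) pairs that request the same file repeatedly in a short period."""
    return sliding_window_bursts(events, lambda e: (e[1], e[2]), lambda e: ts(e[0]), window, threshold)


def impossible_travel(events, window=timedelta(minutes=60)):
    """Indicator 3: consecutive successful logins by one user from different countries within `window`."""
    last_seen = {}
    hits = []
    for t, user, _ip, country, result in sorted(events, key=lambda e: ts(e[0])):
        if result != "success":
            continue
        if user in last_seen:
            prev_t, prev_country = last_seen[user]
            if country != prev_country and ts(t) - prev_t <= window:
                hits.append((user, prev_country, country))
        last_seen[user] = (ts(t), country)
    return hits


def dns_volume_anomalies(events, allowlist, threshold=20):
    """Indicator 10: names queried more than `threshold` times that are not on the known-good list."""
    counts = Counter(qname for _host, qname in events)
    return {q: n for q, n in counts.items() if n > threshold and q not in allowlist}


def outbound_spikes(daily_bytes, factor=3.0):
    """Indicator 1: hosts whose latest day sent more than `factor` x their baseline mean outbound bytes."""
    spikes = {}
    for host, series in daily_bytes.items():
        *baseline, today = series
        base = mean(baseline)
        if today > factor * base:
            spikes[host] = round(today / base, 1)
    return spikes


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(AUTH_EVENTS))
    print("impossible travel:", impossible_travel(AUTH_EVENTS))
    print("repeated file requests:", repeated_file_requests(WEB_EVENTS))
    print("DNS anomalies:", dns_volume_anomalies(DNS_EVENTS, KNOWN_DOMAINS))
    print("outbound spikes:", outbound_spikes(OUTBOUND))
```

The thresholds and windows are starting points to be tuned per environment, not fixed rules: a corporate VPN or a mobile carrier can make legitimate users appear to travel, and a scheduled backup will look like an outbound spike until the baseline includes it. The point of the shared `sliding_window_bursts` helper is that indicators 4 and 7 are the same "too many of X in too little time" pattern applied to different keys, which is also how you would extend it to the database read-volume indicator (item 5) given per-user query logs.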

Support from Threat Intelligence Lab

Do you want to know if you are missing something in your monitoring? Do you want to check the quality of the signatures, processes and methods you have in place?

We can help. Contact us to have a chat to see what we can do for you.
