Indicator of Compromise (IoC) Flashcards

1
Q

What are the network-related IoCs?

A
  • malicious domains and/or IP addresses
  • sudden large bandwidth utilization (unusual traffic spikes)
  • beaconing
  • irregular P2P communication
  • activity on unusual ports
  • network scanning and reconnaissance
  • unusual HTTP/DNS/TLS/FTP activity
  • signs of data exfiltration
2
Q

What are the host-related IoCs?

A
  • unusually high processor consumption
  • unusually high memory consumption
  • unusually high drive capacity consumption
  • unauthorized software
  • unusual processes with strange names
  • unauthorized changes (configuration)
  • unauthorized privileges
  • abnormal OS process behavior
  • file system changes (new directories, modification of current ones)
  • registry changes
  • unauthorized scheduled tasks
3
Q

What are the application-related IoCs?

A
  • unauthorized access
  • unusual network traffic
  • suspicious database queries
  • unauthorized modifications to code
  • unauthorized access to sensitive data
  • unauthorized execution of privileged actions
  • unauthorized creation of user accounts
  • unexpected application behavior
  • unauthorized use of application resources
  • unauthorized installation of software
  • unauthorized configuration changes
  • unauthorized access to application logs
4
Q

What is intelligence?

A

enriching information gathered from outside sources that are associated with the IoCs

5
Q

Why is intelligence important when dealing with a security incident?

A

gathering already known information about the malware helps organizations to make decisions when handling the incident

6
Q

There is a consistent surge in file write operations on your server on a daily basis. What type of attack is likely to blame?

A

Ransomware attack
