Indicators of Compromise 2.4

Question 1

An event that indicates an intrusion is called an […]

Ex:
- Unusual amount of network Traffic
- Change to file hash values
- Irregular international traffic
- Change to DNS data

Answer 1

Indicator of Compromise

Question 2

IoC - […]

• Credentials aren’t working
• Exceeded login attempts
• Account possibly administratively disabled

Answer 2

Account lockout

Question 3

IoC - […]

• Having two of the same user accounts logged in at different locations

Answer 3

Concurrent session usage

Question 4

IoC - […]

• Once an attacker gains access to systems, they might disable:
• Auto Updates
• Links to Security Patches
• Anti Malware sites / removal tools

Answer 4

Blocked Content

Question 5

IoC - […]

• Login in Vernon, NJ (Headquarters)
• Three minutes later a login from Russia
• Log analysis

Answer 5

Impossible travel / logins from very far away

Question 6

IoC - […]

• Every attackers action has an equal and opposite reaction
• An unusual network spike at 3am (File Transfer from attacker)
• Firewall logs showing and outbound transfer to an unknown IP address

Answer 6

Resource Consumption

Question 7

IoC […]

• A server is down
• The network is not functional
• Encrypted data (Ransomware)
• Brute force attack that locks account access

Answer 7

Resource Inaccessibility

Question 8

IoC - […]

• Logs are sent in the wrong timeframe
• Essentially logs that are out of place (You didn’t do it so why is it there?)

Answer 8

Out of Cycle Logging

Question 9

IoC - […]

• An attacker will try to cover their tracks by removing these

Answer 9

Missing Logs

Question 10

IoC - […]

• Private organizational data is exfiltrated and posted
• Either a portion of it or all of it is posted, usually for ransomware

Answer 10

Published / Documented