Indicators of Compromise 2.4 Flashcards
1
Q
Indicators of Compromise (IoC)
A
- An event that indicates an intrusion with high confidence.
2
Q
Common Indicators
A
- Unusual amount of network activity
- Change to file hash values
- Irregular international traffic.
- Changes to DNS data.
- Uncommon login patterns.
- Spikes of read requests to certain files.
3
Q
Account Lockout
A
- A temporary blocking of the user’s ability to log into a system.
- Can be considered an Indicator of Compromise.
4
Q
Concurrent Session Usage
A
- An indicator of compromise.
- Multiple account logins from multiple locations.
- Difficult to track because users can legitimately be logged in to their accounts on multiple devices.
5
Q
Purpose of Blocking Content
A
- While using a compromised account, the attacker wants to stay on the system as long as possible.
- Attackers can use malware to Block Content.
6
Q
Types of Blocked Content
A
- Auto updates
- Links to security patches
- Third-party anti-malware sites
- Removal tools
7
Q
Impossible Travel
A
- When the logs show two logins for the same account from different locations, especially within a short amount of time.
8
Q
Resource Consumption
A
- A system does not have all the resources it needs to continue to function.
- Can be an indicator a system is being compromised.
9
Q
Signs of Resource Consumption
A
- Increased bandwidth usage
- Firewall logs showing an outgoing transfer.
10
Q
Resource Inaccessibility
A
- Server is down.
- Network disruption
- Server outage
- Encrypted data
- Brute force attack resulting in a locked account.
11
Q
Out-of-Cycle Logging
A
- Logs can be an indicator of compromise.
- Information appears in a log at a time frame when it should not be there.
12
Q
Missing Logs
A
- Attackers can try to cover up their tracks by removing logs of their activities.
- Logs must be secured and monitored
13
Q
Types of Logs
A
- Authentication logs
- File access logs
- Firewall logs
- Proxy logs
- Server logs
14
Q
Published/Documented Data
A
- Clear indication of compromise.
- Attackers will make public the sensitive data of an organization often when performing a ransomware attack.