Indicators of Compromise 2.4 Flashcards

1
Q

Indicators of Compromise (IoC)

A
  • An artifact or event (for example a file hash, an IP address, a domain name or a log pattern) that indicates, with high confidence, that a system or network has been intruded upon.
2
Q

Common Indicators

A
  • Unusual amount of network activity.
  • Changes to file hash values (file integrity).
  • Irregular international traffic.
  • Changes to DNS data.
  • Uncommon login patterns.
  • Spikes of read requests to certain files.
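The "changes to file hash values" indicator is only useful if a trusted baseline exists. The following added example (not part of the flashcard deck) builds a SHA-256 baseline of a directory tree, then rescans it after a constructed tampering scenario and reports modified, added and removed files. The directory layout and file contents are constructed for the example.

```python
# Added example (not from the deck): file-integrity check that detects changed
# file hashes by comparing a SHA-256 baseline against a rescan of the same tree.
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX style) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare_baseline(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, plus files that appeared or vanished."""
    return {
        "modified": sorted(f for f in old if f in new and old[f] != new[f]),
        "added": sorted(f for f in new if f not in old),
        "removed": sorted(f for f in old if f not in new),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: take a baseline, tamper with the tree, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = build_baseline(root)

        # Simulated intrusion: trojaned binary, extra UID-0 user, deleted banner.
        (root / "bin" / "sshd").write_bytes(b"original sshd binary + implant")
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/:/bin/bash\n")
        (root / "etc" / "motd").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline itself must be stored somewhere the attacker cannot rewrite (off-host or signed), otherwise an intruder who changes a file can simply update its recorded hash as well.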
3
Q

Account Lockout

A
  • A temporary block on a user's ability to log into a system, typically triggered by too many failed login attempts.
  • Can be considered an Indicator of Compromise, especially when many accounts lock out within a short time (brute force or password spraying).
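A single lockout is usually a forgotten password; a burst of them from one source is the indicator. The following added example (not part of the deck) runs a sliding-window check over constructed Windows Security records. Event ID 4740 ("A user account was locked out") is the real Windows event; the computer names, account names and timestamps are constructed, and the 10-minute window and threshold of five are assumed tuning values.

```python
# Added example (not from the deck): flag a burst of account lockouts coming
# from one caller computer within a short window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, account, caller_computer)
SAMPLE_EVENTS = [
    ("2024-05-01T08:01:10", 4740, "alice", "WKS-ALICE"),   # lone lockout, benign
    ("2024-05-01T13:00:05", 4740, "bob", "VPN-GW01"),
    ("2024-05-01T13:00:40", 4740, "carol", "VPN-GW01"),
    ("2024-05-01T13:01:15", 4740, "dave", "VPN-GW01"),
    ("2024-05-01T13:02:02", 4740, "erin", "VPN-GW01"),
    ("2024-05-01T13:02:50", 4740, "frank", "VPN-GW01"),
    ("2024-05-01T13:03:30", 4624, "grace", "WKS-GRACE"),   # successful logon, ignored
    ("2024-05-01T13:04:11", 4740, "heidi", "VPN-GW01"),
]


def find_lockout_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return (window_start, caller, locked_accounts) for every caller computer
    that locked out at least `threshold` accounts within `window`.

    Only Event ID 4740 counts; other events in the stream are ignored. For each
    caller the widest qualifying window is reported, so every account swept up
    in the spray appears in the alert.
    """
    lockouts = defaultdict(list)
    for ts, event_id, account, caller in events:
        if event_id == 4740:
            lockouts[caller].append((datetime.fromisoformat(ts), account))

    alerts = []
    for caller, entries in lockouts.items():
        entries.sort()
        best = None
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it fits within `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            hits = entries[start:end + 1]
            if len(hits) >= threshold and (best is None or len(hits) > len(best)):
                best = hits
        if best:
            alerts.append((best[0][0], caller, sorted(a for _, a in best)))
    return alerts


if __name__ == "__main__":
    for started, caller, accounts in find_lockout_bursts(SAMPLE_EVENTS):
        print(f"{started.isoformat()} {caller} locked out {len(accounts)} accounts: {accounts}")
```

Keying on the caller computer rather than on the account is what separates a spray (many accounts, one source) from one user mistyping a password, which is why the lone WKS-ALICE lockout never alerts.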
4
Q

Concurrent Session Usage

A
  • An indicator of compromise.
  • The same account is logged in at the same time from multiple locations.
  • Difficult to judge, because legitimate users are often signed in on several devices at once.
5
Q

Purpose of Blocking Content

A
  • An attacker using a compromised account or host wants to stay on the system as long as possible without being detected or removed.
  • Attackers can use malware to block the content that would help the victim detect or clean up the intrusion.
6
Q

Types of Blocked Content

A
  • Auto updates
  • Links to security patches
  • Third-party anti-malware sites
  • Removal tools
7
Q

Impossible Travel

A
  • When the logs show two logins for the same account from two distant locations within a time span too short for anyone to have travelled between them.
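The "concurrent session usage" and "impossible travel" cards describe two checks over the same login data, so one added example (not part of the deck) serves both. It assumes the source IP of each login has already been resolved to a latitude and longitude (in a real pipeline a GeoIP database does that), uses the haversine formula for the distance between logins, and treats any implied speed above 900 km/h (roughly airliner speed, an assumed threshold) as impossible. The accounts, IPs, session times and locations are constructed.

```python
# Added example (not from the deck): impossible-travel and concurrent-session
# checks over constructed login records. Geolocation per IP is assumed done.
import math
from datetime import datetime
from itertools import combinations

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner is "impossible"

# Constructed sample: (user, login, logout, source_ip, lat, lon)
SAMPLE_SESSIONS = [
    ("alice", "2024-05-01T09:00:00", "2024-05-01T12:00:00", "203.0.113.10", 51.5074, -0.1278),   # London
    ("alice", "2024-05-01T09:30:00", "2024-05-01T10:00:00", "198.51.100.7", 40.7128, -74.0060),  # New York
    ("bob",   "2024-05-01T08:00:00", "2024-05-01T09:00:00", "192.0.2.5",    48.8566,   2.3522),  # Paris
    ("bob",   "2024-05-01T11:00:00", "2024-05-01T12:00:00", "192.0.2.9",    52.5200,  13.4050),  # Berlin
    ("carol", "2024-05-01T10:00:00", "2024-05-01T11:00:00", "203.0.113.44", 35.6762, 139.6503),  # Tokyo
    ("carol", "2024-05-01T10:30:00", "2024-05-01T11:30:00", "203.0.113.44", 35.6762, 139.6503),  # Tokyo, 2nd device
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def by_user(sessions):
    """Parse timestamps and group sessions by account."""
    groups = {}
    for user, login, logout, ip, lat, lon in sessions:
        row = (user, datetime.fromisoformat(login), datetime.fromisoformat(logout), ip, lat, lon)
        groups.setdefault(user, []).append(row)
    return groups


def impossible_travel(sessions, max_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins of one account whose implied speed exceeds max_kmh.
    Returns (user, previous_ip, current_ip, km, hours_between_logins)."""
    alerts = []
    for user, rows in by_user(sessions).items():
        rows.sort(key=lambda r: r[1])
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev[4], prev[5], cur[4], cur[5])
            hours = (cur[1] - prev[1]).total_seconds() / 3600
            # Same place is never impossible; zero time gap to a different place is.
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((user, prev[3], cur[3], round(km), round(hours, 2)))
    return alerts


def concurrent_sessions(sessions):
    """Flag overlapping sessions of one account from different source IPs.
    Overlap from the same IP (second device at the same location) is not flagged."""
    alerts = []
    for user, rows in by_user(sessions).items():
        for a, b in combinations(rows, 2):
            overlap = a[1] < b[2] and b[1] < a[2]
            if overlap and a[3] != b[3]:
                alerts.append((user, a[3], b[3]))
    return alerts


if __name__ == "__main__":
    print("impossible travel:", impossible_travel(SAMPLE_SESSIONS))
    print("concurrent sessions:", concurrent_sessions(SAMPLE_SESSIONS))
```

Bob's Paris-to-Berlin hop three hours apart is feasible and stays silent, Carol's overlapping Tokyo sessions share an IP and are treated as a second device, and only Alice's London/New York pair trips both checks. Whether "same IP" is a safe exemption depends on the environment; behind a large NAT it hides two different users.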
8
Q

Resource Consumption

A
  • A system is starved of the resources (CPU, memory, disk, bandwidth) it needs to keep functioning.
  • Can be an indicator that a system is being compromised, for example by cryptomining, data exfiltration or a denial-of-service attack.
9
Q

Signs of Resource Consumption

A
  • Increased bandwidth usage.
  • Firewall logs showing an unexpected outbound transfer (possible data exfiltration).
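Both signs on this card come down to one question: did a host send far more out than it normally does? The following added example (not part of the deck) parses constructed firewall log lines in a simple key=value style (an assumed format, not any specific product's), totals outbound bytes per internal host per hour, and flags an hour that dwarfs that host's own median. The hosts, addresses, byte counts, 20x factor and 100 MB floor are all constructed or assumed.

```python
# Added example (not from the deck): per-host hourly outbound volume from
# constructed firewall lines, flagged against the host's own baseline.
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line format; a real product's format would need its own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) ALLOW src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=\S+ dport=\d+ bytes_out=(?P<bytes>\d+)$")

# Constructed sample: 10.0.0.5 normally sends a few KB per hour, then 400 MB
# to a new destination over SSH at 03:00.
SAMPLE_FW_LOG = """\
2024-05-01T00:10:00 fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443 bytes_out=4096
2024-05-01T00:40:00 fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443 bytes_out=8192
2024-05-01T01:15:00 fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443 bytes_out=6144
2024-05-01T02:05:00 fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443 bytes_out=5120
2024-05-01T03:02:00 fw01 ALLOW src=10.0.0.5 dst=198.51.100.77 proto=tcp dport=22 bytes_out=419430400
2024-05-01T00:30:00 fw01 ALLOW src=10.0.0.8 dst=203.0.113.9 proto=tcp dport=443 bytes_out=2048
2024-05-01T01:30:00 fw01 ALLOW src=10.0.0.8 dst=203.0.113.9 proto=tcp dport=443 bytes_out=3072
2024-05-01T02:30:00 fw01 ALLOW src=10.0.0.8 dst=203.0.113.9 proto=tcp dport=443 bytes_out=2560
2024-05-01T03:30:00 fw01 ALLOW src=10.0.0.8 dst=203.0.113.9 proto=tcp dport=443 bytes_out=4096
"""


def hourly_outbound(log_text):
    """Sum bytes_out per (source host, hour). Lines that do not match are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        hour = datetime.fromisoformat(m["ts"]).replace(minute=0, second=0)
        totals[(m["src"], hour)] += int(m["bytes"])
    return totals


def exfil_candidates(log_text, factor=20, min_bytes=100 * 1024 * 1024):
    """Flag an hour in which a host sent more than `factor` times its median
    hourly volume over its other hours AND at least `min_bytes`, so a host that
    is quiet all day does not alert on one modest download-sized request.
    Returns (src, hour, bytes, baseline_median)."""
    per_host = defaultdict(dict)
    for (src, hour), b in hourly_outbound(log_text).items():
        per_host[src][hour] = b

    alerts = []
    for src, hours in per_host.items():
        for hour, b in sorted(hours.items()):
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # no baseline to compare against yet
            baseline = statistics.median(others)
            if b >= min_bytes and b > factor * baseline:
                alerts.append((src, hour.isoformat(), b, baseline))
    return alerts


if __name__ == "__main__":
    for src, hour, b, base in exfil_candidates(SAMPLE_FW_LOG):
        print(f"{src} sent {b} bytes in hour {hour} (median other hours: {base})")
```

The median rather than the mean is used as the baseline so that the spike itself does not inflate the figure it is compared against. The new destination and port on the flagged line are what an analyst would pivot on next.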
10
Q

Resource Inaccessibility

A
  • Server is down.
  • Network disruption.
  • Service outage.
  • Data encrypted by an attacker (ransomware).
  • Brute force attack resulting in a locked account.
11
Q

Out-of-Cycle Logging

A
  • Log activity itself can be an indicator of compromise.
  • An entry appears at a time when that activity should not be occurring, for example a scheduled job or an administrator login outside its normal window.
12
Q

Missing Logs

A
  • Attackers try to cover their tracks by deleting the logs of their activity.
  • Logs must be secured (forwarded to a central store the attacker cannot rewrite) and monitored, so that a gap in logging or a log-clear event is itself an alert.
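The "out-of-cycle logging" and "missing logs" cards both describe anomalies in the log stream rather than in its contents, so one added example (not part of the deck) covers both over a constructed record set: a scheduled activity appearing outside its window, a host that normally reports every few minutes going quiet, and an explicit log-clear event. Event ID 1102 ("The audit log was cleared") is the real Windows Security event; the hostnames, the backup schedule, the five-minute heartbeat and the records themselves are constructed.

```python
# Added example (not from the deck): out-of-cycle and missing-log checks over
# a constructed log stream.
from datetime import datetime, timedelta

# Constructed records: (timestamp, host, source, event_id, message); event_id 0 = none
SAMPLE_LOG = [
    ("2024-05-01T02:00:00", "db01", "backup", 0, "nightly backup started"),
    ("2024-05-01T02:30:00", "db01", "backup", 0, "nightly backup finished"),
    ("2024-05-01T14:12:00", "db01", "backup", 0, "nightly backup started"),  # outside 02:00-03:00
    ("2024-05-01T00:00:00", "web01", "agent", 0, "heartbeat"),
    ("2024-05-01T00:05:00", "web01", "agent", 0, "heartbeat"),
    ("2024-05-01T00:10:00", "web01", "agent", 0, "heartbeat"),
    ("2024-05-01T00:55:00", "web01", "agent", 0, "heartbeat"),                # 45 minutes of silence
    ("2024-05-01T01:00:00", "web01", "agent", 0, "heartbeat"),
    ("2024-05-01T00:40:00", "web02", "security", 1102, "The audit log was cleared"),
]

# Assumed schedule: source -> (start hour, end hour) in which its events are normal
SCHEDULE = {"backup": (2, 3)}
HEARTBEAT_INTERVAL = timedelta(minutes=5)  # assumed agent reporting cadence


def parse(records):
    return [(datetime.fromisoformat(ts), host, src, eid, msg)
            for ts, host, src, eid, msg in records]


def out_of_cycle(records, schedule=SCHEDULE):
    """Events from a scheduled source that fall outside its expected window."""
    hits = []
    for ts, host, src, _eid, msg in parse(records):
        if src in schedule:
            lo, hi = schedule[src]
            if not (lo <= ts.hour < hi):
                hits.append((ts.isoformat(), host, msg))
    return hits


def silent_hosts(records, expected=HEARTBEAT_INTERVAL, tolerance=3):
    """Hosts whose gap between consecutive heartbeats exceeded tolerance * expected:
    either the host stopped logging or the entries in between were removed.
    Returns (host, last_seen_before_gap, first_seen_after_gap)."""
    last = {}
    gaps = []
    for ts, host, src, _eid, _msg in sorted(parse(records)):
        if src != "agent":
            continue
        if host in last and ts - last[host] > tolerance * expected:
            gaps.append((host, last[host].isoformat(), ts.isoformat()))
        last[host] = ts
    return gaps


def log_cleared(records):
    """Explicit audit-log-cleared events: the loudest form of 'missing logs'."""
    return [(ts.isoformat(), host) for ts, host, _src, eid, _msg in parse(records) if eid == 1102]


if __name__ == "__main__":
    print("out of cycle:", out_of_cycle(SAMPLE_LOG))
    print("silent hosts:", silent_hosts(SAMPLE_LOG))
    print("log cleared:", log_cleared(SAMPLE_LOG))
```

The silence check only works if logs are shipped off-host as they are written; an attacker who clears a local log after the fact leaves the gap visible in the central copy, but one who stops the forwarder first leaves only the silence, which is why the gap itself must alert.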
13
Q

Types of Logs

A
  • Authentication logs
  • File access logs
  • Firewall logs
  • Proxy logs
  • Server logs
14
Q

Published/Documented Data

A
  • A clear indication of compromise.
  • Attackers often publish an organization's sensitive data, typically as leverage during a ransomware attack.