Forensics Processing: Indicators of Compromise

By Jared McCann on December 8, 2023

Introduction

Indicators of Compromise (IOCs) are key to detecting whether a network or system has been subject to a cyber-attack. They can reveal when an attack occurred, which IP addresses were involved, which files were accessed or modified, and much more. Knowing how to identify IOCs and how to interpret them is an important part of the digital forensics process.

What are IOCs

IOCs are any of a wide range of indicators that show up as irregularities in a system or network: unusual network traffic, atypical account behavior (especially in privileged accounts), unusual sign-in attempts, and other abnormal system or network events. [1] What these IOCs reveal includes the tactics, techniques, and procedures used during the attack, the severity of the event, who the threat actors might be, and where teams should focus their response and mitigation efforts. [2]

How to identify IOCs

There are several ways IOCs can be identified in a system. At the enterprise level, this usually involves specialized software that constantly searches for these indicators. At a smaller business or consultant level, it will usually involve open-source tools. One of the best approaches is to use malware that has already been identified as a source of IOCs. Most malware has built-in behavior, such as connections to command and control (C2) servers, that can be used to identify IP addresses or files that were modified or accessed by the malware. Some of the ways this is done are hash identification, string extraction and regular-expression (RegEx) matching, and other built-in tools. [3] If working from a system image taken after the attack, tools like Autopsy on Windows or Sleuth Kit on Linux can greatly streamline this process.
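As an added illustration (not code from the post), the following Python script applies the hash, strings and RegEx approach described above to a constructed byte string that stands in for a malware sample. The sample contents, the IOC patterns and the function names are my own assumptions; the regexes are kept readable rather than exhaustive.

```python
import hashlib
import re

# Constructed stand-in for a malware sample: printable strings between binary junk.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"http://c2.example.test/beacon.php\x00\x01\x02"
    b"203.0.113.45:8443\x00\xff\xfe"
    b"C:\\Users\\Public\\update.dll\x00\x90\x90"
    b"short\x00"                      # below the minimum string length, dropped
    b"/tmp/.cache/run.sh\x00"
)

# Patterns for the IOC types the post mentions (IP addresses, files) plus C2 URLs.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "url": re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./%-]*)?"),
    "windows_path": re.compile(r"[A-Za-z]:\\(?:[^\\]+\\)*[^\\]+"),
    # The lookbehind stops the path part of a URL from being reported a second time.
    "unix_path": re.compile(r"(?<![\w.:/])/(?:[\w.-]+/)*[\w.-]+"),
}

def extract_strings(data, min_len=6):
    """Mimic the 'strings' tool: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def hash_sample(data):
    """Hashes used to look the sample up in threat-intel feeds and known-bad hash sets."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def extract_iocs(data, min_len=6):
    """Combine hashing with strings + regex matching to pull candidate IOCs from a sample."""
    found = {kind: set() for kind in IOC_PATTERNS}
    for s in extract_strings(data, min_len):
        for kind, pattern in IOC_PATTERNS.items():
            found[kind].update(pattern.findall(s))
    report = {"hashes": hash_sample(data)}
    report.update({kind: sorted(values) for kind, values in found.items()})
    return report

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```

Candidates extracted this way still need review: a hard-coded IP or path is only an IOC once the analyst confirms it is tied to the attack rather than to benign library code.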

Using IOCs in an investigation

There are a number of ways to use IOCs in your investigation. One is to follow a framework for documenting information; OpenIOC is one such framework. Data can be taken from several different sources and ingested following the OpenIOC framework to give a unified view of the issue at hand. [4] This unified view is important for building reports and presenting your findings clearly and concisely. It is also important to be able to view the data in a way that supports better decision-making. [5] Plenty of other tools and techniques are available as well, and some will fit a specific investigation's scenario better.

Conclusion

IOCs are key to any post-attack activity, and for investigative purposes in particular they form the building blocks. Without knowing how to identify IOCs, the speed and effectiveness of a forensics investigation are greatly reduced, as is the ability to respond. Knowing how to use them effectively, for both reporting and recommendations, is critical for any digital forensics investigator.

References

[1] Microsoft, “What are indicators of compromise (IOCs)?” https://www.microsoft.com/en-us/security/business/security-101/what-are-indicators-of-compromise-ioc

[2] CISA, “Using Indicators of Compromise (IOC) for Incident Response,” Mar. 29, 2022. https://www.npstc.org/download.jsp?tableId=37&column=217&id=4435&file=CISA_IMR108_IoC_220329_508.pdf

[3] Nasreddine Bencherchali, “Extracting Indicators of Compromise (IOCs) From Malware Using Basic Static Analysis,” Sept. 8, 2019. https://nasbench.medium.com/extracting-indicators-of-compromise-iocs-from-malware-using-basic-static-analysis-4b01e0be8659

[4] Hun-Ya Lock, “Using IOC (Indicators of Compromise) in Malware Forensics,” Feb. 21, 2013. https://sansorg.egnyte.com/dl/OOwrEB9NjA

[5] Forensic Focus, “Writing DFIR Reports: A Primer,” Feb. 4, 2021. https://www.forensicfocus.com/articles/writing-dfir-reports-a-primer/