
For a long time now, I’ve been talking about how to detect incidents early by identifying “attack precursors” and other leading indicators of breaches and security compromises.  As a matter of fact, Tripwire’s “Cybercrime Controls” were designed to do just that and are being continuously improved.

For example, our Cybercrime Controls continuously monitor and detect things like:

  • people trying to cover their tracks or obscure their presence on your systems;
  • signs of ARP cache poisoning, ARP spoofing, and other man-in-the-middle attacks;
  • suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks;
  • anomalous permissions changes;
  • changes in local firewall configurations and local user accounts;
  • changes in DNS servers or IP routing;
  • symptoms or presence of root kits;
  • and many others…

All of these items can provide early indications of bad actors, and help you identify and contain security incidents before they result in loss.

I hereby Dub Thee “Indicators of Compromise”

I’m pleased to see that those precursors are now getting the attention they deserve and thanks to security firm Mandiant, they now have a common name:  “Indicators of Compromise.”

Indicators of Compromise, or IOCs, are being actively discussed and pursued in the broader infosec practitioner and vendor communities. This focus on codifying IOCs is a nice step forward in making it easier to share threat data across organizations, and I think it represents a significant leverage point for advancing the state of the art in information security.

If you want a good overview from Mandiant, check out this presentation on “Using Indicators of Compromise,” from the US-CERT site. Participating in data sharing around IOCs is also getting easier – check out OpenIOC, which is an open source framework for sharing threat information and other tools to help us share ways to detect threats more quickly and more proactively.
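To make the two ideas above concrete (the precursor categories in the list and sharing them in a codified form such as OpenIOC), here is an added example, not code from the post, Tripwire or Mandiant: it evaluates a constructed, deliberately simplified OpenIOC-style indicator against a host's current DNS servers, listening ports and scheduled tasks. The XML omits the real schema's namespace and only supports the `is` and `contains` conditions; the indicator values and host facts are all made up.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified OpenIOC-style indicator (no XML namespace, not a real
# Mandiant IOC): match if the DNS server was switched to an unexpected address,
# OR a new listening port appears together with an unfamiliar scheduled task.
SAMPLE_IOC = """<ioc id="constructed-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="Network" search="Network/DnsServer"/>
        <Content type="string">203.0.113.53</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context document="PortItem" search="PortItem/localPort"/>
          <Content type="int">5555</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context document="TaskItem" search="TaskItem/Name"/>
          <Content type="string">helper</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host observations: search term -> values currently seen on the host.
HOST_FACTS = {
    "Network/DnsServer": {"192.0.2.10", "203.0.113.53"},
    "PortItem/localPort": {"22", "443"},
    "TaskItem/Name": {"Backup Nightly"},
}

def item_matches(item, facts):
    """Match one IndicatorItem (condition 'is' or 'contains') against the facts."""
    want = item.find("Content").text.strip()
    observed = facts.get(item.find("Context").get("search"), set())
    if item.get("condition", "is") == "contains":
        return any(want.lower() in value.lower() for value in observed)
    return want in observed

def indicator_matches(node, facts):
    """Recursively apply an Indicator node's AND/OR operator to its children."""
    results = [item_matches(c, facts) if c.tag == "IndicatorItem" else indicator_matches(c, facts)
               for c in node if c.tag in ("IndicatorItem", "Indicator")]
    op_all = node.get("operator", "OR").upper() == "AND"
    return bool(results) and (all(results) if op_all else any(results))  # empty tree never matches

def evaluate_ioc(ioc_xml, facts):
    """True when the indicator's top-level logic tree matches the host facts."""
    return indicator_matches(ET.fromstring(ioc_xml).find("definition/Indicator"), facts)
```

With the facts above the host matches on the rogue DNS server alone; a host with only the unusual port, but no matching task, does not trip the AND branch.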

I look forward to a day when we see the average time to discover breaches decrease dramatically in Verizon’s Data Breach Investigations Report, and I think embracing and improving our ability to identify Indicators of Compromise will help us get there. What do you think?


Image courtesy of ShutterStock