8 types of Indicators of Compromise (IoCs) and how to recognize them

by | July 1, 2021 | How to

With the help of the Indicators of Compromise, you and your team can identify malicious activity or security threats, such as data breaches, insider threats, or malware attacks. Therefore, security breaches can take different forms: unknown files on the system, strange network patterns, unusual account behaviors, or unexplained configurations. In this article, you will learn how to recognize eight types of indicators to protect your business!

What exactly are the Indicators of Compromise?

Indicators of compromise or IoCs are clues and evidence of a data breach, usually seen during a cybersecurity attack. These indicators can reveal that an attack has happened, what tools were used in the attack, and who’s behind them. They are typically collected from software, including antivirus and antimalware systems; for a better understanding, try to think of indicators of compromise as the breadcrumbs left by an attacker after a cybersecurity attack.

How do IoCs work?

When a malware attack happens, traces of its activity can be left in the system and log files. If a security breach is found, the IoC or “forensic data” is collected from these files and by IT professionals. These clues can be used to determine whether a data breach has occurred or that the network is under attack. Identifying IOCs is almost entirely handled by trained information security professionals. Usually, these people use advanced technology to scan and analyze large network traffic and isolate suspicious activities.

The most effective cybersecurity strategy combines human resources with advanced technological solutions (such as AI, ML, and other forms of intelligent automation) to better detect abnormal activity and increase response and remediation time.

How can you recognize the indicators?

There are some common IoCs that enterprise organizations should know to detect and investigate! Here are some more common indicators of compromise for you to remember:

1. Unusual outbound network traffic

  • Anomalies in network traffic patterns and volumes are one of the most common signs of a security breach.
  • Although keeping intruders out of your network is becoming increasingly difficult. Some experts say that it might be easier to monitor outgoing traffic for potential Indicators of Compromise.
  • When an intruder tries to extract data from your network or when an infected system relays information to a command-and-control server, unusual outbound network traffic may be detected.

2. Activity from strange geographic areas

  • If, for example, your entire business operation is based in Los Angeles, United States, you should be shocked to see a user connecting to your network from another place, especially from another country with a bad reputation for international cybercrime.
  • Benjamin Caudill, the principal consultant for Rhino Security, says that: “As to data-breach clues, one of the most useful bits I’ve found is logs showing an account logging in from multiple IPs in a short time period, particularly when paired with geolocation tagging. More often than not, this is a symptom of an attacker using a compromised set of credentials to log into confidential systems.”
  • Monitoring IP addresses on the network and where they come from is an easy way to detect cyber attacks before they can do real damage to your organization.
Multiple connections to your accounts from unexpected locations could be a good indicator of compromise
Multiple connections to your accounts from unexpected locations could be a good indicator of compromise

3. Unexplained activity by Privileged User Accounts

  •  In complex cyberattacks, such as advanced persistent threats, a common method is to compromise low-privileged user accounts before escalating their privileges and authorizations or exposing the attack vector to accounts with more privileges.
  • When security operators notice suspicious behavior from privileged user accounts, this may be evidence of internal or external attacks on the organization’s systems and data.

4. Substantial rise in database read volume

  • Most of the companies store their most personal and confidential data in database format. Therefore, your databases will always be a prime target for attackers.
  • A spike in database read volume represents a good indicator that an attacker is trying to infiltrate your data.

Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks, says that:

“When the attacker attempts to extract the full credit card database, it will generate an enormous amount of read volume, which will be way higher than you would normally see for reads on the credit card tables.”

Kyle Adams

5. High authentication failures

In account takeovers, attackers use automation to authenticate using phished credentials. A high rate of authentication attempts might indicate than someone has stolen credentials and is attempting to find an account that gives access to the network.

6. Lots of requests on important files

  • Without a high-privileged account, an attacker is forced to explore different resources and find the right vulnerability to access files.
  • When the attackers find signs that an exploit might be successful, they’ll often use different permutations to launch it.
  • Kyle Adams stated the following: “you might see a single user or IP making 500 requests for ‘join.php,’ when normally a single IP or user would only request that page a few times max.”

7. Suspicious configuration changes

You may not even know, but changing configurations on files, servers, and devices could give the attacker a second backdoor to the network. Changes could also add vulnerabilities for malware to exploit.

8. Indicators of DDoS attacks (Distributed Denial of Service)

  • These attacks happen when a malicious actor tries to shut down a service by flooding it with traffic and requests from a network of a controlled machine, called a botnet.
  • DDoS are frequently used as smokescreens to camouflage other more harmful attacks.
  • Sings of DDoS: slow network performance, unavailability of websites, firewall failover, back-end systems working at max capacity for unknown reasons.
  • Ashley Stephenson, CEO at Corero Network Security, says that:
Distributed Denial of Service attacks could also be an indicator of compromise
Distributed Denial of Service attacks could also be an indicator of compromise

“In addition to overloading mainstream services, it is not unusual for DDoS attacks to overwhelm security reporting systems, such as IPS/IDS or SIEM solutions. This presents new opportunities for cybercriminals to plant malware or steal sensitive data. As a result, any DDoS attack should also be reviewed for related data breach activity.”

Ashley Stephenson


After an attack, IoC cybersecurity measures can be used to establish what went wrong so that your business can avoid future exploits from the same vulnerability. It is important to apply to monitor on the network to detect an attack, but for investigations, logs and audit trails are just as important. The more rigorous logs and audit trails organizations have, the more effective their investigation during incident response! To prevent the attacks and save your business, make sure to observe in time those previous red flags we told you about!

by Andreea Popa

Content writer for Attack Simulator, delivering your daily dose of awareness for cyber security! Love to write passionately about any subject and my mainly inspiration are people's stories. You can also find me on social media, for some more friendly things!

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.