Cyber Security

What are the top indicators of compromise to look for when investigating a potential data breach?

KE Asked by Kevin Martinez · 18-11-2024
0 upvotes 17,473 views 0 comments
The question

I’m new to the SOC team and I want to improve my manual threat hunting skills. Beyond just looking for high CPU usage, what are the subtle "Indicators of Compromise" (IoCs) that often go unnoticed in the logs? Are there specific patterns in DNS traffic or PowerShell execution that I should be prioritizing when I’m scanning our SIEM for suspicious activities?

 

3 answers

0
E
Answered on 20-11-2024

Focus on "Beacons" and "Living off the Land" techniques. Watch for unusual outbound traffic to unknown IPs on a regular heartbeat; this often indicates Command & Control (C2) communication. In PowerShell, look for encoded commands (-e or -enc) which are used to hide malicious scripts from basic log filters. Another big one is DNS tunneling—look for a high volume of DNS requests to a single unusual domain. Also, keep an eye on "Lateral Movement" logs, such as a user suddenly logging into fifty different workstations in an hour. These behavioral anomalies are much harder for attackers to hide than simple file-based malware.

0
CH
Answered on 22-11-2024

Do you have a baseline for "Normal" traffic in your network, or are you trying to identify "Abnormal" activity without knowing what a quiet day looks like? 

ST 23-11-2024

Charles, that's a great point. We spent the first month just documenting the usual "chatter" from our software updates and cloud syncs. Now that we have that baseline, the anomalies stand out like a sore thumb. For instance, we caught a developer using an unauthorized VPN because their traffic patterns shifted from a standard 9-to-5 window to midnight bursts. Without that baseline, we would have just assumed it was a background system process. Understanding your environment's "heartbeat" is the most important skill for any successful threat hunter.

0
L
Answered on 24-11-2024

Watch for "Privilege Escalation" attempts. Any account that suddenly attempts to access a Domain Controller or a password vault should trigger an immediate high-priority alert. 

KE 25-11-2024

Exactly, Linda. Monitoring your "Crown Jewels" for any unauthorized access attempts is the best way to catch an intruder before they can do real damage.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session