What are IOC examples?

Indicators of Compromise (IOCs) are pieces of forensic data, such as virus signatures and IP addresses, that can identify threat actors and cyber intrusions. IOCs are an important part of threat intelligence and are used by security teams to detect and respond to breaches.

What are some common types of IOC?

There are many different types of IOCs that can indicate a system compromise or cyberattack. Some of the most common IOC examples include:

  • IP addresses – The IP addresses associated with a threat actor’s infrastructure or command and control servers.
  • Domain names – Domain names registered by a threat actor or linked to malicious infrastructure.
  • File hashes – The MD5, SHA1, or SHA256 hashes of known malware files.
  • URLs – URLs found in phishing emails, exploits, or pointing to malware/command and control servers.
  • Email addresses – Email addresses used by threat actors for phishing or social engineering.
  • Registry keys – Suspicious or malicious registry keys created during installation/execution of malware.
  • Mutexes – Named mutexes associated with malware processes.
  • File names – Names of known malware files or tools used by attackers.
  • User agent strings – User agent strings from botnet traffic or phishing kits.

IOCs can come from many different sources including endpoint detection and response tools, firewalls, IDS/IPS, sandboxes, SIEMs, threat intelligence feeds, and malware analysis.

Why are IOCs useful for cybersecurity teams?

IOCs are extremely useful for security analysts and incident responders because they allow rapid identification of threats and breaches. Some of the key ways IOCs improve security operations include:

  • Early detection – Monitoring network traffic and endpoints for known IOCs enables early breach detection. Security teams don’t need to wait until large-scale damage occurs.
  • Faster response – When IOCs are detected, analysts can quickly determine scope, contain threats, and remediate.
  • Increased visibility – Feeding IOCs into SIEMs and log analysis tools provides greater visibility across the environment.
  • Trend analysis – Understanding patterns in IOCs over time enables analysts to better predict future attacks.
  • Threat intelligence – IOCs are the building blocks of threat intelligence. Understanding tactics, techniques, and procedures (TTPs) based on historical IOCs arms defenders.

Overall, leveraging IOC data allows security teams to turn the tables on attackers and more proactively defend their environments.

What are some best practices for working with IOCs?

To leverage IOCs most effectively, security teams should follow these best practices:

  • Have a centralized repository – Use a threat intelligence platform (TIP) or SIEM to centrally store and manage IOC data.
  • Enrich with context – Augment raw IOCs with additional context like timestamps, related indicators, threat actor/campaign info, and confidence scores.
  • Focus on quality – Bad IOCs create false positives and waste analyst time. Continuously vet and prune your IOC lists to keep them clean.
  • Leverage automation – Use scripts, AI, and automation to quickly ingest, parse, and act on new IOC data.
  • Share responsibly – Practice responsible disclosure if sharing IOCs, respecting affected parties’ timelines and constraints.
  • Update regularly – Threats evolve quickly, so continuously feed in new IOCs from both internal and external sources.

Following these best practices allows organizations to build an IOC program that enhances detection and response capabilities.

What are some common sources of IOCs?

IOCs can come from a diverse set of internal and external sources. Some of the most common IOC sources include:

  • Threat intelligence feeds – Commercial and open-source threat intel feeds curate IOC data from around the globe.
  • CERTs/CSIRTs – Cyber Emergency Response Teams and Computer Security Incident Response Teams share IOCs from reported incidents.
  • Malware repositories – Sites like VirusTotal let you extract IOCs from scanned malware samples.
  • Sensors and logs – Endpoint, network, application, and cloud-native sensors generate security event logs packed with IOCs.
  • Sandboxes – Dynamic malware analysis sandboxes extract IOCs as part of behavioral threat analysis.
  • Incident response – IOCs are identified during forensic investigation of security incidents.
  • Threat exchanges – Platforms like the Cyber Threat Alliance and MISP enable sharing of IOC data.

Care should be taken to evaluate the credibility of both the sources providing IOCs and the IOCs themselves. With good curation, though, security teams can tap into massive amounts of crowd-sourced IOC data to boost detection capabilities.

What are some common IOC formats?

To standardize and simplify IOC exchange, structured data formats have been developed. Some of the most prevalent IOC formats include:

  • OpenIOC – XML format developed by Mandiant for sharing technical characteristics of threats.
  • STIX/TAXII – Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII) are commonly used standards developed for cyber threat intelligence by MITRE.
  • CSV – Simple comma separated value (CSV) lists contain basic IOC types and values.
  • MISP – The Malware Information Sharing Platform (MISP) format includes expanded IOC fields and cyber threat intelligence data.
  • YARA – YARA rules allow you to describe malware families based on textual or binary patterns.
  • Sigma – Generic Signature format for SIEM systems.

Standard formats make it easier to ingest IOCs from any source into your security infrastructure. They also facilitate automation of IOC processing using scripts and parsers.
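As an added example (not code from the original article), the following Python script shows the kind of parser the previous two sections call for: it reads a small CSV IOC list, refangs the defanged notation used throughout this article (hxxp, [.]), classifies each value by its own shape rather than trusting the feed's type column, and renders each record as a STIX 2.1 indicator pattern string so it can be loaded into a TIP or SIEM. The CSV rows and every indicator value in it are constructed placeholders (documentation IP ranges, example.* domains, the MD5 of an empty file), not real IOCs; the STIX pattern syntax itself is the standard one.

```python
"""Parse a defanged CSV IOC list into typed records and STIX 2.1 patterns.

Added example, not code from the original article. Every indicator value
below is a constructed placeholder (documentation IP ranges, example.*
domains, the MD5 of an empty file), not a real IOC.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed feed. The "type" column is deliberately not trusted: the
# parser classifies each value itself, which is what you want when feeds
# from different sources disagree on naming.
SAMPLE_CSV = """\
indicator,type,source
198.51.100[.]23,ip,constructed-feed
C2[.]Example[.]net,domain,constructed-feed
hxxp://c2[.]example[.]net/stage2[.]bin,url,constructed-feed
D41D8CD98F00B204E9800998ECF8427E,md5,constructed-feed
billing@example[.]org,email,constructed-feed
not an indicator,ip,constructed-feed
"""

HASH_ALGOS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}  # keyed by hex digest length

@dataclass(frozen=True)
class IOC:
    ioc_type: str   # ip | domain | url | hash | email
    value: str      # refanged, normalised value
    source: str

def refang(value: str) -> str:
    """Undo common defanging so the value can actually be matched."""
    v = value.strip().replace("[.]", ".").replace("(dot)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)

def classify(value: str) -> Optional[str]:
    """Infer the IOC type from the refanged value; None if unrecognised."""
    if len(value) in HASH_ALGOS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if re.match(r"^https?://", value, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        return "email"
    if re.fullmatch(r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", value, re.IGNORECASE):
        return "domain"
    return None

def parse_feed(text: str) -> List[IOC]:
    """Read CSV rows, refang and classify each, dropping anything unparseable."""
    iocs = []
    for row in csv.DictReader(io.StringIO(text)):
        value = refang(row["indicator"])
        ioc_type = classify(value)
        if ioc_type is None:
            continue
        if ioc_type != "url":      # URL paths can be case-sensitive; leave them alone
            value = value.lower()
        iocs.append(IOC(ioc_type, value, row["source"]))
    return iocs

def to_stix_pattern(ioc: IOC) -> str:
    """Render one IOC as a STIX 2.1 indicator pattern string."""
    val = ioc.value.replace("\\", "\\\\").replace("'", "\\'")
    if ioc.ioc_type == "hash":
        algo = HASH_ALGOS[len(ioc.value)]
        key = f"'{algo}'" if "-" in algo else algo   # hyphenated hash keys must be quoted
        return f"[file:hashes.{key} = '{val}']"
    if ioc.ioc_type == "ip":
        obj = "ipv6-addr" if ":" in ioc.value else "ipv4-addr"
        return f"[{obj}:value = '{val}']"
    obj = {"domain": "domain-name", "url": "url", "email": "email-addr"}[ioc.ioc_type]
    return f"[{obj}:value = '{val}']"

if __name__ == "__main__":
    for ioc in parse_feed(SAMPLE_CSV):
        print(f"{ioc.ioc_type:7} {to_stix_pattern(ioc)}")
```

The row that does not parse as any known type is dropped rather than passed through, which is the cheap first line of defence against the malformed entries that turn into false positives later; a production ingester would log such rows for review instead of silently discarding them.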

What are some common ways to leverage IOCs?

Once collected, there are many practical applications of IOC data for security teams. Common ways to leverage IOCs include:

  • Blocklists – Build network blocklists and domain blacklists from IP addresses, DNS names, and URLs.
  • EDR queries – Scan endpoints for presence of file hashes, registry keys, and other IOCs.
  • Host-based rules – Create YARA, Sigma, or other rules to detect IOCs on hosts and in network traffic.
  • Reputation enrichment – Add IOC data to identify and prioritize high-fidelity alerts.
  • Threat hunting – Proactively search through logs and packets for IOCs associated with threat actors.
  • Sandboxing – Feed IOCs into your sandbox to alert on associated malware.

Getting the most value out of IOCs requires baking them into detective, preventative, and proactive security controls across the organization.

What are some challenges with using IOCs?

While extremely useful, IOCs do come with some inherent challenges:

  • Short shelf-life – Attackers rapidly change infrastructure, domains, files, IPs, and other IOCs.
  • False positives – Stolen infrastructure or insufficient vetting can lead to false positives.
  • Evasion – Adversaries purposely vary attacks to avoid matching on known IOCs.
  • Volume – The raw amount of IOC data can be overwhelming for security teams to ingest and analyze.
  • Context gaps – IOCs without context on the related threat actor or campaign have limited value.

Even with these drawbacks, leveraging IOCs in a balanced security program is invaluable. Teams just need to understand the limitations and compensate for them through threat hunting, behavioral analysis, and other means.
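As an added example (not code from the original article), the Python below ties together three of the sections above: the best practices (enrich with context, focus on quality, update regularly), the "threat hunting" and "reputation enrichment" uses of IOCs, and the shelf-life, false-positive and context-gap challenges. Each IOC carries a confidence score, a last-seen date, a TTL and campaign context; only vetted, unexpired indicators are matched against log lines, hits are reported with the context a responder needs, and stale or unvetted entries are surfaced as pruning candidates. The IOC records, their context fields and the log lines are all constructed sample data using documentation IP ranges and example.* domains; the field names and thresholds are assumptions for the example.

```python
"""Match context-enriched IOCs against log lines, skipping stale and
low-confidence indicators.

Added example, not code from the original article. The IOC records,
their context fields and the log lines are all constructed sample data
using documentation IP ranges and example.* domains.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

@dataclass(frozen=True)
class EnrichedIOC:
    value: str
    ioc_type: str       # ip | domain
    confidence: int     # 0-100, from the feed or analyst vetting
    last_seen: date     # last date the indicator was observed in use
    campaign: str       # context that tells the responder what a hit means
    ttl_days: int = 30  # shelf-life after last_seen before the IOC goes stale

TODAY = date(2024, 6, 1)   # fixed "now" so the example is reproducible

# Constructed IOC set with the two quality problems the article names:
# a stale indicator and an unvetted, low-confidence one.
IOCS = [
    EnrichedIOC("198.51.100.23", "ip", 90, date(2024, 5, 25), "constructed-campaign-A"),
    EnrichedIOC("c2.example.net", "domain", 80, date(2024, 5, 30), "constructed-campaign-A"),
    EnrichedIOC("203.0.113.9", "ip", 95, date(2024, 1, 10), "constructed-campaign-B"),
    EnrichedIOC("cdn.example.org", "domain", 20, date(2024, 5, 31), "unvetted-feed"),
]

# Constructed proxy/DNS log lines.
LOG_LINES = [
    "2024-06-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=c2.example.net uri=/stage2.bin",
    "2024-06-01T10:00:07Z dns client=10.0.0.7 query=cdn.example.org rcode=NOERROR",
    "2024-06-01T10:01:00Z proxy src=10.0.0.9 dst=203.0.113.9 host=old.example.com uri=/",
    "2024-06-01T10:02:00Z dns client=10.0.0.5 query=mail.example.com rcode=NOERROR",
]

def is_active(ioc: EnrichedIOC, today: date, min_confidence: int = 50) -> bool:
    """An IOC is worth matching only if it is vetted and not past its TTL."""
    return ioc.confidence >= min_confidence and (today - ioc.last_seen).days <= ioc.ttl_days

def build_index(iocs, today: date, min_confidence: int = 50) -> Dict[str, EnrichedIOC]:
    """Index active IOCs by value for constant-time lookup per log token."""
    return {i.value.lower(): i for i in iocs if is_active(i, today, min_confidence)}

def prune_candidates(iocs, today: date, min_confidence: int = 50) -> List[EnrichedIOC]:
    """IOCs that should be reviewed or removed from the repository."""
    return [i for i in iocs if not is_active(i, today, min_confidence)]

# Tokens are runs of letters, digits, dots and hyphens, so key=value pairs
# split on the "=" and IPs/hostnames come out whole.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")

def scan(lines, index: Dict[str, EnrichedIOC]) -> List[dict]:
    """Tokenise each line and report every active IOC it contains, once per line."""
    hits = []
    for line in lines:
        seen = set()
        for tok in TOKEN_RE.findall(line):
            ioc = index.get(tok.lower())
            if ioc and ioc.value not in seen:
                seen.add(ioc.value)
                hits.append({"line": line, "ioc": ioc.value, "type": ioc.ioc_type,
                             "confidence": ioc.confidence, "campaign": ioc.campaign})
    return hits

if __name__ == "__main__":
    index = build_index(IOCS, TODAY)
    for hit in scan(LOG_LINES, index):
        print(f"[{hit['confidence']}] {hit['type']} {hit['ioc']} ({hit['campaign']}): {hit['line']}")
    for ioc in prune_candidates(IOCS, TODAY):
        print(f"prune: {ioc.value} (confidence={ioc.confidence}, last_seen={ioc.last_seen})")
```

Run as written, the first proxy line produces two hits that both point at the same constructed campaign, the stale IP on the third line produces none even though its confidence is the highest in the set, and the low-confidence domain is never matched; the prune list is the same two entries the index excluded, which is what an analyst would review before the next feed refresh.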

Example IOC Types

To make IOC concepts more concrete, it helps to provide specific examples across different IOC types:

IP Addresses

  • 178.32.180[.]97 – Tied to Sandworm APT command and control infrastructure
  • 103.255.61[.]154 – Used to deliver Flame malware
  • 121.42.153[.]198 – Linked to exploit kit and phishing campaigns

Domain Names

  • mpnets[.]eu – Command and control domain for Trickbot botnet
  • freemilk[.]co[.]uk – Phishing domain registered by APT29
  • osdsoft[.]com – Chinese APT domain for phishing and malware

File Hashes

  • 2cb42b8727fed26017d952da456827c8 – Trojan.Ursnif variant
  • 17e0f823dfba8e28d6ba447401d11037 – Poison Ivy RAT malware
  • ae12bb54af31227017feffd9598a6f5e – Gh0stRAT remote access tool

Email Addresses

  • johnmiller@contractor[.]com – Phishing persona for contractor fraud
  • support@appleid[.]foundation – Spoofed Apple ID phishing
  • rating-master@gmail[.]com – Tied to sextortion scams

Registry Keys

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\malware – Malware persistence
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\policies\system – Disables Windows Defender
  • HKEY_CURRENT_USER\Software\Google\Chrome\User Data\Default\preferences – Chrome password stealing

URLs

  • hxxp://103.255.61[.]154/exploit.pdf – Exploit kit landing page
  • hxxp://appleid[.]foundation/billing[.]php – Apple ID phishing URL
  • hxxp://freemilk[.]co[.]uk/freemilk-campaign[.]zip – Malware download URL

These specific examples illustrate what real-world IOCs look like across different categories. They can be incorporated into threat intelligence feeds, detective controls, and threat hunting activities to identify malicious activity.

Conclusion

IOC examples like IP addresses, file hashes, domains, and registry keys provide valuable clues that allow security teams to detect, scope, and respond to intrusions faster. By ingesting IOCs from both external and internal sources, tuning detection systems and policies, and proactively hunting, organizations can leverage these indicators to enhance their security postures. However, care should be taken to vet IOC sources, corroborate with other evidence, and update regularly given the dynamic threat landscape. IOC data is most powerful when handled professionally as part of an intelligence-driven security program.