Indicators of Compromise
Last updated 1 year ago

Decided to share a bit about blue team stuff since there isn't much blue team content in this interview bank. I decided to leverage my experience as a SOC Analyst ahahaha. Indicators of Compromise are a must-know for EVERY blue teamer.

What are Indicators of Compromise (IOC)?

An Indicator of Compromise (IOC) is a piece of digital forensic evidence that suggests an endpoint or network may have been breached. So yes, IOCs are evidence of a potential intrusion on a host system or network. They allow infosec professionals and system administrators to detect intrusion attempts and other malicious activity. Many security researchers use IOCs to better analyze a particular malware's techniques and behaviours. IOCs are also used to provide actionable threat intelligence (also known as Cyber Threat Intelligence) that can be shared within the community to improve an organization's incident response and remediation strategies. Some IOCs are found in event logs and timestamped entries on the system. Security professionals often monitor systems against a blacklist of known IOCs to help mitigate and prevent breaches or attacks.

Examples of IOCs

  • Unusual traffic going in and out of the network

  • Unknown files, applications, and processes on the system

  • Suspicious activity in administrator or privileged accounts

  • Irregular, out-of-the-ordinary traffic patterns

  • Anomalous spikes in requests and read volume on company files

  • Network traffic on unusually used ports

  • Tampered file, DNS and registry configurations, as well as changes to system settings

  • Large amounts of compressed files and data found, without explanation, in locations where they shouldn't be

Type of IOCs

There are different types of IOCs:

  • File-based Indicators - These are usually associated with a specific file. These indicators usually come in a hash format (MD5, SHA1, SHA256).

  • Network-based Indicators - These are indicators associated with a network, and they usually come in the form of an IP address or domain name.

  • Behavioural Indicators - Some indicators are associated with the behaviour of a system or network, such as unusual network traffic or unusual system activity. See the examples above for some of these.

  • Artefact-based Indicators - These are indicators associated with the artefacts left behind by an attacker, such as a registry key or a configuration file.
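To make the four IOC types concrete, here is a small matcher, added here as an example and not part of the original page, that runs constructed telemetry against each type and also shows the blacklist-style monitoring of event logs mentioned earlier. Everything in it is made up for the demo: the IOC values, the hostnames, the log format (`<timestamp> <event> key=value ...`), and the "expected ports" used for the behavioural rule. IP addresses come from the RFC 5737 documentation ranges and domains use the reserved `.example` TLD, so nothing here is a real indicator. The file hash is computed at runtime from a constructed byte string rather than hard-coded.

```python
"""
Added example (not from the original page): a minimal IOC matcher covering
file-based, network-based, behavioural and artefact-based indicators.
All indicator values, hosts and log lines are constructed for the demo.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# --- Constructed IOC set (placeholder values, not real threat intel) --------
SAMPLE_MALWARE_BYTES = b"constructed sample payload for the demo"
IOCS = {
    # File-based: SHA256 digests. Computed here so no digest is hard-coded.
    "file_hash": {hashlib.sha256(SAMPLE_MALWARE_BYTES).hexdigest()},
    # Network-based: IPs or CIDR blocks (RFC 5737 documentation range).
    "network": [ipaddress.ip_network("203.0.113.0/24")],
    # Network-based: domains; subdomains of a listed domain also match.
    "domain": {"malicious.example"},
    # Artefact-based: a registry key left behind (constructed path).
    "registry": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
}
# Behavioural: outbound ports considered normal for this constructed estate.
EXPECTED_PORTS = {53, 80, 443}

# Constructed, syslog-style telemetry: "<ts> <event> key=value ..."
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z dns_query host=ws01 qname=cdn.malicious.example
2024-05-01T10:00:05Z net_conn host=ws01 dst=203.0.113.45 dport=8443
2024-05-01T10:00:09Z reg_set host=ws01 key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
2024-05-01T10:01:00Z net_conn host=ws02 dst=198.51.100.7 dport=443
2024-05-01T10:01:03Z dns_query host=ws02 qname=updates.example
""".splitlines()

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Hit:
    ioc_type: str   # file_hash | network | domain | registry | behavioural
    indicator: str  # the value that matched
    host: str
    line: str


def parse_line(line: str):
    """Split '<ts> <event> k=v k=v' into (ts, event, {k: v})."""
    ts, event, rest = line.split(" ", 2)
    return ts, event, dict(KV_RE.findall(rest))


def domain_matches(qname: str, listed) -> bool:
    """Exact match or a true subdomain; 'notmalicious.example' must not match."""
    return any(qname == d or qname.endswith("." + d) for d in listed)


def ip_matches(addr: str, networks) -> bool:
    """True if addr parses as an IP and falls inside any listed network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def check_file(data: bytes, iocs=IOCS):
    """File-based check: return the SHA256 digest if it is a known IOC, else None."""
    digest = hashlib.sha256(data).hexdigest()
    return digest if digest in iocs["file_hash"] else None


def scan_logs(lines, iocs=IOCS, expected_ports=EXPECTED_PORTS):
    """Run every log line through the network, artefact and behavioural rules."""
    hits = []
    for line in lines:
        _, event, f = parse_line(line)
        host = f.get("host", "?")
        if event == "dns_query" and domain_matches(f.get("qname", ""), iocs["domain"]):
            hits.append(Hit("domain", f["qname"], host, line))
        elif event == "net_conn":
            dst = f.get("dst", "")
            if ip_matches(dst, iocs["network"]):
                hits.append(Hit("network", dst, host, line))
            port = int(f.get("dport", 0))
            if port not in expected_ports:  # behavioural: unusual port
                hits.append(Hit("behavioural", f"unusual port {port}", host, line))
        elif event == "reg_set" and f.get("key") in iocs["registry"]:
            hits.append(Hit("registry", f["key"], host, line))
    return hits


if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"[{h.ioc_type}] {h.host}: {h.indicator}")
    print("sample file flagged:", check_file(SAMPLE_MALWARE_BYTES) is not None)
```

Running it flags every ws01 event (domain, network, unusual port, registry key) and nothing from ws02. Two details are worth copying into real tooling: domain matching requires a leading dot so `notmalicious.example` does not match `malicious.example`, and IP indicators are stored as networks so a single entry can cover a whole block.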

Interview Questions

1) Define the term "Indicator of Compromise" (IOC) and explain how IOCs are used in incident response.

2) What is the difference between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs)?

3) Do you think having Indicators of Compromise (IOCs) is enough? Explain why.

Author: Isaac

Reference: MITRE ATT&CK framework