MODULE-1: Introduction to Cyber Threat Intelligence

 Cyber threat intelligence – Definition, examples, history,
 various cyber threats and their intentions for cyber-attacks, threat actors,
 difference between cyber security and cyber threat intelligence.
 Threat intelligence life cycle,
 Types of threat intelligence and its applications.

 Threat Intelligence: Introduction

Threat intelligence, commonly referred to as cyber threat intelligence (CTI), is data
gathered regarding ongoing or possible attacks against an organization from a
variety of sources. The data is subsequently processed, structured, and subjected to
analysis to reduce and mitigate cybersecurity threats.

Threat intelligence's primary goal is to highlight to organizations the many threats
they face from outside attacks, such as advanced persistent threats (APTs) and
zero-day threats.

Threat intelligence provides detailed information and context on individual threats,
such as who is attacking, their capabilities and motivations, and the indicators of
compromise (IOCs). Organizations can use this information to make informed
choices on how to defend against the most harmful attacks.

Threat intelligence and cyber threat tools help organizations understand the risks of
different types of attacks, and how best to defend against them. Cyber threat
intelligence also helps mitigate attacks that are already happening. An organization's
IT department may gather its own threat intelligence, or it may rely on a threat
intelligence service to gather information and advice on best security practices.

Threat intelligence allows organizations to be proactive instead of reactive when it
comes to cyber-attacks. Without understanding security vulnerabilities, threat
indicators, and how threats are carried out, it is impossible to defend against
cyber-attacks effectively. Threat intelligence can prevent and contain attacks faster,
potentially saving businesses hundreds of thousands of dollars.
 difference between cyber security and cyber threat intelligence

Cyber intelligence focuses on understanding the nature of the risks and threats
facing your organization. This means learning how to collect information about cyber
threats that are relevant to your organization, how to make sense of it, and how to
use that insight in order to respond effectively. This information can include the
methods and attacks used by adversaries, as well as the tools and infrastructure
they use. Cyber intelligence also includes data on how your attackers behave,
including the origins of their attacks, how they launch them, what they’re trying to
accomplish through those attacks, and so on.

Cyber intelligence helps you understand the attackers, their motives, their actions
and capabilities, and how they work. It is more than just data mining: it requires the
ability to analyze what’s happening in real time. The goal of cyber intelligence is to
reduce the impact of attacks on companies by providing proactive advice on how to
protect against threats.

Cybersecurity: Cybersecurity is about preventing attacks against your organization.
It's about protecting an organization from being attacked by a malicious actor or
group of actors. Cybersecurity at its core is about defending against threats in order
to keep your organization secure.

Cybersecurity is all about protecting your computer systems from threats. Threats
can come in many forms, including viruses, spam, malware and ransomware.
Cybercrime and cyberterrorism are also threats to keep in mind when talking about
cybersecurity. Cyber security is concerned with protecting an organization’s critical
infrastructure from malware or unauthorized access.

There are some key differences between cybersecurity and cyber intelligence. Both
are important, but they serve different purposes. Cybersecurity is all about protecting
your computer systems from threats, while cyber intelligence focuses on
understanding the nature of those threats. This understanding is then used to help
protect your organization from future attacks by improving defences or taking
proactive measures like monitoring for malicious activity.

 Various cyber threats and their intentions for cyber-attacks, threat actors:

Each entry below gives the cyber threat, the intention behind the attack, the threat
actors held responsible, and a short summary.

Stuxnet
  Intention: Disrupt industrial processes
  Threat actors: Nation-state actors
  Summary: Stuxnet was a complex computer worm designed to target and disrupt
  Iran's nuclear program by manipulating industrial control systems. It was widely
  believed to be a joint effort by the United States and Israel.

WannaCry
  Intention: Ransom and data encryption
  Threat actors: Cybercriminals
  Summary: WannaCry was a ransomware attack that spread globally in 2017. It
  encrypted files on infected systems and demanded a ransom in Bitcoin for their
  release. It exploited a vulnerability in the Windows operating system.

Mirai
  Intention: Botnet creation
  Threat actors: Hacktivists
  Summary: Mirai was a malware that targeted Internet of Things (IoT) devices, such
  as routers and cameras. It enslaved these devices into a botnet, which was then
  used to launch large-scale DDoS attacks.

NotPetya
  Intention: Data destruction
  Threat actors: Nation-state actors
  Summary: NotPetya was a destructive malware disguised as ransomware. It
  primarily targeted organizations in Ukraine but spread globally. It caused
  widespread damage by encrypting data and rendering systems inoperable.

Heartbleed
  Intention: Information theft
  Threat actors: Software vulnerability
  Summary: Heartbleed was a critical security vulnerability in the OpenSSL library,
  used to secure communications

 Threat intelligence life cycle:

Threat intelligence enables organizations to fight back against looming cyber
threats. It is the practice of collecting, processing and analysing data in the
hope of understanding a threat actor's motives, targets and attack behaviours.
It is relatively easy to convey the importance of threat intelligence and how it
benefits an organization, but the process of converting raw data into
intelligence is much more complex. For instance, raw data collected through
the use of tools and automation doesn't equate to intelligence; only once this
data has been collected, processed and analysed can it be used as
actionable intelligence. This process is cyclical, as new questions and gaps in
knowledge are identified.

The threat intelligence lifecycle serves as a framework for threat intelligence
teams to outline and implement security measures more efficiently and
effectively. It is a continuous process of producing threat intel from raw data
that allows organizations to build defensive mechanisms to avert emerging
risks and threats. The threat intelligence lifecycle assists and guides
intelligence teams in building an efficient threat intelligence platform.

The Five Phases of the Threat Intelligence Lifecycle

 Direction – The direction phase of the threat intelligence lifecycle refers to the
goals set for the threat intelligence program, which involves understanding and
asserting the business assets and processes that need to be protected. In
addition, the other objectives include studying the impacts of asset loss or process
interruption and the kind of threat intelligence that an organization needs. Once
the intelligence needs are identified, an organization can articulate questions,
driving the need for information as per requirement.
 Collection – Collection is the process of accumulating information to address
significant intelligence requirements. Information gathering can take place in
several ways, such as by extracting logs and metadata from security devices and
internal networks, subscribing to varied threat data feeds, or communicating with
knowledgeable sources. Typically, the data collected is an amalgamation of
finished information and threat intelligence raw data.
 Processing – The transformation of gathered information into a format consumable
by organizations is called processing. All the raw data collected needs to be
processed either by humans or machines. Organizations embrace different means
of processing for different collection methods.
 Analysis – Analysis refers to the process that converts processed information into
intelligence for decision making. The process of decision-making might involve
investigating a potential threat actor, actions that need to be taken to thwart an
attack, enriching threat intelligence to find meaningful and relevant data,
reinforcing security controls, improving your tactical threat intelligence, and much
more. Formatting information when presenting during this part of the intelligence
cycle is crucial.
 Dissemination – Every cybersecurity organization has different teams that can
benefit from a threat intelligence cycle. Delivering the finished intelligence output
to the teams that need it is called dissemination. Some teams
may require a data breach report, while others want reports on potential threats or
network security reports.
 Feedback – It is important to understand the intelligence requirements and priorities
of the teams consuming the threat intelligence. In the threat intelligence cycle,
getting constant feedback is necessary to understand the requirements of the
security professionals. Receiving feedback helps in producing accurate threat
intelligence feeds through timely assessments.

 Types of Threat Intelligence

Threat intelligence comes in four different types: strategic, tactical, technical, and
operational. To create a thorough threat assessment, all four are necessary. They
range from high-level, non-technical information to technical details about specific
attacks:

 Strategic: Strategic threat intelligence is high-level information that puts the
threat in context. It is non-technical information that an organization could
present to a board of directors. An example of strategic threat intelligence is the
risk analysis of how a business decision might make the organization
vulnerable to cyber-attacks.
 Tactical: Tactical threat intelligence includes the details of how threats are
being carried out and defended against, including attack vectors, tools, and
infrastructures attackers are using, types of businesses or technologies that are
targeted, and avoidance strategies. It also helps an organization understand
how likely it is to be a target for different types of attacks. Cybersecurity
experts use tactical information to make informed decisions about security
controls and managing defences.
 Operational: Operational threat intelligence is information that an IT
department can use as part of active threat management to take action against
a specific attack. It is information about the intent behind the attack, as well as
the nature and timing of the attack. Ideally, this information is gathered directly
from the attackers, which makes it difficult to obtain.
 Technical: Technical threat intelligence is specific evidence that an attack is
happening, or indicators of compromise (IOCs). Some threat intelligence tools
use artificial intelligence to scan for these indicators, which might include email
content from phishing campaigns, IP addresses of C2 infrastructures, or
artifacts from known malware samples.

Threat Intelligence tools:

A variety of threat intelligence tools are for sale or available at no cost through the
open-source community. They all have slightly different approaches to threat
intelligence gathering:

 Malware disassemblers: These tools reverse engineer malware to learn how it
works and help security engineers decide how to defend against future,
similar attacks.
 Security information and event management (SIEM) tools: SIEM tools allow
security teams to monitor the network in real-time, gathering information about
unusual behavior and suspicious traffic.
 Network traffic analysis tools: Network traffic analysis tools collect network
information and record network activity to provide information that makes
detecting an intrusion easier.
 Threat intelligence communities and resource collections: Freely accessible
websites that aggregate known indicators of compromise and community-
generated data about threats can be a valuable source of threat intelligence.
Some of these communities support collaborative research and provide
actionable advice on how to prevent or combat threats.

Organizations that are aware of emerging threats and know how to avoid them can
take action to prevent an attack before it happens. Gathering and reviewing threat
intelligence should be part of the enterprise security strategy for every organization.

MODULE-2: Threat Intelligence – Risk Management

 Importance of threat intelligence in risk management,
 benefits of threat intelligence to an organisation,
 characteristics of threat intelligence, threat intelligence enabled risk
management process,
 SOC- Security Operations Center – its functions,
 SIEM-Security Information and Event Management Overview functioning,
benefits.

The purpose of risk management is not to chase the unattainable goal of perfectly
secure systems and a risk-free business. Rather, it is to make sure that you have
thought about what can go wrong, and that this thinking has influenced your
organisation's decisions.

5 Reasons why Threat Intelligence Matters to your Company

Every business has certain core objectives regardless of size, industry, or geographic
location. These include growing revenue by increasing sales, reducing risk by reducing
costs, lowering expenses by cutting costs, increasing customer and employee satisfaction by
improving service, adhering to regulatory requirements by complying with laws and
regulations, and so on. Until recently, it seemed that focusing on information security was an
afterthought. After all, security is an additional cost, and time spent training and tougher
authentication mean less time spent on other profitable tasks.

So why should businesses care about cybersecurity? And beyond that, why should they care
about understanding the key components of cybersecurity or security tools? As it turns out,
key components such as cyber threat intelligence can strategically guide security practices,
align organizational objectives and ensure the success of those objectives.

Below are a few key areas where threat intelligence can have a positive impact on your
business objectives and increase your security posture.

1) Reducing Risk

Adversaries, or anyone with the intention and capability to do harm, are constantly
discovering new ways to infiltrate organizations' networks. Cyber threat intelligence provides
increased visibility across the threat landscape into existing threats and emerging cyber-
attacks. By acquiring this knowledge and applying it to your environment, you can reduce the
risk of data loss, prevent or minimize disruption to business operations, and increase your
understanding of the threat to help prevent future attacks.

2) Preventing Financial Loss

Not only do security breaches cost your organization in post-incident remediation and
restoration, but they can also include fines, investigations, and lawsuits that frequently run in
the millions of dollars. Arming your Security Operations Center (SOC) and Incident
Response teams with operational threat intelligence helps them make timely, informed
decisions to prevent system downtime, thwart the theft of confidential data, protect your
intellectual property, and save your organization's reputation and customers.

3) Maximizing Staffing Efficiency

Threat intelligence makes the security team you currently have considerably more efficient
and less prone to burnout from alert fatigue. Manually validating and correlating threat
intelligence is time-consuming and resource-intensive. Threat intelligence solutions such as
Anomali ThreatStream use artificial intelligence and security automation to collect and
correlate raw data and threat intelligence feeds to operationalize threat intelligence. By
integrating threat intelligence into your security infrastructure, you can lower your security
response times and cut down on false positives to allow your security team to focus on what
matters.

4) Investing Wisely in your Infrastructure

Along with freeing up your staffing for other needs, when you understand the cyber threat
landscape, you're able to identify the most relevant threats targeting your business to make
faster decisions and ensure your infrastructure is able to address these attack vectors. You
can also break down silos to increase communication between your security experts and
other stakeholders within your organization to align overall objectives.

5) Lowering Expenses

Building off the previous points, threat intelligence can ultimately lower your expenses and
save your business capital. An improved defensive posture informed by threat intelligence
helps defend against persistent threats to mitigate your organization's risk, lower your
response times, and maximize your security investments. With resources focused on the
real threats to your business, you'll be able to increase efficiencies in financial and human
resources.

In this digital age, investing in threat intelligence is rapidly becoming a necessity. The
significant benefits to the success of business operations in both the short term (proper
capital allocation, more efficient staffing, regulatory compliance, etc.) and the long-term
(reduced risk, financial loss prevention, etc.) make it a worthwhile investment.

Why risk management matters:

Risk management exists to help us to create plans for the future in a deliberate,
responsible and ethical manner. This requires risk managers to explore what could
go right or wrong in an organisation, a project, a programme or a service, while
recognising that we can never fully know the future as we try to improve our
prospects. Risk management is about analysing our options and their future
consequences, and presenting that information in an understandable, usable form to
improve decision making.

 SOC- Security Operations Center – its functions,

 A security operations center (SOC) is a centralized unit that monitors and
analyzes an organization's network to detect and respond to threats and
vulnerabilities.
 A SOC typically includes analysts, managers, and tools to monitor security
events and alerts in real-time across multiple systems and applications.
 In a cyber security operations center, all security events are monitored by
security teams, sometimes with the help of security automation tools. The
goal of a SOC is to respond to alerts as quickly and thoroughly as possible
before data is compromised.
 A well-managed SOC can help improve cyber defenses by providing visibility
into your network activity across all systems, applications and cloud
environments. It should also be able to detect when systems or applications
are compromised before they cause damage or allow attackers access to
other parts of your environment.

Benefits of a SOC
 The primary benefit of a SOC, security operations center, is that it keeps an
organization’s data, employees and assets secure. To do so, the SOC detects
and responds to security threats in real-time. The benefits of a SOC include:
 Better visibility into your network: Monitor alerts and identify anomalies in real-
time to improve visibility into your network traffic patterns.
 Faster Incident Response: The ability to analyze data in real-time provides
faster response times when incidents occur, enabling you to quickly identify
risks and take action before it’s too late.
 Reduce Costs: The SOC is key to preventing costly attacks. Clear SecOps
processes and security automation solutions help drive efficiency, which
results in reduced costs for enterprise teams.
 Ensure Compliance: For organizations in sectors with strict compliance
requirements, a SOC can help ensure security standards are upheld.

What Is SOC?
A team of IT security professionals that safeguard enterprises by continuously
monitoring, detecting, analyzing, and investigating cyber threats is called a
security operations center, or SOC. Networks, servers, computers, endpoint
devices, operating systems, applications, and databases are continuously
examined for signs of a cyber security incident. The SOC team analyzes feeds,
establishes rules, identifies exceptions, enhances responses, and keeps a
lookout for new vulnerabilities.

What Does a SOC do?

The SOC's goal is to protect the organization by minimizing the damage
caused by cyberattacks while also keeping security operations running
smoothly.

The SOC's job is to monitor all security systems and networks within an
organization – whether they're on-site or remote – 24/7 to ensure that they're
operating properly and aren't compromised by hackers. They also watch for
any suspicious activity that might indicate an incoming attack or intrusion
attempt. These environments can be monitored at any scale, including remote
and worldwide operations overseen by a global security operations center (GSOC).

The security operations center (SOC) is the hub of your organization's security
infrastructure. The SOC is responsible for collecting, analyzing and responding
to alerts. The SOC usually includes a wide array of tools, such as SIEM and
SOAR solutions, firewalls, IDPSs, backup tools and many others.

The SOC has several main functions:

Prevention and proactive monitoring: Prevention is the best offense when it
comes to cyber-attacks. The SOC team will stay up-to-date with the latest
cybercrime trends, create incident response plans, patch vulnerabilities and
take other major preventative measures.

Alert management: The primary function of a SOC is to collect and manage
alerts generated by its monitoring tools. This includes technologies like
firewalls, IDPSs and SIEMs.

Security intelligence: The SOC provides real-time or near real-time information
about threats that have been detected by its security tools.

Incident response: A key role of the SOC is to respond to incidents as soon as
they occur. This includes following IR processes and procedures, such as
isolating endpoints and triaging threats, as well as properly documenting cases to
refer to later.

Recovery and remediation: The SOC is also responsible for post-incident
recovery and remediation, for example in the event of a data breach. This includes
restoring systems and recovering lost data. In worst-case scenarios, like
ransomware attacks, this could also mean deploying backups when necessary.

Log management: It's the job of the SOC to collect, maintain and review all
activity and communications throughout the whole organization. Managing
these logs helps SOC teams identify normal and abnormal behavior to find
threats.

Security posture refinement: Security posture is vital to the safety of business
assets. It's up to the SOC to identify and actively refine an organization's
overall security posture.

Compliance: Many industries – especially public and government sectors –
must comply with new regulatory requirements. It's the responsibility of the
SOC to ensure security regulations are followed.

 SIEM-Security Information and Event Management Overview, functioning, benefits.

Security information and event management (SIEM) solutions use rules and
statistical correlations to turn log entries and events from security systems into
actionable information. This information can help security teams detect threats
in real time, manage incident response, perform forensic investigation on past
security incidents, and prepare audits for compliance purposes.
The term SIEM was coined by Mark Nicolett and Amrit Williams, in Gartner’s
SIEM report, Improve IT Security with Vulnerability Management. They
proposed a new security information system on the basis of two previous
technologies: Security Information Management (SIM) and Security Event
Management (SEM).

Several years later, Gartner introduced a vision of a next-gen SIEM that goes
beyond rules and correlations. Next-gen SIEM incorporates two key
technologies: user and entity behavior analytics (UEBA) and security
orchestration and automation response (SOAR). These technologies enable
complex threat identification, detection

Why Is SIEM Important?

SIEM combines two functions: security information management and security
event management. This combination provides real-time security monitoring,
allowing teams to track and analyze events and maintain security data logs for
auditing and compliance purposes.

SIEM offers a well-rounded security solution to help organizations identify
potential and real security vulnerabilities and threats before they disrupt
operations or cause lasting damage to their business reputation. SIEM makes
behavioral anomalies visible to security teams, enhancing the monitoring
process with AI to automate incident detection and response processes. It has
replaced many manual tasks, becoming a ubiquitous tool for any security
operation center (SOC).

MODULE-3: Threat Intelligence Strategy and Capabilities

 Key elements of cyber threat intelligence,
 Cyber Threats and Advanced Persistent Threats (APT),
 Indicators of Compromise (IOCs),
 Cyber threat intelligence framework,
 cyber kill chain and the pyramid of pain,
 Role of Threat Analyst in Threat Intelligence Life cycle.

Introduction
An Indicator of Compromise (IoC) is a piece of information that indicates a potential
security breach or cyberattack. Cybersecurity professionals use it to identify and
respond to threats effectively. An IoC can be a file, IP address, domain name,
registry key, or any other evidence of malicious activity. Cybersecurity professionals
use IoCs to track down attackers, understand their methods, and prevent future
attacks.

In today’s digital age, the growing threat of cybercrime has put organizations of all
sizes and sectors on high alert. One of the most significant challenges enterprises
face is detecting and responding to security incidents, including data breaches and
system compromises before they can cause considerable damage. This is where
IoCs come into play.

IOC vs. IOA

Before we dive deeper into IOCs, it's essential to understand the difference between
IOCs and IOAs (Indicators of Attack). IOCs are used to identify when an attacker has
already compromised a system. On the other hand, IOAs are used to detect when an
attacker is attempting to gain access to a system.

IOCs are typically used to detect and respond to specific security threats, while IOAs
are used to detect and respond to a wide range of security threats. IOCs are
generally more straightforward than IOAs and provide more detailed information
about a potential security threat.

What are the common indicators of compromise (IOC)?

Security personnel can often find indications that an attack is happening or has
happened if they are looking in the right places for unusual behaviour. Artificial
intelligence can help tremendously with this effort. Some common IOCs include:

 Unusual privileged user account activity: Attackers often try to gain higher
account privileges or move from a compromised account to another account
that has higher privileges.
 Login anomalies: After-hours logins that attempt to access unauthorized files,
logins in quick succession to the same account from different IPs around the
world, and failed logins from user accounts that do not exist are all good
indicators that something is amiss.
 Increases in database read volume: Seeing a large increase in database read
volume could indicate that someone is extracting an unusually large amount
of data, such as all of the credit card numbers in a database.
 Unusual domain name system (DNS) requests: large spikes in DNS requests
from a specific host and patterns of DNS requests to external hosts are both
red flags because they could mean someone from outside the organization is
sending command and control traffic.
 Large numbers of requests for the same file: A large part of cybercriminal
activity involves repeated attacks, which can indicate that someone is
searching for a vulnerability. Seeing 500 requests for the same file could
indicate that someone is trying different ways to find a weakness.
 Unexplained configuration or system file changes: While it is difficult to find a
credit card harvesting tool, it is easier to find system file changes that happen
from the tool being installed.
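Several of the indicators in this list can be checked mechanically from logs. The following is an added example, not part of the module text, that implements simple detectors for four of them (successful logins in quick succession from different IPs, failed logins against accounts that do not exist, hundreds of requests for the same file, and a DNS request spike from a single host) over constructed sample logs; the 10-minute window, 3-IP minimum, DNS spike factor and the function and log names are assumptions, while the "500 requests for the same file" threshold comes from the text.

```python
# Added example, not part of the module text: minimal detectors for four of the
# indicators listed above, run over constructed sample logs. The "500 requests for
# the same file" figure comes from the text; every other threshold is an assumption.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed authentication log: timestamp, outcome, account, source IP
AUTH_LOG = """\
2024-03-04T22:05:10 success alice 203.0.113.7
2024-03-04T22:06:02 success alice 198.51.100.23
2024-03-04T22:07:40 success alice 192.0.2.55
2024-03-04T22:09:00 failure nosuchuser 198.51.100.23
2024-03-04T22:09:05 failure svc_backup 198.51.100.23
2024-03-05T09:15:00 success bob 10.0.0.14
2024-03-05T09:40:00 success bob 10.0.0.14
"""
KNOWN_ACCOUNTS = {"alice", "bob", "carol"}  # constructed directory listing

# Constructed web access log: source IP and requested path, one line per request
ACCESS_LOG = "\n".join(["198.51.100.23 /api/export"] * 520
                       + ["10.0.0.14 /index.html"] * 3)

# Constructed DNS query log: timestamp, client host, queried name.
# ws-17 makes one query per minute, then 40 queries inside minute 22:10.
DNS_LOG = "\n".join(
    [f"2024-03-04T22:{m:02d}:00 ws-17 example.com" for m in range(10)]
    + [f"2024-03-04T22:10:{s:02d} ws-17 q{s}.example.net" for s in range(40)]
    + [f"2024-03-04T22:{m:02d}:00 ws-02 example.org" for m in range(10)])


def parse_auth(log):
    """Parse 'timestamp outcome account ip' lines into tuples."""
    events = []
    for line in log.splitlines():
        ts, outcome, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), outcome, account, ip))
    return events


def rapid_multi_ip_logins(events, window=timedelta(minutes=10), min_ips=3):
    """Accounts with successful logins from >= min_ips distinct IPs inside one window."""
    by_account = defaultdict(list)
    for ts, outcome, account, ip in events:
        if outcome == "success":
            by_account[account].append((ts, ip))
    flagged = {}
    for account, hits in by_account.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(ips) >= min_ips:
                flagged[account] = sorted(ips)
                break
    return flagged


def failed_logins_unknown_accounts(events, known):
    """Accounts that failed to log in and do not exist in the directory."""
    return sorted({acct for _, outcome, acct, _ in events
                   if outcome == "failure" and acct not in known})


def repeated_file_requests(log, threshold=500):
    """(source IP, path) pairs requested at least `threshold` times."""
    counts = Counter(tuple(line.split()) for line in log.splitlines())
    return {key: n for key, n in counts.items() if n >= threshold}


def dns_spikes(log, factor=10, min_queries=20):
    """Clients whose busiest minute is >= factor x their median minute (and >= min_queries)."""
    per_minute = defaultdict(Counter)
    for line in log.splitlines():
        ts, client, _qname = line.split()
        per_minute[client][ts[:16]] += 1      # bucket by YYYY-MM-DDTHH:MM
    flagged = {}
    for client, buckets in per_minute.items():
        peak_minute, peak = buckets.most_common(1)[0]
        if peak >= min_queries and peak >= factor * median(buckets.values()):
            flagged[client] = (peak_minute, peak)
    return flagged


def run_all():
    """Run every detector on the constructed logs and collect the findings."""
    events = parse_auth(AUTH_LOG)
    return {
        "rapid_multi_ip_logins": rapid_multi_ip_logins(events),
        "failed_logins_unknown_accounts": failed_logins_unknown_accounts(events, KNOWN_ACCOUNTS),
        "repeated_file_requests": repeated_file_requests(ACCESS_LOG),
        "dns_spikes": dns_spikes(DNS_LOG),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

Each detector returns only the entities that crossed its threshold, so the same functions can be pointed at real parsed logs by replacing the constructed inputs.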

Types of Indicators of Compromise (IoCs)

Different types of Indicators of Compromise (IoCs) are used in cybersecurity.
Some of these include:

File-based Indicators – These are associated with a specific file, such as a
hash or file name.
Network-Based Indicators – Indicators associated with a network, such as an IP
address or domain name.
Behavioral Indicators – These are indicators that are associated with the
behavior of a system or network, such as unusual network traffic or unusual
system activity. There are many behavioral indicators that MITRE Engenuity
ATT&CK maps.
Artifact-Based Indicators – These are indicators associated with the artifacts left
behind by an attacker, such as a registry key or a configuration file.

Why Are Indicators of Compromise (IoCs) Important?

Indicators of Compromise (IoCs) are essential because they help security
teams detect and prevent cyber threats. IoCs can identify and mitigate cyber
attacks, such as malware infections, phishing attacks, and other cyber threats.
As a result, organizations can protect their systems and data from
cybercriminals by detecting and mitigating these threats.
IoCs play a crucial role in identifying and mitigating potential threats to an
organization’s security. By leveraging IoCs, organizations can:

Detect security incidents quickly – IoCs can help organizations identify security
incidents and take action to prevent or mitigate potential damage.
Monitor for future threats – By monitoring for known IoCs, organizations can
detect potential threats and take proactive measures to prevent them.
Improve incident response – IoCs can help organizations develop more
effective incident response plans by providing early warning signs of malicious
activities.
Share threat intelligence – IoCs can be shared between organizations, enabling
them to collaborate and pool resources to identify and mitigate potential threats
more effectively.

Types of Indicators of Compromise

There are several types of IoCs, each with unique characteristics and uses.
These include:

1. Network IoCs
Network IoCs are indicators that suggest suspicious activity on a network.
These can include unusual traffic patterns, connections to known malicious IP
addresses or domains, and unexpected protocols or ports being used. Network
IoCs can be detected through various network monitoring tools, including
Intrusion Detection Systems (IDS) and Security Information and Event
Management (SIEM) systems.

2. Host-Based IoCs
Host-based IoCs are indicators that suggest suspicious activity on a specific
computer or system. These can include unusual file activity, suspicious
processes or services running, and unexpected changes to system
configuration settings. Host-based IoCs can be detected through various
endpoint security solutions, including Endpoint Detection and Response (EDR)
or XDR (Extended Detection and Response) tools.

3. File-Based IoCs
File-based IoCs are indicators that suggest the presence of malicious files or
malware on a system. These can include things like file hashes, filenames, and
file paths. File-based IoCs can be detected through various file-scanning tools,
including EDR software and Sandboxing tools.

4. Behavioral IoCs
Behavioral IoCs are indicators that suggest suspicious user activity on a
network or system. These can include multiple failed login attempts, unusual
login times, and unauthorized access to sensitive data. Behavioral IoCs can be
detected through user monitoring tools, including User and Entity Behavior
Analytics (UEBA) solutions. SentinelOne XDR uses a combination of behavioral
IoCs, advanced analytics, machine learning, and behavioral analysis to detect
and respond to threats in real time.
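As an added example (not from the original notes), the matcher below applies the three IoC types that can be checked from logs, network, file-based and behavioral, to constructed log lines; every indicator value, hostname and threshold in it is a made-up placeholder.

```python
"""Added example, not part of the original notes: match the IoC types above
(network, file-based, behavioral) against constructed log lines."""
import re
from collections import Counter

# Constructed indicators; placeholders only, not real threat data.
NETWORK_IOCS = {"203.0.113.45", "bad-example.test"}  # malicious IP / domain
FAKE_HASH = "0123456789abcdef" * 4                    # placeholder SHA-256
FILE_IOCS = {FAKE_HASH}
FAILED_LOGIN_THRESHOLD = 5  # behavioral IoC: repeated failures by one user

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
FAILED_RE = re.compile(r"Failed password for (\S+)")

# Constructed lines in the style of firewall, DNS, EDR and sshd logs.
SAMPLE_LOGS = [
    "fw: ALLOW 10.0.0.5 -> 203.0.113.45:443 bytes=98231",
    "dns: query bad-example.test from 10.0.0.5",
    "edr: new file C:\\Users\\a\\x.exe sha256=" + FAKE_HASH,
    "fw: ALLOW 10.0.0.6 -> 198.51.100.7:80 bytes=1200",
    "sshd: Failed password for bob from 10.0.0.9",
] + ["sshd: Failed password for alice from 10.0.0.9"] * 5


def match_iocs(lines):
    """Return (ioc_type, indicator, evidence) hits. Network and file IoCs are
    per-line signature matches; the behavioral IoC is a count across lines."""
    hits = []
    failed = Counter()
    for line in lines:
        lower = line.lower()
        for ip in IP_RE.findall(line):
            if ip in NETWORK_IOCS:
                hits.append(("network", ip, line))
        for domain in DOMAIN_RE.findall(lower):  # loose match; the set decides
            if domain in NETWORK_IOCS:
                hits.append(("network", domain, line))
        for digest in SHA256_RE.findall(lower):
            if digest in FILE_IOCS:
                hits.append(("file", digest, line))
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
    for user, count in failed.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            hits.append(("behavioral", f"{count} failed logins", user))
    return hits
```

Signature IoCs fire on a single line, while the behavioral one only fires once the per-user count crosses the threshold, which is why real deployments keep state across log batches.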

Examples of Indicators of Compromise

1. Unusual Outbound Network Traffic
Anomalies in network traffic patterns and volumes are the most common signs
of a security breach. Keeping intruders out of your network is becoming
increasingly difficult. Monitoring outgoing traffic for potential Indicators of
Compromise can be helpful. When an intruder attempts to extract data from
your network or an infected system relays information to a command-and-
control server, unusual outbound network traffic may be detected.

2. Geographic Abnormalities
Another common type of indicator of compromise is geographic abnormalities.
If an unusual amount of traffic comes from a particular country or region, it may
be a sign that the system has been compromised. If your business is based in
Los Angeles, seeing a user connecting to your network from another country
with a bad reputation for international cybercrime is a cause for concern.
Monitoring IP addresses on the network and their location can detect cyber
attacks before they can damage your organization. Multiple connections to your
accounts from unexpected locations could be a good indicator of compromise.

3. Unexplained Activity by Privileged User Accounts

In complex cyberattacks, such as advanced persistent threats, attackers often
compromise low-privileged user accounts before escalating their privileges and
authorizations. Security operators must watch for suspicious behavior from
privileged user accounts, as this may be evidence of internal or external attacks
on the organization’s systems.

4. Abnormal Account Behaviors
Anomalies in account behaviors, such as changes to login times, unusual
access to files or databases, and failed login attempts, can indicate a data
breach. Security personnel must monitor these behaviors to detect and prevent
a potential security breach.

5. Abnormal File Modifications

Unexpected changes to system files or unauthorized software installation can
signify a data breach. An attacker may use these modifications to gain control
over the system or exfiltrate sensitive data. Trained personnel must keep track
of these modifications and take action immediately if detected.

6. Communication With Known Malicious IPs

Attackers often use known malicious IPs to control the infected system or
exfiltrate sensitive data. Security professionals must monitor communication
with these IPs to detect and prevent a potential data breach.

7. Unauthorized Network Scans

Unauthorized network scans can signal a reconnaissance attack, where
attackers try to gain information about the target network using open-source or
proprietary scanning tools.

8. Suspicious Files or Processes

Malware is often disguised as legitimate software, meaning malicious files and
processes can be hidden in plain sight on your network. If you notice a
suspicious file or process you do not recognize on your system, this could be a
sign of an attack. It’s essential to investigate these files and processes
thoroughly to determine their legitimacy.

9. Unusual System Behavior

Unusual system behavior, such as unexpected restarts, crashes, or slow
performance, can also be an IoC. Attackers may use denial-of-service
attacks or resource exhaustion attacks to disrupt or bring down systems. If you
notice any unexpected behavior from your systems, it’s essential to investigate
and determine if there is a security threat.

10. Phishing Emails

Phishing emails are a common way for attackers to access sensitive
information or install malware on a victim’s system. These emails can be
challenging to spot, as they often appear to be legitimate communications from
trusted sources. However, if you notice any suspicious emails, such as
requests for login credentials or links to unfamiliar websites, it’s important to be
cautious and investigate further.

11. Social Engineering Attempts

Social engineering attacks are another common tactic attackers use to access
sensitive information. These attacks involve manipulating individuals to reveal
sensitive information or perform actions that are not in their best interest. For
example, an attacker may pose as a trusted source, such as a vendor or
employee, to access sensitive data or install malware. It is essential to educate
employees on the dangers of social engineering attacks and how to identify and
avoid them.

12. Web Traffic Levels

Another common type of indicator of compromise is web traffic levels. If there is
an unusual spike in web traffic to a particular website or IP address, it may be a
sign that the system has been compromised. In addition, you should pay
attention to unusual inbound and outbound network traffic, Domain Name
System (DNS) requests and registry configurations, and an uptick in incorrect
log-ins or access requests that may indicate brute force attacks.

13. DDoS Indicators

DDoS indicators help detect and respond to distributed denial of service (DDoS)
attacks. If an unusual amount of traffic comes from a particular IP address or
range of IP addresses, it may be a sign that the system is under attack.
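As an added example (not from the original notes), the two checks below implement the first two examples above, unusual outbound traffic volume and geographic abnormalities, on constructed data; the hostnames, byte counts, z-score threshold and country codes are all assumptions.

```python
"""Added example, not part of the original notes: two of the IoC examples
above, unusual outbound traffic volume and geographic abnormalities, checked
on constructed data. Thresholds and country codes are assumptions."""
from statistics import mean, pstdev

# Constructed daily outbound byte counts per host for the past week.
BASELINE = {
    "host-a": [1.1e9, 0.9e9, 1.2e9, 1.0e9, 1.3e9, 0.8e9, 1.1e9],
    "host-b": [2.0e8, 2.2e8, 1.9e8, 2.1e8, 2.0e8, 2.3e8, 1.8e8],
}
# Constructed figures for the day under review: host-b sends ~20x its norm,
# the kind of jump that exfiltration or command-and-control relaying produces.
TODAY = {"host-a": 1.2e9, "host-b": 4.5e9}

# Constructed login records (user, country code) for a business that expects
# its users to connect only from the countries listed.
EXPECTED_COUNTRIES = {"US", "CA"}
LOGINS = [("alice", "US"), ("bob", "CA"), ("alice", "US"), ("carol", "ZZ"),
          ("bob", "ZZ")]


def outbound_anomalies(baseline, today, z_threshold=3.0):
    """Return hosts whose outbound volume today is more than z_threshold
    standard deviations above their own weekly mean. A host with a flat
    baseline (stdev 0) is flagged on any increase."""
    flagged = []
    for host, history in baseline.items():
        mu, sigma = mean(history), pstdev(history)
        value = today.get(host, 0.0)
        if sigma == 0:
            if value > mu:
                flagged.append(host)
        elif (value - mu) / sigma > z_threshold:
            flagged.append(host)
    return flagged


def geographic_anomalies(logins, expected):
    """Return the distinct (user, country) pairs seen outside the expected
    countries, sorted so the output is stable for review."""
    return sorted({(u, c) for u, c in logins if c not in expected})
```

Both checks compare against a per-host or per-organization baseline rather than a fixed number, which is what separates these anomaly IoCs from the signature IoCs (known IPs, hashes) earlier in the section.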
