Chapter 54 Β· Concepts

Indicators of Compromise β€” Concepts Map

Quick-reference tables and category breakdowns for all nine IoC types.

IoC Quick Reference β€” All Nine Categories

IoC Category What You Observe What It Indicates Primary Defense/Detection
Account Lockout User account locked β€” user didn't cause it Brute force attempt; or social engineering setup (lock β†’ call helpdesk β†’ reset) Strong identity verification for password resets; lockout threshold alerts
Impossible Travel Same account logs in from two distant locations within minutes Credential compromise β€” attacker using stolen credentials from remote location SIEM / IdP impossible travel rule; automated session termination; MFA
Concurrent Sessions Same account active simultaneously from locations that can't both be the user Credential sharing or theft; session hijacking Session inventory correlation against known device list; privileged account monitoring
Blocked Content System cannot reach update servers or antivirus vendors Attacker maintaining persistence by preventing patches and signature updates Monitor update connectivity; alert on update failures; EDR health monitoring
Resource Consumption Unexpected bandwidth spike, elevated CPU/disk at off-hours Active data exfiltration; cryptomining; malware operating in background Network flow monitoring; bandwidth threshold alerts; firewall log analysis
Resource Inaccessibility Server crash, encrypted files, network disruption, mass account lockouts Ransomware execution; exploit-caused crash; attack distraction technique Availability monitoring; ransomware honeypot files; incident response playbooks
Out-of-Cycle Logging Administrative activity (patches, account changes) at unexpected times Attacker with admin privileges operating on their own schedule SIEM temporal anomaly rules; baseline expected activity windows; change control alerts
Missing Logs Gaps in log files where entries should exist Attacker deleted logs to hide their actions; log volume alerts Remote log forwarding to write-protected SIEM; volume drop alerts
Published Data Organizational data appears online; external breach notification Exfiltration completed; possible double extortion ransomware Dark web monitoring; threat intelligence feeds; Have I Been Pwned

Impossible Travel β€” Detection Logic

The impossible travel detection algorithm operates against the authentication log for each user account:

Step Operation Example (Omaha β†’ Melbourne)
1. Geolocate IPs Map each login's source IP to a physical location using geolocation database Login A: 41.25Β°N, 95.93Β°W (Omaha, NE, USA) Β· Login B: 37.81Β°S, 144.96Β°E (Melbourne, AU)
2. Calculate Distance Compute great-circle distance between the two coordinates β‰ˆ 14,100 km
3. Calculate Time Delta Subtract timestamp of Login A from timestamp of Login B 3 minutes = 0.05 hours
4. Compute Velocity Distance Γ· Time = implied travel speed 14,100 km Γ· 0.05 h = 282,000 km/h (β‰ˆ 83Γ— speed of sound)
5. Compare Threshold If velocity > commercial aviation maximum (~900 km/h) β†’ flag as impossible travel 282,000 km/h ≫ 900 km/h β†’ ALERT: Impossible Travel Detected

Account Lockout as Multi-Stage Attack

1
Trigger lockout deliberately β€” Attacker sends N+1 failed login attempts against the target account. Account auto-locks. No damage yet β€” this is setup.
2
Call the help desk β€” Attacker calls support, claims to be the locked-out user. "My account is locked and I'm late for a meeting. Can you reset my password quickly?"
3
Social engineer the reset β€” Attacker provides the user's name, employee ID, and answers basic identity questions (all scraped from LinkedIn or earlier recon). Help desk resets the password.
4
Log in with the new credential β€” Attacker authenticates with the reset password. Full account access obtained without ever cracking a hash or breaking a technical control.
Defense: Require out-of-band identity verification for all password resets: manager approval, callback to a previously registered phone number, or in-person ID check. Never reset based solely on information the caller provides over the phone.

Log Chain β€” What Attackers Delete and Where the Remote Copy Survives

Log Type Where Stored Locally What Attacker Deletes Remote Survivability
Authentication Logs Windows Event Log (Security); /var/log/auth.log (Linux) Event log cleared via wevtutil or direct file deletion Domain controller forwards to SIEM β€” local delete doesn't reach the remote copy
Firewall Logs Firewall internal storage (often syslog) Usually not accessible to the attacker (no shell access to firewall appliance) Firewall syslog to SIEM; attacker on a workstation cannot reach the firewall's log
File Access Logs Windows Audit Policy / SACL logs Security event log cleared (same as auth logs) SIEM ingestion of real-time event forwarding preserves audit trail
Web/DB Server Logs Application-specific log files in /var/log or IIS logs Direct file deletion or log rotation manipulation Syslog forwarding or log shipper (Filebeat/Splunk UF) to remote SIEM

IoC Detection by Tool Category

Tool Best For Weak Against
SIEM Cross-source correlation, out-of-cycle logging, volume anomalies, impossible travel, missing log alerts Slow-and-low attacks that stay below all thresholds; encrypted C2 traffic
EDR Blocked content (failed update connections), process anomalies, file hash changes, in-memory threats Network-layer activity; lateral movement using legitimate admin tools
Identity Provider (IdP) Impossible travel, concurrent sessions, account lockout patterns, MFA bypass attempts Lateral movement after initial login; on-network attacks that don't re-authenticate
Network Flow (NetFlow) Bandwidth spikes, exfiltration destinations, off-hours traffic, east-west lateral movement Encrypted content inspection; application-layer detail without decryption
Dark Web Monitoring Published data, credential dumps, stolen IP appearing for sale before public disclosure Active intrusions in progress; everything that hasn't yet been exfiltrated