Chapter 54 Β· Glossary

Indicators of Compromise β€” Glossary

Key terms for detection, analysis, and incident response.

Indicator of Compromise (IoC)
Observable evidence β€” a system event, network artifact, or behavioral pattern β€” that provides high-confidence indication that a security breach has occurred or is in progress. Unlike a general anomaly, an IoC is specific enough to conclude that an attacker likely has access to the system. The defining characteristic is confidence: an IoC isn't "something looks odd" β€” it's "something has happened." Examples include changed file hash values, impossible travel events, and organizational data appearing online. IoCs drive incident response: detection triggers investigation, investigation triggers containment.
Account Lockout (as IoC)
An authentication control that disables an account after a configured number of consecutive failed login attempts. As an IoC, an account lockout the user did not cause is evidence of an active unauthorized access attempt against that account. Two forms exist: threshold-based lockout (automatic, triggered by N failed attempts β€” indicates brute force) and administrative disablement (manual, by someone with management access β€” indicates insider threat or compromised admin). The more dangerous scenario is lockout used as phase one of a social engineering chain: lock the account β†’ call help desk impersonating the user β†’ get the password reset.
Impossible Travel
An authentication IoC that occurs when the same user account logs in from two geographically distant locations within a timeframe that cannot be explained by any available mode of transportation. Detected by comparing consecutive login source geolocations against the time delta between them and computing implied travel velocity. If velocity exceeds commercial aviation speeds (~900 km/h), one of the sessions is unauthorized. Example: login from Omaha at 09:14, login from Melbourne at 09:17. The 14,000 km gap in 3 minutes is physically impossible. SIEM systems and identity providers implement impossible travel detection as a built-in rule.
Concurrent Session Usage
Simultaneous active authenticated sessions on the same account from multiple distinct locations or devices. A potential IoC when the combination of session origins cannot be explained by the user's known devices or work patterns. Detection is more nuanced than impossible travel because legitimate concurrent sessions exist: a user may have active sessions on a work laptop, personal phone, and home desktop simultaneously. The IoC threshold is crossed when concurrent sessions originate from locations that cannot both represent the same user's devices β€” particularly for privileged administrative accounts where session patterns should be tightly controlled.
Blocked Content (as IoC)
A persistence mechanism used by attackers after gaining access: the compromised system is modified to block connections to security resources, preventing the victim from patching the exploited vulnerability or updating detection signatures. Blocked content categories include auto-update endpoints (Windows Update, macOS Software Update), antivirus vendor update servers, anti-malware tool download sites, and security patch repositories. Detection: a system that can access general internet resources but consistently fails to reach its antivirus update server or operating system update endpoint has almost certainly been tampered with to prevent security remediation.
Resource Consumption (as IoC)
Measurable increases in system or network resource utilization caused by attacker activity. The most significant form is unexplained bandwidth spikes β€” particularly during off-hours β€” caused by data exfiltration. Other forms include elevated CPU (cryptomining malware or active exploitation tools), excessive disk read activity (data staging before exfiltration), and unusual memory consumption (fileless malware). Firewall logs capturing outbound flows provide the first actionable evidence: source/destination IPs, port, protocol, data volume, and timestamp. A key detection principle: the resource spike is often the first visible IoC even when the compromise began weeks or months earlier.
Resource Inaccessibility (as IoC)
The unavailability of systems, services, or data as a direct consequence of attacker activity. Takes four forms: server crash (vulnerability exploitation attempt caused an unhandled exception); network disruption (bandwidth saturation from data transfer, or deliberate distraction); file encryption (ransomware payload has activated); account lockout cascade (active brute force or password spraying campaign in progress). The distraction pattern is particularly important: a deliberate network disruption in one area is used to focus incident response attention away from the actual compromise occurring elsewhere in the environment.
Out-of-Cycle Logging
Log entries that appear at times inconsistent with normal operational schedules. In a well-managed environment, administrative activities follow predictable patterns: patches deploy on maintenance windows, accounts are created during business hours, backups run overnight on schedule. Log entries for these activities appearing outside their expected windows indicate unauthorized administrative action β€” an attacker operating with system privileges on their own timeline. The most diagnostic form is a patch installation log entry on a non-maintenance day: attackers sometimes patch the vulnerability they used for entry to prevent competing attackers or security tools from using the same path.
Missing Logs
The absence of log entries that should exist for a given time period or activity. Because log files are forensic evidence of attacker actions, attackers routinely delete or alter logs during cleanup to hide their presence. A gap in authentication logs, firewall logs, or file access logs during a window of suspected activity is itself a high-confidence IoC β€” not "no evidence of compromise" but "evidence that someone removed the evidence." Defense: forward logs in real time to a write-protected remote log management system (SIEM) that the compromised host cannot access. Configure alerts to fire when log volume drops below expected thresholds.
Double Extortion Ransomware
A ransomware strategy that combines two separate threats: encrypting the victim's files (operational disruption) AND exfiltrating a copy before encryption (data exposure threat). The attacker demands payment for the decryption key AND threatens to publicly release the stolen data if payment is not made. This creates a two-layer coercion: even organizations with good backups face the second threat. Published data is always an IoC, even when it arrives as external notification β€” the exfiltration event occurred before the data appeared online, often weeks or months earlier, during a phase of the attack that generated no detected IoCs at the time.
SIEM (Security Information and Event Management)
An enterprise security platform that aggregates log data from across the environment (firewalls, endpoints, identity providers, servers, applications) into a central repository, applies correlation rules, and generates alerts. The primary automated detection system for IoCs at scale. Core functions: log ingestion and normalization, real-time rule-based alerting (impossible travel, off-hours activity, volume thresholds), historical correlation (linking events across time), and forensic search. Without a SIEM, manual detection of IoCs across the full log volume of an enterprise environment is not operationally feasible.
Data Exfiltration
The unauthorized transfer of data from a compromised system or network to an attacker-controlled destination. A primary goal of most breaches. Exfiltration often produces the first detectable IoC: an unexpected bandwidth spike, firewall logs showing an outbound transfer to an unknown external IP, or DNS queries to domains not seen before. Exfiltration may occur gradually over time (slow-and-low transfer to avoid volume thresholds) or in a rapid bulk transfer before triggering incident response. Detecting exfiltration requires network flow monitoring, DLP (Data Loss Prevention) tools, and firewall log analysis that compares outbound traffic against expected baselines.