May People Be Considered as IOC?
Last Updated: 2019-07-24 06:26:23 UTC
by Xavier Mertens (Version: 1)
That’s a tricky question! May we manage a list of people like regular IOCs? An IOC (Indicator of Compromise) is a piece of information, usually technical, that helps to detect malicious (or at least suspicious) activities. Classic types of IOC are IP addresses, domains, hashes, filenames, registry keys, processes, mutexes, …
There are plenty of lists of usernames that must be controlled. Here is a short list of typical accounts that are used to perform (remote) administrative tasks or that belong to default users:
root, admin, test, guest, info, adm, mysql, user, administrator, oracle, ftp, pi, puppet, ansible, ec2-user, vagrant, azureuser
If the activity of these kinds of users (admin users, system accounts) must be logged and controlled, let’s think about "real" people now. It could be very interesting to keep an eye on the activity of “high profiles” inside the organization, like the board of directors (who are always juicy targets). But don’t forget the opposite, the “low profiles”: non-tech people who perform dangerous tasks daily. Can we consider them as “IOC”?
Let me tell you a story: A few years ago, when ransomware waves were not very popular, a customer faced a security incident and several Windows shares were encrypted after a user opened a malicious attachment. The person was not to blame: (s)he was responsible for the “email@example.com” mailbox. A daily task was to process all emails sent to this address. The chances of seeing the profile of this person compromised are much higher than for a regular user. Can we track him/her as an IOC? What if suddenly we detect a lot of logon attempts with his/her credentials?
How will less security-aware people behave when they are facing a threat? The same applies to specific departments, like human resources, where one of the tasks is to open and read candidates' resumes in the form of Office or PDF documents. May we assign a "score" to people? In many organizations, people can try to bypass security controls and behave in an unsafe way (I call them "mad-clickers"). The more they appear in security reports, the higher their score gets, and the more it could attract our attention.
Of course, this whole process must be performed with respect for privacy. The goal is NOT to spy on them!
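One way to turn the "score" idea into something reviewable, as an added sketch that is not from the diary's author: entries from security reports add to a per-person score that decays over time, and the output carries keyed pseudonyms instead of names. The event types, weights, role multipliers, half-life, threshold and sample data are all assumptions made up for this example.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed weights per report type; tune them to your own tooling.
WEIGHTS = {"phish_click": 5.0, "policy_bypass": 3.0,
           "blocked_download": 2.0, "failed_logon": 0.5}
# Assumed exposure multipliers for the kinds of roles the diary mentions.
EXPOSURE = {"shared_mailbox": 1.5, "hr": 1.5, "board": 2.0}
HALF_LIFE_DAYS = 30.0   # an event counts half as much after 30 days
THRESHOLD = 10.0        # score at which a profile deserves a review


def pseudonym(user, key):
    """Keyed token so reports show no names; only the key holder can map back."""
    return hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:12]


def score_users(events, roles, today, key):
    """events: (day, user, kind) tuples; returns {pseudonym: decayed score}."""
    scores = defaultdict(float)
    for day, user, kind in events:
        age = today - day
        if age < 0 or kind not in WEIGHTS:
            continue  # ignore future-dated or unknown report types
        decay = 0.5 ** (age / HALF_LIFE_DAYS)
        exposure = EXPOSURE.get(roles.get(user), 1.0)
        scores[pseudonym(user, key)] += WEIGHTS[kind] * decay * exposure
    return dict(scores)


def flagged(scores):
    """Pseudonyms at or above the threshold, highest score first."""
    hits = [(p, round(s, 2)) for p, s in scores.items() if s >= THRESHOLD]
    return sorted(hits, key=lambda hit: -hit[1])


# Constructed sample data (day numbers; not real users or real reports).
KEY = b"constructed-demo-key"
ROLES = {"alice": "shared_mailbox", "bob": None, "carol": "hr"}
EVENTS = [
    (100, "alice", "phish_click"), (98, "alice", "blocked_download"),
    (100, "alice", "failed_logon"), (100, "alice", "failed_logon"),
    (10, "bob", "phish_click"), (40, "bob", "policy_bypass"),
    (70, "carol", "phish_click"),
]

if __name__ == "__main__":
    for token, score in flagged(score_users(EVENTS, ROLES, today=100, key=KEY)):
        print(token, score)
```

With the decay in place, old report entries fade instead of marking a person forever, and keeping the HMAC key with a separate role (for example the privacy officer) means a name is only resolved when a review is actually justified.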
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
Some people are either already hardened, or not-yet-hardened or "nonhardenable".
The last two categories of people could be interpreted as IOC, as more suspicious than others but not definitely bad.
Jul 24th 2019