
What are Indicators of Compromise?


A lot has been written about the avoidance of cyber-attacks. Unfortunately, there is simply no way to make oneself attack-proof. Computers and their networks have so many potential attack vectors that there is no way to secure them all. Because of this, the only way to stay safe is through constant vigilance. That brings us to today’s subject. We are going to look at some of the most common indicators by which you might know that your system has been compromised.

1. Unknown Outbound Traffic

If you are serious about network security, you should already be using a network monitoring tool. Wireshark and Nmap are two of the most common, but there are many other options. Of course, you still need to have technicians who can interpret the data that they see.

When your network monitor detects a lot of outbound traffic (that is to say, data that is leaving the system), that can be a serious red flag. Cyber-attackers are usually looking to abscond with your data, and that means a lot of unexplained outbound traffic to unknown and suspicious servers.

2. Lots Of Failed Logins

To do their work, cyber-attackers have to get past various password lockouts. Unfortunately, there are many ways for them to do this. The simplest is a “brute force” approach, which uses a cracking program to decode a password gradually. The program does this by using every failed attempt to learn just a little bit more. After enough failed attempts, the entire password can be obtained.

The “Event Viewer” program (in Windows) is the easiest way to detect these failed logins. You need to act quickly because some hackers are able to wipe the logs, but they can only do so many things at once. Thus, with diligent monitoring, you can probably detect those excess failed logins.
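As an added example (not code from the original article), here is a small detector over a constructed sample of Windows Security log entries: Event ID 4625 is a failed logon and 4624 a successful one. It flags a burst of failures from one source against one account inside a sliding window, and, more importantly, a successful logon that arrives while that burst is still active, which is the point at which password guessing may have worked. The timestamps, accounts and addresses are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log entries, reduced to the fields
# we need: (timestamp, event id, target account, source address).
EVENTS = [
    ("2024-05-01 02:00:05", 4625, "joe", "203.0.113.7"),
    ("2024-05-01 02:00:09", 4625, "joe", "203.0.113.7"),
    ("2024-05-01 02:00:14", 4625, "joe", "203.0.113.7"),
    ("2024-05-01 02:00:20", 4625, "joe", "203.0.113.7"),
    ("2024-05-01 02:00:27", 4625, "joe", "203.0.113.7"),
    ("2024-05-01 02:00:33", 4624, "joe", "203.0.113.7"),
    ("2024-05-01 09:15:00", 4625, "ann", "10.0.0.12"),
    ("2024-05-01 09:15:40", 4624, "ann", "10.0.0.12"),
]

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts as (kind, account, source, timestamp) tuples.

    'burst'               : at least `threshold` failed logons (4625) from one
                            source against one account inside the window.
    'success_after_burst' : a successful logon (4624) for that account/source
                            while the burst is still inside the window.
    """
    recent = defaultdict(deque)   # (account, source) -> failure timestamps
    alerted = set()               # keys that already raised a burst alert
    alerts = []
    for ts_str, event_id, account, source in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = (account, source)
        q = recent[key]
        # Forget failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if event_id == 4625:
            q.append(ts)
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("burst", account, source, ts_str))
        elif event_id == 4624 and len(q) >= threshold:
            alerts.append(("success_after_burst", account, source, ts_str))
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(EVENTS):
        print(alert)
```

Ann's single typo followed by a successful logon stays below the threshold and is not reported; Joe's five failures and the success that follows them are.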

3. Strange Activity On Privileged Accounts

When a hacker goes after your system, they aren’t looking to compromise the low-level users. To get the data they want, they must target the privileged accounts. This can include system administrators, network administrators, or any high-ranking person within your organization.

When your network monitor detects strange activity on these accounts, it can be a red flag. For instance, let’s say you know that administrator Joe works in accounting and goes to bed early. Thus, if you see his account logged in at 4 AM and accessing something outside his department, you might want to look into that.

4. Traffic Between Strange Locations

This is a very simple indicator of compromise, although it isn’t the surest in the world. Network monitoring tools allow you to see what each IP address on the network is doing, and your physical location is tied to your IP address. So, what does it mean if you see a whole lot of traffic from a remote country? Unless your organization does business in that area, it is another red flag.

Any good hacker will know how to disguise their IP address. Chances are, they will use a server that is far from their physical location. They are also more likely to choose servers from countries with weak cybersecurity laws. They are also likely to switch their dummy IP addresses frequently, which creates even more irregularities that you might detect.

5. Excessively Large Numbers Of HTTP File Requests

When a network is being attacked, the attacker will need to request access like any other user. However, they are trying to compromise the site, and that will probably require some trial and error. They will try many different tricks until they find one that works, but each attempt involves another HTTP file request. Thus, if you see many requests for the same file, and they’re all coming from strange IP addresses with no clear reason for the traffic, you can probably guess that it’s malicious.
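As an added example (not code from the original article), the check described above run over a constructed sample of web server access-log lines in the Apache/nginx "combined" format: a path is flagged when it is requested many times, from many distinct source addresses, and mostly with non-2xx responses, which is what repeated trial and error against one file looks like. The log lines, addresses and paths are constructed sample data; the thresholds are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log (documentation IP ranges, not real hosts).
LOG = """\
198.51.100.4 - - [01/May/2024:03:10:01 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
198.51.100.9 - - [01/May/2024:03:10:02 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.20 - - [01/May/2024:03:10:03 +0000] "GET /admin/login.php HTTP/1.1" 403 512 "-" "python-requests/2.31"
203.0.113.21 - - [01/May/2024:03:10:04 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "python-requests/2.31"
203.0.113.22 - - [01/May/2024:03:10:05 +0000] "GET /admin/login.php HTTP/1.1" 401 512 "-" "-"
10.0.0.5 - - [01/May/2024:03:11:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.6 - - [01/May/2024:03:11:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [01/May/2024:03:11:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse(log_text):
    """Yield (source ip, requested path, status code) for each parsable line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def hammered_paths(log_text, min_requests=5, min_sources=3, min_error_ratio=0.8):
    """Return {path: (requests, distinct_ips, error_ratio)} for paths requested
    at least min_requests times, from at least min_sources distinct addresses,
    where at least min_error_ratio of the responses were not 2xx."""
    hits = defaultdict(list)
    for ip, path, status in parse(log_text):
        hits[path].append((ip, status))
    flagged = {}
    for path, entries in hits.items():
        n = len(entries)
        sources = {ip for ip, _ in entries}
        errors = sum(1 for _, s in entries if not 200 <= s < 300)
        ratio = errors / n
        if n >= min_requests and len(sources) >= min_sources and ratio >= min_error_ratio:
            flagged[path] = (n, len(sources), ratio)
    return flagged
```

Ordinary browsing of /index.html is never flagged even with a low request threshold, because its responses succeed; the repeated probing of the login page is.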

6. Large Rise In Database Read Volume

When it comes to the most sensitive data, it tends to be secured in databases. These databases are normally protected by encryption and other protective measures, but these can be circumvented. Since every cyber-attacker knows the above to be true, it is a safe bet that your database will be one of their primary targets.

Your IT professionals should always keep an eye on database read volume and should react to any unexpected spike. Obviously, this sort of thing isn’t always an indicator of compromise, but it’s another important early warning sign.

7. Unexplained Changes To The Registry

If you don’t know what your registry is, then you probably should. The registry is a set of files that keep track of various settings for both Windows itself and individual users. The purpose of the registry is to give the system a “baseline” of settings that can be considered as defaults. Thus, anything that is in the registry will be considered safe and normal by the computer itself.

When a hacker changes a setting (which they often do), it will probably produce a change in the registry. That change is likely to be logged and can be one of the surest indicators of compromise. Just make sure that normal users cannot change settings too much, or you could end up with a mess that is nearly impossible to read.

8. Updating Irregularities

Most software needs to be updated from time to time, and the same is true of the operating systems that run it. Because these updates require permissions, they can be hijacked and used as an attack vector. By disguising their malware as an update prompt from a legitimate source, attackers can trick you into giving permission for the malware to install. The best way to counter this is to verify updates with the source before downloading.

Conclusion

Unfortunately, there is no way for us to cover all the potential indicators of compromise. That list would simply be far too long for anyone to read, but we hope we have given you a good grasp of the essentials. If you have enjoyed this article, and if you would like to read more of our work, please fill out the contact form.