Ever fallen into the trap of the ‘streetlight effect’? Looking for the most obvious things, the factors based on known knowns, without looking past them into the darkness for the hidden or less obvious factors that someone is desperately hoping you won’t see.

Many organisations do exactly that when they analyse the indicators of compromise from a cyber security breach and take action based solely on them, rather than implementing and maintaining good security practices that prepare the organisation for anything, and could prevent or mitigate the impact of an attack in the first place.

That said, analysis of indicators of compromise does serve a purpose. Carrying out forensic analysis of any cyber security incident enables organisations to learn from the incident, and reduce the risk of it happening again.

What are indicators of compromise?

Simply put, indicators of compromise are evidence that a cyber attack took place. Indicators of compromise sit within an organisation’s network for example in system or network logs, and they may even provide information about the tactics, techniques, and procedures (TTPs) used in the attack, or who the perpetrators are.

Some of the most common forms of indicators of compromise include unusual inbound or outbound traffic, unknown files, applications, and processes in the system, anomalies in user account activity, frequent log-ins or log-outs from multiple accounts, increases in database read volumes, unusual DNS requests, unexpected changes to files or systems.

The benefits of analysing indicators of compromise

Monitoring networks for indicators of compromise gives the IT security team eyes on what is happening across the network, either in real time, or forensically. It adds another layer of security beyond firewalls and alerting systems, that could pay off for the organisation. If the network is being monitored in near real time, focussing on indicators of compromise may enable the IT security team to identify an attack close to as it is happening, and prevent it from getting worse.

Ongoing monitoring of indicators of compromise can also help organisations understand where there are weaknesses in their cyber security, especially if the same indicators of compromise are identified again and again. Using this information smartly will enable the organisation to strengthen their defences before an attack occurs.

Indicators of compromise can also contribute to the forensic analysis of a cyber incident. Analysis of the indicators of compromise can add to the overall picture of what happened, provide understanding of weak spots, and identify whether their current monitoring is focussing on the right areas of the network.

Indicators of compromise analysis can also provide actionable threat intelligence both about a particular malware’s behaviours and techniques, and in general, to improve the organisation’s incident response and remediation strategies.

The alternative: A comprehensive cyber security prevention strategy

To borrow yet another old saying, prevention is better than cure, and that is most definitely true when it comes to cyber security.

While analysing indicators of compromise after an attack is a good way to avoid being attacked again, a cyber security prevention strategy that implements and maintains good ongoing security practices will protect an organisation from cyber attack before it happens, saving them the time, money, and reputation points that any cyber attack costs.

Cyber attacks are expensive. The direct costs of a cyber incident include payments to external consultants to discover the extent of the damage, and to work on remediation efforts, costs of buying new, or upgrading software and systems, legal fees, insurance excesses, fines, compensation, and even PR costs.

In addition, there are indirect costs such as loss of revenue while systems are non-operational, or loss of customers who choose to take their business elsewhere due to a breach.

Forensic activity can cost an organisation thousands if not millions of pounds, days, weeks, or even months to get back to normal, and serious reputation points among customers and the market. Some businesses simply never recover from a cyber attack. Isn’t it worth spending the time and money to create a plan that will cost a fraction of that if it will save money in the long run, and possibly even save the business?

Elements of a cyber security prevention strategy

There isn’t a one-size-fits-all solution to an effective cyber security prevention strategy. Every organisation has their own unique circumstances which in turn leads to a unique set of threats and risks. The best cyber security prevention strategies take a layered approach to security, offering defense in depth to the organisation.

However every strategy should consider the following elements:

Risk identification and analysis

The starting point of any cyber security prevention strategy is an understanding of the threats that the organisation faces, and the implications for the organisation if these threats turned into an event. The resulting risk assessment will inform that activity undertaken by the organisation to manage those risks.

Infrastructure protection strategy

Protecting the organisation’s network and infrastructure is integral to a cyber security prevention strategy. Technical solutions such as firewalls, anti-virus programs, additional filters, threat management systems, and more will prevent many attacks from getting a foothold inside the network to launch an attack. Perimeter alerting systems will also give IT security teams early warning in case of a breach.

Internal IT security policies such as segregated networks by area of operation, installing patches in a timely manner, using up to date versions of software, and supported versions of hardware will also reduce the vulnerability of the organisation to attack.

Implement a security culture

Employees are still often the weakest link for any organisation, and social engineering tactics are still a successful entry point for many forms of cyber attack. Educating and supporting employees in the best cyber secure practices, and turning them into security champions will reduce the chance of a breach originating from an employee.

In addition, make sure that cyber security policies are relevant, up-to-date, and understood by all employees to help them safeguard the organisation. A Bring Your Own Device Policy for example sets out how employees should use their phones in the office, or a Password Policy helps them understand how to protect their data.

Backup and disaster recovery strategy

While not entirely about prevention, backup and disaster recovery strategies are also crucial for an effective, ongoing cyber security prevention strategy. Regular backups that are easily accessible in a cyber event, and a functionable, tested disaster recovery plan will enable the organisation to get back on their feet as soon as possible, and will save time, money, and reputation in the event that an attack penetrates other defences.

Stay safe

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checkbox-advertisement	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Advertisement".
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-176747747-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
CONSENT	16 years 5 months	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Indicators of Compromise Analysis is Good. A Cyber Security Prevention Strategy is Better

What are indicators of compromise?

The benefits of analysing indicators of compromise

The alternative: A comprehensive cyber security prevention strategy

Elements of a cyber security prevention strategy

Recent Posts

How to build a cybersecurity strategy for startups

ISO 27001 vs SOC 2 – Which is better for your organisation?

Encryption of data in use: A new standard in data protection

What is HIPAA Compliance for Startups?

Benefits of ISO 27001: Why you need a cybersecurity framework

Are you the weakest link? How to prevent software supply chain attacks

Services

Location & Contact Details

Stay Connected