Top 10 Indicators of Compromise That Companies Need To Look Out For
Data Loss Prevention

Top 10 Indicators of Compromise That Companies Need To Look Out For

Information security professionals use the term “indicators of compromise” to describe any observable activity that may suggest a computer system has been compromised. Indicators of compromise can be used to help quickly determine when an attack has occurred and identify the perpetrators. These indicators can also be used to help determine the extent and severity of an attack and aid in an incident’s forensic analysis. 

There are many different types of indicators of compromise, most of which can be categorized as email-based, host-based, or network-based. 

Email-Based Indicators 

Email-based indicators of compromise are red flags that go off in your email inbox that may suggest that your computer has been infected with malware. These indicators can be anything from an unexpected increase in the amount of spam you’re receiving to emails with strange file attachments. If you see any of these signs, it’s important to take action immediately to protect your computer from further infection. 

Host-Based Indicators 

Security professionals can use host-based indicators of compromise to determine whether a system has been compromised and, if so, the scope of the compromise. Host-based indicators can include file signatures, registry keys, process IDs, network connections, and other system data. Security analysts use various methods to collect indicators of compromise from hosts, including manual analysis and automated scanning.

Network-Based Indicators

Network-based indicators of compromise are any data or activity on a network that could indicate that the network has been compromised. They can include things like abnormal traffic patterns, sudden changes in user behavior, or malware infections. Network-based indicators of compromise are important because they can provide evidence of an attack even if there is no malware on the victim’s computer. This makes them useful for detecting attacks that use sophisticated techniques like spear phishing or watering hole attacks.

Why Your Organization Should Monitor for Indicators of Compromise

One of the most important things a company can do to protect itself from cybercrime is monitor for compromise indicators. By staying on the lookout for these indicators, companies can detect breaches early and minimize the damage. 

The cost of a data breach can be high. For example, in the United States, the average cost of a data breach is over $9 million. This includes the cost of investigating the breach, notifying customers, and repairing damage to the company’s reputation. 

What Can We Learn from Monitoring Indicators of Compromise?

Careful monitoring for indicators of compromise is essential for protecting an organization’s networks and data. There are many different types of indicators of compromise that can be monitored, including system files, network traffic, user behavior, and malware. Each of these indicators can provide valuable information about the health of an organization’s cybersecurity posture.

By tracking indicators of compromise, organizations can quickly identify when something is amiss and take steps to mitigate the threat. In addition, by detecting and responding to threats early, organizations can minimize the damage that a data breach could cause.

How to Recognize 10 Common Indicators of Compromise 

There are many indicators of compromise to look out for, but they all have the same goal: to warn you that your system has been compromised. The sooner you can identify a compromise, the less damage the attacker will be able to do. 

Here are just a few examples of what to look for:

Anomalous Outbound Traffic on the Network

One common indicator of a compromised system is outbound traffic that is not typically seen on the system. This could include traffic to unfamiliar or suspicious IP addresses,  traffic to known malicious websites or even sudden spikes and dips in network traffic.

Unusual User Account Activity

Unusual user account activity can include unexpected logins,  failed login attempts, or changes to user permissions.

Access Attempts from Outside Geographical Area

Repeated login attempts from an unfamiliar city or country can be a warning sign that a breach is being attempted. 

Migration and Aggregation of Files

Unexplained migration and aggregation of files is a warning sign. Once a compromise has occurred, hackers will often begin collecting the data they wish to download and moving it to a quiet corner of your network so they can make just one large transfer. 

Influx of spam emails

Another sign that an attack may be underway is when users receive strange or unexpected emails with attachments or links.

Unusual Application Activity

One of the most common warning signs is strange or unexpected application behavior. This could include programs that start automatically, install new software without your permission, or exhibit unusual activity.

DDoS Attack

A DDoS attack occurs when an attacker floods your system with traffic, overwhelming your bandwidth and preventing legitimate traffic from getting through. You can usually tell if you’re under a DDoS attack because your website will be slow or inaccessible, and you’ll see an increase in error messages and failed requests.

Unusual Traffic Between Ports

 Another common sign of a hack is strange or unexpected traffic between ports on your computer. For example, if you normally use port 80 for web traffic but suddenly see activity on port 443, this could be a sign that someone is trying to access your system using HTTPS instead of HTTP.

Unauthorized Changes to the Registry or System Files

You should also be looking for changes to your system files or registry. For example, if a hacker gains access to your computer, they may edit the registry to change your default homepage or add new entries that allow them backdoor access. Similarly, if they manage to delete or alter important system files, this can be another sign that something is wrong.

Unexpected Requests for Increased Access Privileges

Further investigation is recommended if you note an unexplained increase in user access privilege requests. These requests may be coming from unauthorized users attempting to infiltrate your networks. 

What can Help you Monitor for Indicators of Compromise (IoCs)?

You have a number of options when it comes to monitoring for indicators of compromise (IoCs). Training employees and investing in comprehensive monitoring tools is a great place to start. 

Raising Employee Awareness

Training employees on indicators of compromise is critical in defending your organization against cyberattacks.Don’t forget: your end users (employees) are your first line of defense against cyberattacks. They are often the ones who first notice something is wrong with the network or an email they received. Therefore, it is important to train employees to recognize indicators of compromise so they can report them quickly. 


A variety of tools can be used to help monitor for indicators of compromise. One such tool is UEBA, or User and Entity Behavior Analytics. Teramind’s UEBA software uses artificial intelligence and machine learning algorithms to detect malicious or unauthorized activity. In addition, it can identify anomalous behavior, such as an employee accessing files they normally wouldn’t or logging in from an unusual location. 

Many organizations use UEBA endpoint monitoring tools to detect indicators of compromise on their systems. These tools collect data from devices on the network to establish a behavioral baseline then monitor and analyze user activity for signs of unusual or abnormal activity. Teramind’s DLP toolset provides a comprehensive solution that monitors user activity, tracks file transfers, and notifies you when indicators of compromise such as careless security practices are detected. 

Indicators of Compromise vs. Indicators of Attack: What’s the Difference?

There are many indicators of compromise and indicators of attack. However, the difference between these two types of indicators can be blurry. 

An Indicator of Compromise is an unexpected activity that may indicate that a system has been compromised. For example, a change in normal user behavior or an unexpected increase in traffic might be signs of a compromise.

An Indicator of Attack, on the other hand, is something that indicates that an attack is underway. For example, malware signature detection or abnormal activity on the network could be signs of an attack.

It can be difficult to determine whether a particular event indicates a compromise or an active attack. Sometimes, it’s unclear which category an event falls into until further analysis has been performed. That’s why businesses need to monitor for both. 

The Best Tool to Monitor Indicators of Compromise

When it comes to preventing data breaches, early detection is key. Organizations need to be able to monitor their systems for indicators of compromise so they can react before sensitive data is compromised. There are a number of different tools that can help organizations do this, but not all of them are created equal.

Teramind offers a comprehensive solution that monitors for multiple indicators of compromise. So whether you need to monitor for anomalous user behavior or scan for potential insider threats, their endpoint monitoring tools give you the best protection available.


An organization’s IT infrastructure is constantly under attack from various sources. While some attacks are easily recognized, others can be more subtle and go undetected for long periods of time. Therefore, in order to maintain the security of an organization’s systems and data, it is important to be aware of the various indicators of compromise that could indicate a breach has occurred.

Investing in best-in-class tools like Teramind’s DLP and UEBA solutions empowers you to rapidly detect, diagnose, and repair breaches before data is lost or stolen.

Detect vulnerabilities to your data through endpoint monitoring

Start a free trial and harden your defensive posture