Cisco Security Indicators of Compromise Reference Guide


Document Purpose
Document Scope
Indicators of Compromise (IOCs)
    Confidentiality IOCs
    Integrity IOCs
    Availability IOCs
Further Assistance




Document Purpose

This document provides standardized content that enumerates commonly observed indicators of compromise (IOCs) to help customers determine whether their device has been impacted by a disclosed vulnerability by comparing security advisory Impact Metrics to the Impact Metric Categories outlined below.

Document Scope

Confidentiality, Integrity, and Availability align with the impact metrics defined in the Base Metric Group of the Common Vulnerability Scoring System (CVSS). CVSS provides a way to capture the principal characteristics of a vulnerability and to produce a numerical score reflecting its severity. Cisco uses CVSS as part of its standard process of evaluating reported potential vulnerabilities in Cisco products. Cisco provides an evaluation of the CVSS Base vulnerability score in disclosed security advisories as documented in Cisco’s Security Vulnerability Policy.

Indicators of Compromise (IOCs)

Confidentiality IOCs

  • Changes in network traffic telemetry (known bad IPs/domains) – Changes in egress or ingress traffic patterns, in addition to changes to traffic sent or received from known malicious domains, may indicate attempted exfiltration of organizational data.
  • Unknown traffic originating from or terminating on the device (SSH, Telnet, HTTP/HTTPS, etc.) – Unusual traffic directed to or originating from host devices (e.g. telnet to a mail server on port 25) may indicate attempts to compromise the target platform.
  • Anomalous file transfers initiated from or received by the device (TFTP, FTP, SNMP, etc.) – Unusual file transfers sent to or received from hosts not normally associated with this type of activity (e.g. FTP to a SQL server) may indicate the exfiltration of organizational data.
  • Geographic-based anomalies (traffic/login activity, etc.) – Network traffic to or from countries that an organization doesn’t normally conduct business with should be investigated, in addition to attempted or successful login activity from unexpected geographic regions.
  • File system permissions changed – Changes in file system authorizations (e.g. changing a folder’s permissions from Administrator to Everyone) can be an indication of a malicious actor attempting to establish a foothold in the corporate computing environment.
  • Configuration changes – In routes, routing protocols, NAT, ACLs, SNMP, logging, syslog, VPNs, GRE tunneling, etc. may indicate attempts to exfiltrate data out of the corporate environment or to establish a permanent foothold in the corporate network.
  • Device account/password additions/deletions/changes – Can be an indicator of malicious attempts to establish and maintain persistent access to corporate computing assets.
  • Unexplained/unexpected changes initiated from privileged accounts – Unusual activity from privileged accounts, such as time of activity, systems accessed, data accessed or modified, or the amount of data accessed may be indicators of suspicious activity.

Integrity IOCs

  • Generation of core dumps and/or tracebacks – Frequent software crashes during normal device operation could indicate that system software has been replaced or tampered with.
  • Odd device/platform behavior – Behavior that deviates from expected normal operation, and that cannot be explained by software or hardware defects or by misconfiguration, might indicate that the device has been tampered with.
  • Anomalies in operating system or package hash values – Inconsistent hash values that deviate from expected values may indicate that system software has been tampered with or replaced to include malicious functionality.
  • Anomalies in operating system or package certificate signing characteristics – May indicate attempts to bypass code signing checks by installing additional certificates signed by unknown certificate authorities.
  • Unknown binaries installed – Binary files and any associated configuration files that are not components of the operating system may indicate that malware has been implanted on the device.
  • Unknown processes running – Processes running in memory, particularly those with unusual process attributes or with arbitrary process names, may indicate that malware has been implanted on the device.
  • Unexpected OS or ROMMON release versions installed – The presence of unexpected system software or bootstrap software versions could indicate that the images have been tampered with or replaced with malicious versions.
  • File system permissions changed – Changes in file system authorizations (e.g. changing a folder’s permissions from Administrator to Everyone) can be an indication of a malicious actor attempting to establish a foothold in the corporate computing environment.
  • Unexpected changes in boot sequence or boot variables – Alteration of system startup files could indicate an attempt to load software that has been tampered with or altered to include malicious functionality.
  • Configuration changes – In routes, routing protocols, NAT, ACLs, SNMP, logging, syslog, VPNs, GRE tunneling, etc. may indicate attempts to exfiltrate data out of the corporate environment or establish a permanent foothold in the corporate network.
  • Device account/password additions/deletions/changes – Can be an indicator of malicious attempts to establish and maintain persistent access to corporate computing assets.
  • Unexplained/unexpected changes initiated from privileged accounts – Unusual activity from privileged accounts, such as time of activity, systems accessed, data accessed or modified, or the amount of data accessed may be indicators of suspicious activity.

Availability IOCs

  • Frequent core dump and/or traceback generation – Frequent software crashes during normal device operation could indicate that system software has been replaced or tampered with and may affect the overall availability of the platform.
  • High CPU usage – Abnormally high CPU usage caused by a malicious actor may adversely affect normal device operation by causing CPU resource exhaustion.
  • Frequent rebooting – Altered device software or platform resource exhaustion may cause the device to reload frequently and thereby create a denial of service condition that prohibits normal device operation.
  • Saturated interface input/output buffers – High traffic volumes initiated by a malicious actor can negatively impact normal platform operation and may delay or prohibit authorized traffic from transiting the device.
  • Abnormally high malformed packet counts – High numbers of malformed packets destined to a device may indicate reconnaissance activity or an attempt to disrupt the normal operation of the platform.
  • Configuration changes – In routes, routing protocols, NAT, ACLs, SNMP, logging, syslog, VPNs, GRE tunneling, etc. may indicate attempts to exfiltrate data out of the corporate environment or to establish a permanent foothold in the corporate network and could affect device availability.
  • Unexplained/unexpected changes initiated from privileged accounts – Unusual activity from privileged accounts, such as time of activity, systems accessed, data accessed or modified, or the amount of data accessed, may be indicators of suspicious activity and could affect device availability.

Further Assistance

If you require technical assistance, or have questions regarding the possibility that a Cisco device may have been impacted by a specific vulnerability or security advisory, contact the Cisco Technical Assistance Center (TAC).

 


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.


Back to Top