What are common email indicators of compromise (IOCs)?
Sender address and display name, subject line, malicious attachments and links, and the X-Forwarded-For and X-Originating-IP headers.
Why monitor X-Forwarded-For headers in emails?
When a message is submitted through a proxy or webmail front end, this header records the chain of client and proxy addresses it passed through, offering insight into the attacker's infrastructure. It is written by whoever controls that proxy and is trivial to forge, so corroborate it against the Received chain added by your own mail server.
Why monitor X-Originating-IP headers in emails?
Webmail services add it to record the IP address of the client that composed the message, which helps trace the sender. It is not part of the Received chain, so a sender can omit or forge it.
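Added example (not from the original card set): a small triage script that pulls the IP-bearing headers out of a raw message and tags each address with how far it can be trusted. The message, host names and addresses are constructed placeholders (RFC 5737 documentation ranges); the internal-network list is an assumption about what cannot be pivoted on.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: a webmail submission relayed through two hops. All names and
# addresses are placeholders (RFC 5737 documentation ranges), not real infrastructure.
RAW_MESSAGE = b"""\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from webmail.example.net (webmail.example.net [198.51.100.9])
\tby mx2.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:03 +0000
X-Originating-IP: [203.0.113.45]
X-Forwarded-For: 203.0.113.45, 10.0.0.2
From: "Accounts Payable" <ap@example.net>
To: victim@example.org
Subject: Overdue invoice 4471
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice.
"""

IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Assumed set of networks that are the sender's or a provider's internal side and
# cannot be pivoted on. Listed explicitly because the documentation ranges used in
# the sample are themselves reserved and would fail ipaddress's is_global check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def _ips(text):
    """Return the syntactically valid IPv4 addresses in a header value, in order."""
    found = []
    for candidate in IP_RE.findall(str(text)):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:   # e.g. 999.1.2.3 matches the regex but is not an address
            pass
    return found


def extract_ip_indicators(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Every relay prepends its own Received header, so index 0 was written by your
    # own MTA and is the only hop the sender could not have forged.
    chain = [ips[0] for hdr in msg.get_all("Received", []) if (ips := _ips(hdr))]
    return {
        "received_chain": chain,
        "x_originating_ip": _ips(msg.get("X-Originating-IP", "")),
        "x_forwarded_for": _ips(msg.get("X-Forwarded-For", "")),
    }


def pivot_candidates(indicators):
    """Tag each address with its source and trust level, dropping internal addresses."""
    tagged = []
    for pos, ip in enumerate(indicators["received_chain"]):
        tagged.append((ip, "received", "verified" if pos == 0 else "upstream-claimed"))
    for ip in indicators["x_originating_ip"]:
        tagged.append((ip, "x-originating-ip", "sender-claimed"))
    for ip in indicators["x_forwarded_for"]:
        tagged.append((ip, "x-forwarded-for", "sender-claimed"))
    return [t for t in tagged
            if not any(ipaddress.ip_address(t[0]) in net for net in INTERNAL_NETS)]


if __name__ == "__main__":
    for ip, source, trust in pivot_candidates(extract_ip_indicators(RAW_MESSAGE)):
        print(f"{ip:16} {source:18} {trust}")
```

Only the first Received hop is labelled verified: everything below it, including both X- headers, was supplied by systems the sender may control, so those addresses are leads to enrich, not facts.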
What are common network indicators of compromise (IOCs)?
URLs, domain names, IP addresses, user-agent strings.
Why are URLs useful as network IOCs?
They often contain paths or parameters unique to a threat actor's command-and-control or malware-delivery servers, so a full URL is a more specific indicator than its domain alone.
Why monitor domain names in network traffic?
Attacker-controlled domains host payloads, receive command-and-control traffic and serve as data-exfiltration endpoints, and they outlive the individual IP addresses behind them.
Why are IP addresses considered short-lived IOCs?
Threat actors rotate servers frequently and often sit behind shared cloud or CDN addresses that legitimate services also use, so an IP indicator goes stale quickly and produces false positives once the address is re-used.
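Added example (not from the original card set): matching proxy-log entries against the four network indicator types above, with the normalisation each one needs and an expiry on IP indicators to reflect how short-lived they are. The indicator set, log lines, domain names and addresses are all constructed.

```python
import ipaddress
from datetime import date
from urllib.parse import urlsplit

# Constructed indicator set (placeholder names and RFC 5737 addresses, not real intel).
# IP indicators carry an expiry date because attacker servers are rotated and cloud
# addresses get re-used; a stale IP match is more likely a false positive than a hit.
IOCS = {
    "urls": ["http://cdn-updates.example.com/api/v2/beacon.php"],
    "domains": ["cdn-updates.example.com", "badcorp.example"],
    "ip_networks": {"203.0.113.0/24": "2024-03-01",
                    "198.51.100.0/24": "2023-06-01"},
    "user_agents": ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"],
}

# Constructed proxy log entries: (client, method, url, user_agent, destination_ip).
LOG = [
    ("10.1.1.5", "GET", "https://cdn-updates.example.com/api/v2/beacon.php?id=42",
     "Mozilla/5.0", "198.51.100.20"),
    ("10.1.1.6", "GET", "http://login.badcorp.example/", "Mozilla/5.0", "203.0.113.77"),
    ("10.1.1.7", "GET", "https://www.example.org/",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "192.0.2.10"),
    ("10.1.1.8", "GET", "https://example.org/", "Mozilla/5.0", "192.0.2.11"),
]


def _url_key(url):
    """Normalise to (host, path): ignore scheme, port and query so a URL indicator still
    matches when the attacker flips to HTTPS or appends a tracking parameter."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def _domain_hit(host, domains):
    # Match the domain itself and any subdomain, but not look-alikes such as
    # notbadcorp.example, which a bare endswith("badcorp.example") would accept.
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


def match_entry(entry, iocs=IOCS, as_of=date(2024, 1, 15)):
    """Return the list of indicator types an entry hits, most specific first."""
    _client, _method, url, user_agent, dest_ip = entry
    hits = []
    host, path = _url_key(url)
    if (host, path) in {_url_key(u) for u in iocs["urls"]}:
        hits.append(f"url:{host}{path}")
    if (d := _domain_hit(host, iocs["domains"])):
        hits.append(f"domain:{d}")
    addr = ipaddress.ip_address(dest_ip)
    for net, expires in iocs["ip_networks"].items():
        if date.fromisoformat(expires) < as_of:
            continue                      # expired: server probably rotated or re-used
        if addr in ipaddress.ip_network(net):
            hits.append(f"ip:{net}")
    if user_agent in iocs["user_agents"]:
        hits.append("user-agent")
    return hits


def scan(log, iocs=IOCS, as_of=date(2024, 1, 15)):
    """Map client -> hits for every log entry that matched at least one indicator."""
    findings = {}
    for entry in log:
        hits = match_entry(entry, iocs, as_of)
        if hits:
            findings[entry[0]] = hits
    return findings


if __name__ == "__main__":
    for client, hits in scan(LOG).items():
        print(client, hits)
```

Note that the first log line still matches on URL and domain after its IP indicator has expired, which is the practical reason to key detections on the longer-lived indicator types.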
What are common host-based indicators of compromise (IOCs)?
Filenames, file hashes, registry keys, DLLs, mutexes.
Why are registry keys important host-based IOCs?
Malware writes registry values (for example under the Run and RunOnce keys) so that it is relaunched at boot or logon; those modifications are durable evidence of persistence and survive a reboot.
How are DLLs used by threat actors?
Through DLL search-order hijacking or sideloading: the attacker plants a malicious DLL where a legitimate, often auto-starting program will load it, so the malware executes under a trusted process name. The DLL's name, path and hash are therefore useful indicators.
What is a mutex and why is it used in malware?
A named synchronization object; malware creates one on infection and exits if it already exists, ensuring only one instance runs on a host. Because the name is hard-coded, it is a reliable fingerprint for that malware family.
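Added example (not from the original card set): a sweep over Sysmon-style events for the host-based indicators on these cards (look-alike filenames, file hashes, Run-key persistence, DLLs loaded from outside the system directories) plus a mutex check against names reported by a sandbox. The events, paths, mutex name and the byte string standing in for the malware sample are all constructed; the Sysmon field names (Image, Hashes, TargetObject, ImageLoaded) are real, the event contents are not.

```python
import hashlib

# Constructed stand-in for a malware sample; its hash plays the role of a threat-intel file hash.
SAMPLE_BYTES = b"MZ\x90\x00constructed-sample-not-real-malware"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_BYTES).hexdigest()

# Constructed indicator set.
IOCS = {
    "sha256": {SAMPLE_SHA256},
    "filenames": {"svchost32.exe"},        # look-alike of the legitimate svchost.exe
    "dlls": {"version.dll"},               # system DLL name commonly side-loaded
    "mutexes": {"Global\\Fr0styUpd4te"},   # hypothetical hard-coded mutex name
}
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon-style events: 1 = process create, 13 = registry value set, 7 = image load.
EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost32.exe",
     "Hashes": f"SHA256={SAMPLE_SHA256},IMPHASH=00000000000000000000000000000000"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\svchost32.exe"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "Hashes": f"SHA256={hashlib.sha256(b'constructed benign file').hexdigest()}"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _sha256_from_hashes(field):
    """Sysmon writes 'SHA256=...,IMPHASH=...'; return the SHA256 value, lower-cased."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def hunt(events, iocs=IOCS):
    """Return (event index, finding) pairs for every host indicator observed."""
    hits = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            name = _basename(ev["Image"])
            if name in iocs["filenames"]:
                hits.append((i, f"filename:{name}"))
            if _sha256_from_hashes(ev["Hashes"]) in iocs["sha256"]:
                hits.append((i, "hash:sha256"))
        elif ev["EventID"] == 13:
            # Any write under a Run key is persistence worth reviewing, IOC list or not.
            if any(k in ev["TargetObject"].lower() for k in RUN_KEYS):
                hits.append((i, "persistence:run-key"))
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"].lower()
            # A known-sideloaded DLL name is only suspicious outside the system directories.
            if _basename(loaded) in iocs["dlls"] and not loaded.startswith(SYSTEM_DIRS):
                hits.append((i, f"dll-sideload:{_basename(loaded)}"))
    return hits


def mutex_hits(observed_mutexes, iocs=IOCS):
    """Mutex names come from a sandbox report or handle dump, not from Sysmon."""
    return sorted(set(observed_mutexes) & iocs["mutexes"])


if __name__ == "__main__":
    for idx, finding in hunt(EVENTS):
        print(idx, finding)
    print(mutex_hits(["Global\\Fr0styUpd4te", "Local\\ZonesCounterMutex"]))
```

The fourth event shows the caveat behind the DLL rule: the same file name loaded from System32 is the legitimate library, so path context, not the name alone, decides whether a DLL indicator fires.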