As a cybersecurity analyst, you should be knowledgeable in indicators of compromise. Unlike indicators of attack, indicators of compromise are traces of attacks that have already occurred; they help you answer what has happened. Key examples of indicators of compromise are unusual outbound network traffic, suspicious privileged user account activity, large file requests and transfers, registry and system file changes, and suspicious DNS requests.
Cybersecurity analysts need to know which active defense systems are already deployed, including honeypots, and continuously check logs to see what has happened. Focus points should be critical assets, isolated networks, and configuration. Numerous systems can be configured to alert you when users log in at suspicious times of day or when a user suddenly requests access to more data than usual. These anomalies are quickly detected and can serve as a flag to initiate an investigation.
There are many indicators of compromise, but they can be broken down into network-based, host-based, file-based, and behavior-based. One should use log aggregation tools and create alert scripts to monitor for anomalies from a single point. Tools like crowd source, Proofpoint, and Sumo Logic are platforms available for detecting indicators of compromise; they allow you to respond quickly and enforce security configurations.
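The two behavior-based indicators described above (logins at suspicious times of day, and a user suddenly moving far more data than usual) are simple enough to script as alert rules over aggregated logs. The following is an added example, not code from the original article or from any of the vendors named; it assumes a hypothetical log format of "timestamp user event bytes", a constructed sample log, and an assumed business-hours policy of 07:00 to 19:59.

```python
"""Added example: flag off-hours logins and per-user download-volume anomalies
from aggregated log lines. Log format and policy values are assumptions."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample log lines (not real data): "<ISO timestamp> <user> <event> <bytes>"
SAMPLE_LOGS = """\
2024-03-01T09:12:00 alice login 0
2024-03-01T09:15:00 alice download 120000
2024-03-01T10:02:00 alice download 95000
2024-03-01T14:40:00 alice download 110000
2024-03-02T09:05:00 alice login 0
2024-03-02T11:30:00 alice download 130000
2024-03-03T03:17:00 alice login 0
2024-03-03T03:25:00 alice download 8900000
2024-03-01T08:50:00 bob login 0
2024-03-01T09:10:00 bob download 40000
2024-03-02T09:00:00 bob login 0
2024-03-02T09:30:00 bob download 45000
"""

# Assumed policy (hypothetical): logins outside 07:00-19:59 are suspicious.
BUSINESS_HOURS = range(7, 20)


def parse_logs(text):
    """Parse the assumed line format into (timestamp, user, event, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, size = line.split()
        events.append((datetime.fromisoformat(ts), user, event, int(size)))
    return events


def off_hours_logins(events):
    """Return (user, iso_timestamp) for every login outside BUSINESS_HOURS."""
    return [(user, ts.isoformat())
            for ts, user, event, _ in events
            if event == "login" and ts.hour not in BUSINESS_HOURS]


def volume_anomalies(events, factor=5.0, min_history=3):
    """Flag downloads larger than factor * the user's own median download size.

    Users with fewer than min_history downloads have no usable baseline and
    are skipped rather than compared against an unreliable median.
    """
    per_user = defaultdict(list)
    for ts, user, event, size in events:
        if event == "download":
            per_user[user].append((ts, size))
    flagged = []
    for user, items in per_user.items():
        if len(items) < min_history:
            continue
        baseline = statistics.median(size for _, size in items)
        for ts, size in items:
            if size > factor * baseline:
                flagged.append((user, ts.isoformat(), size))
    return flagged


def alert_report(text):
    """Single-point view: run both rules over one log source and return the alerts."""
    events = parse_logs(text)
    return {
        "off_hours_logins": off_hours_logins(events),
        "volume_anomalies": volume_anomalies(events),
    }


if __name__ == "__main__":
    for rule, hits in alert_report(SAMPLE_LOGS).items():
        print(rule)
        for hit in hits:
            print("  ALERT", hit)
```

In the constructed sample, alice's 03:17 login and the 8.9 MB download that follows it are flagged, while bob is never flagged because he has too little download history for a baseline. Comparing each user against their own median rather than a global threshold is what keeps a naturally heavy user from drowning the alert channel, and the baseline itself should come from a quiet period so that an attacker's earlier activity does not get folded into "normal".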