Behavioral Indicators of Compromise
Recognition of anomalous behavior indicating potential security compromise including account lockouts, concurrent sessions, blocked content, impossible travel, resource consumption issues, missing logs, and out-of-cycle logging.
Understanding Behavioral Indicators of Compromise
Behavioral indicators of compromise (IOCs) are anomalies in system, user, or network behavior that suggest a security incident. Unlike signature-based detection that looks for known malicious content, behavioral analysis detects abnormal activity patterns.
Key behavioral indicator categories:
- Account anomalies: lockouts, concurrent sessions
- Access anomalies: blocked content, impossible travel
- Resource anomalies: consumption spikes, performance issues
- Logging anomalies: missing logs, unusual patterns
Behavioral detection catches attacks that evade signature-based tools by identifying suspicious activity patterns.
Why This Matters for the Exam
Behavioral IOCs are heavily tested on SY0-701 as they represent modern detection techniques. Questions describe scenarios with behavioral anomalies and ask you to interpret them.
Understanding behavioral indicators helps with security monitoring, SIEM rule creation, and incident investigation. These indicators often reveal compromises that evade traditional security tools.
The exam tests recognition of specific anomaly types and understanding of what each indicates about potential attacks.
Deep Dive
Account Lockouts
Unexpected or unusual account lockout events.
Lockout Indicators:
| Pattern | Possible Cause |
|---|---|
| Single user, sudden lockout | Brute force attack on that account |
| Multiple lockouts, same time | Password spraying or compromised credentials |
| Lockouts during off-hours | Automated attack or malware |
| Service account lockouts | Misconfiguration or attack |
| Repeated lockouts after unlock | Persistent attack or malware |
Lockout Investigation:
- Check source IP of failed attempts
- Review timing pattern
- Look for related lockouts
- Check for malware on user's workstation
- Verify no password synchronization issues
When Lockouts Are Normal:
- User forgot password
- Password recently changed
- Old sessions with cached credentials
- Mobile devices with outdated passwords
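As an added example (not part of the original guide), the following Python groups constructed failed-logon records by source IP and applies the patterns from the lockout table above to separate single-account brute force, password spraying across many users, and benign failures; the lockout threshold, spraying threshold and business hours are assumed values, not vendor defaults.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample failed-logon records: (timestamp, user, source_ip).
# These are made up for the example, not taken from any real log.
FAILED_LOGONS = [
    ("2024-03-01T02:10:01", "jsmith", "203.0.113.7"),
    ("2024-03-01T02:10:02", "jsmith", "203.0.113.7"),
    ("2024-03-01T02:10:03", "jsmith", "203.0.113.7"),
    ("2024-03-01T02:10:04", "jsmith", "203.0.113.7"),
    ("2024-03-01T02:10:05", "jsmith", "203.0.113.7"),
    ("2024-03-01T03:00:10", "alee", "198.51.100.9"),
    ("2024-03-01T03:00:11", "bkim", "198.51.100.9"),
    ("2024-03-01T03:00:12", "cdoe", "198.51.100.9"),
    ("2024-03-01T03:00:13", "dfox", "198.51.100.9"),
    ("2024-03-01T14:30:00", "mjones", "10.0.0.25"),
    ("2024-03-01T14:30:40", "mjones", "10.0.0.25"),
]

LOCKOUT_THRESHOLD = 5   # assumed policy: failures per user before lockout
SPRAY_MIN_USERS = 3     # assumed: distinct users from one source = spraying
BUSINESS_START, BUSINESS_END = 8, 18  # assumed business hours (local time)

def classify_failures(records):
    """Map each source IP to a label using the lockout-table patterns."""
    per_source = defaultdict(lambda: defaultdict(int))
    first_hour = {}
    for ts, user, ip in records:
        per_source[ip][user] += 1
        first_hour.setdefault(ip, datetime.fromisoformat(ts).hour)
    labels = {}
    for ip, users in per_source.items():
        if len(users) >= SPRAY_MIN_USERS:
            label = "password spraying"          # many users, one source
        elif max(users.values()) >= LOCKOUT_THRESHOLD:
            label = "brute force on single account"
        else:
            label = "benign"                     # e.g. forgotten password
        # Off-hours activity points toward automation rather than a person.
        off_hours = not (BUSINESS_START <= first_hour[ip] < BUSINESS_END)
        if label != "benign" and off_hours:
            label += " (off-hours)"
        labels[ip] = label
    return labels

if __name__ == "__main__":
    for ip, label in classify_failures(FAILED_LOGONS).items():
        print(f"{ip}: {label}")
```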
Concurrent Session Logins
Same account logged in from multiple locations simultaneously.
Concurrent Session Indicators:
| Pattern | Concern Level |
|---|---|
| Same user, different IPs | High - potential compromise |
| Same user, same office | Low - normal multi-device |
| Admin account concurrent | High - investigate immediately |
| Service account concurrent | May be normal - verify design |
Suspicious Concurrent Patterns:
- Different geographic locations
- Different device types simultaneously
- Sessions from known bad IPs
- Activity in both sessions simultaneously
Response:
- Terminate suspicious session
- Force password reset
- Investigate both sessions
- Check for credential theft
Blocked Content
Security controls blocking access to malicious or inappropriate content.
Blocked Content Indicators:
| Block Type | What It Indicates |
|---|---|
| Malware downloads | Infection attempt |
| C2 communication | Active malware trying to call home |
| Phishing sites | User clicked phishing link |
| Data exfiltration | Malware or insider threat |
| Prohibited categories | Policy violation |
Investigation Priority:
- C2 blocks = High priority (active compromise)
- Malware blocks = Medium (attempted infection)
- Phishing blocks = User awareness opportunity
Blocked Content Response:
- Identify user and workstation
- Scan system for infection
- Review browser history
- Provide user training if phishing
- Escalate if C2 communication detected
Impossible Travel
User activity from geographic locations that are physically impossible to travel between in the time elapsed.
Impossible Travel Examples:
- Login from New York at 10:00 AM
- Login from London at 10:15 AM
- (Physically impossible in 15 minutes)
Impossible Travel Indicators:
- Logins from different countries within minutes
- Access from locations never visited
- Pattern inconsistent with user's role
- Multiple impossible travels (systematic)
Considerations:
- VPN usage may cause false positives
- User traveling with location changes
- Proxy or anonymizer usage
- Actual credential compromise
Investigation:
- Contact user to verify activity
- Check for VPN or proxy usage
- Review access patterns
- Compare to known travel schedule
- Force authentication if suspicious
Resource Consumption
Abnormal use of system resources.
Resource Anomalies:
| Resource | Abnormal Pattern | Possible Cause |
|---|---|---|
| CPU | Sustained 100% usage | Cryptomining, malware |
| Memory | Sudden spike | Memory leak, malware |
| Disk I/O | Constant writes | Encryption, exfiltration |
| Network | High outbound traffic | Data exfiltration, DDoS participant |
| Process count | Many new processes | Malware, fork bomb |
Resource Indicator Examples:
- Server CPU at 100% during non-business hours = cryptominer
- Massive outbound data transfer = exfiltration
- Disk activity without user action = encryption or malware
- GPU usage on non-graphics workstation = cryptomining
Response:
- Identify consuming process
- Check process legitimacy
- Isolate if malicious
- Preserve forensic evidence
Logging Anomalies
Suspicious patterns in system and security logs.
Missing Logs:
- Gap in log timestamps
- Audit logs cleared
- Specific events missing
- Log file deletion
Why Logs Are Missing:
- Attacker covered tracks
- Storage failure
- Logging misconfiguration
- Log tampering
Missing Log Indicators:
- Timestamp gaps
- Log file modification times changed
- Audit trail shows log access
- Expected events not recorded
Out-of-Cycle Logging:
- Log entries at unusual times
- Batch processing logs at wrong time
- Automated task logs offset
- Entries from decommissioned systems
Published/Documented Indicators:
- Events matching threat intelligence
- Known malware signatures in logs
- IP addresses from threat feeds
- URLs matching known bad lists
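An added example, not from the original guide, covering the Missing Logs and Out-of-Cycle Logging subsections: a Python check that walks constructed syslog-style lines from one host, reports any silence longer than an assumed 30-minute cadence as a timestamp gap, and reports entries whose timestamp precedes the previous entry as out-of-cycle (backdated or clock-skewed). Whether a gap is tampering, a storage failure or a misconfiguration still has to be decided by the investigation steps above.

```python
from datetime import datetime, timedelta

# Constructed syslog-style lines (not real logs). The host normally logs at
# least every few minutes, goes silent for over two hours, and later emits
# an entry whose timestamp is earlier than everything around it.
SAMPLE_LOG = """\
2024-03-01T08:00:00 host1 sshd: session opened for alee
2024-03-01T08:12:00 host1 cron: backup job finished
2024-03-01T08:25:00 host1 sshd: session closed for alee
2024-03-01T10:40:00 host1 sshd: session opened for jsmith
2024-03-01T10:41:00 host1 auditd: log rotation forced
2024-03-01T07:30:00 host1 cron: backup job finished
2024-03-01T10:55:00 host1 sshd: session closed for jsmith
"""

MAX_SILENCE = timedelta(minutes=30)  # assumed: longer silence is a gap

def parse_log(log_text):
    """Split each line into (datetime, message); timestamp is the first field."""
    events = []
    for line in log_text.splitlines():
        ts, msg = line.split(" ", 1)
        events.append((datetime.fromisoformat(ts), msg))
    return events

def find_log_anomalies(log_text, max_silence=MAX_SILENCE):
    """Return (gaps, out_of_cycle).

    gaps: (start_iso, end_iso, minutes) for each silence longer than max_silence.
    out_of_cycle: (timestamp_iso, message) for entries that go backwards in time.
    """
    events = parse_log(log_text)
    gaps, out_of_cycle = [], []
    last_t, _ = events[0]
    for t, msg in events[1:]:
        if t < last_t:
            out_of_cycle.append((t.isoformat(), msg))
            continue  # keep the cursor on the last in-order entry
        if t - last_t > max_silence:
            minutes = int((t - last_t).total_seconds() // 60)
            gaps.append((last_t.isoformat(), t.isoformat(), minutes))
        last_t = t
    return gaps, out_of_cycle

if __name__ == "__main__":
    gaps, ooc = find_log_anomalies(SAMPLE_LOG)
    print("gaps:", gaps)
    print("out-of-cycle:", ooc)
```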
How CompTIA Tests This
Example Analysis
Scenario: SIEM alerts show user "jsmith" authenticated successfully from Chicago at 2:00 PM and from Moscow at 2:08 PM. Both sessions are currently active with normal activity patterns. The user is a sales representative who typically works from the Chicago office.
Analysis - Impossible Travel Indicator:
Indicators Present:
- Two geographic locations (Chicago, Moscow)
- Time difference: 8 minutes
- Physical travel impossible in that timeframe
- Both sessions active
- Unusual location (Moscow) for this user
Most Likely Scenarios:
1. Credential Compromise (Most Likely):
   - Credentials stolen via phishing or breach
   - Attacker using them from a remote location
   - Legitimate user still active
2. VPN/Proxy False Positive (Check First):
   - User connected to a VPN endpoint in Moscow
   - Exit IP appears as a Moscow location
   - User actually still in Chicago
Investigation Steps:
1. Contact user to verify activity
2. Check if user uses a VPN with a Moscow exit
3. Review Moscow session activity details
4. Check authentication method (MFA bypassed?)
5. Examine device/browser fingerprints
If Confirmed Compromise:
1. Terminate Moscow session immediately
2. Force global password reset
3. Revoke all active sessions
4. Enable MFA if not present
5. Scan user's workstation for malware
6. Review Moscow session actions
7. Check for data access or changes
Key insight: Impossible travel is a strong indicator of credential theft. Always verify with the user before assuming a false positive.
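An added example, not from the original guide: a Python impossible-travel check that computes the great-circle distance between consecutive login locations for each user and flags any pair whose implied speed exceeds an assumed 1000 km/h ceiling (faster than any commercial flight). It covers both the New York/London example from the Impossible Travel section and the Chicago/Moscow scenario above; the city coordinates are approximate and the login records are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Approximate (lat, lon) for the cities used in this guide's examples.
GEO = {
    "Chicago": (41.88, -87.63),
    "Moscow": (55.76, 37.62),
    "New York": (40.71, -74.01),
    "London": (51.51, -0.13),
}
MAX_SPEED_KMH = 1000.0  # assumed ceiling; tune per organisation

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins):
    """logins: (iso_timestamp, user, city) tuples in any order.
    Returns (user, from_city, to_city, minutes, implied_kmh) alerts.
    A VPN or proxy exit can trigger this too, so alerts still need the
    verification steps listed in the scenario."""
    by_user = {}
    for ts, user, city in sorted(logins):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city))
    alerts = []
    for user, events in by_user.items():
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 == c2:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(GEO[c1], GEO[c2])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append((user, c1, c2, round(hours * 60), round(speed)))
    return alerts

# Constructed events mirroring the guide's example and scenario.
SAMPLE_LOGINS = [
    ("2024-03-01T14:00:00", "jsmith", "Chicago"),
    ("2024-03-01T14:08:00", "jsmith", "Moscow"),
    ("2024-03-01T10:00:00", "alee", "New York"),
    ("2024-03-01T10:15:00", "alee", "London"),
    ("2024-03-01T09:00:00", "bkim", "New York"),
    ("2024-03-01T17:30:00", "bkim", "London"),  # 8.5 h: a plausible flight
]

if __name__ == "__main__":
    for user, c1, c2, mins, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {c1} -> {c2} in {mins} min (~{kmh} km/h)")
```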
Memory Trick
"ACBIRL" - Behavioral IOC Categories
- Account lockouts (authentication attacks)
- Concurrent sessions (credential sharing/theft)
- Blocked content (malware/C2/exfil attempts)
- Impossible travel (credential compromise)
- Resource issues (malware activity)
- Logging anomalies (cover-up attempts)
Impossible Travel Logic: "If a human can't fly there that fast..."
- Chicago → Moscow in 8 minutes = IMPOSSIBLE = Credentials likely stolen
Resource Indicators Memory:
- High CPU + GPU = Cryptomining
- High Disk I/O = Crypto-ransomware or exfil
- High Network = Exfiltration or DDoS
Log Anomaly Significance:
- Missing logs = "Covering tracks"
- No logs = No alibi = Suspicious!
Investigation Priority: "C-MIP"
- C2 blocks (urgent - active compromise)
- Missing logs (high - evidence tampering)
- Impossible travel (high - credential theft)
- Policy blocks (low - user training need)
Test Your Knowledge
Q1. A user's account shows successful logins from New York at 9:00 AM and Tokyo at 9:20 AM on the same day. What behavioral indicator is this?
Q2. Security logs show a gap of 2 hours during which no events were recorded, though the system was operational. What does this indicate?
Q3. A workstation shows sustained 100% CPU usage and high GPU activity, but the user reports no heavy applications running. What should be investigated?