Cybersecurity: Indicators of Compromise

The U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) recently issued an advisory to financial institutions on cyber-events and cyber-enabled crime,1 along with frequently asked questions.2

FinCEN’s advisory encourages the preparation of suspicious activity reports (SARs) that evidence significant electronic activity and behavior, which prompts a timely review of challenges associated with three data points: Internet Protocol (IP) addresses (which serve as unique internet connection identifiers for online computers or servers), other online identifiers and Indicators of Compromise (IOCs).

IP Addresses

Various websites are publicly available for internet users to look up their own IP address—whether it is dynamic (changeable) or static (fixed)—and IP addresses of other internet users.3

Demand for IP addresses has skyrocketed, given surges in growth for social media and Internet of Things connectivity for handheld and other devices. This demand is being met by IP addresses that are longer and more complex, requiring greater attention to accuracy when they are reported in SARs. The more familiar IPv4 32-bit numeric IP address scheme is being replaced by a longer IPv6 128-bit alphanumeric IP address scheme.4

The IPv4 address scheme supports 4,294,967,296 unique addresses and it uses the format nnn.nnn.nnn.nnn (n = number) with periods between segments. In contrast, the emerging IPv6 address scheme supports 340,282,366,920,938,463,463,374,607,431,768,211,456 unique addresses and it uses the format cccc:cccc:cccc:cccc:cccc:cccc:cccc:cccc (c = character) with colons between segments, some of which are alphanumeric. Reportedly, up to 99 IP addresses in either format may be entered into FinCEN SAR form item 44.5

The accuracy of IP address geolocation tracking is relevant to a recent federal lawsuit. Plaintiffs allege that about 600 million IP addresses are mistakenly associated with their rural Kansas farm that is near the geographical center of the U.S. This mistake has led to plaintiffs alleging that they have been unfairly investigated for runaway children, attempted suicides, child pornography, and computer fraud and email spam.6 A federal judge recently denied the defendant’s motion to dismiss.7

This Kansas farm case was cited by the Electronic Frontier Foundation (EFF), when challenging reliance on IP addresses to identify the location of crimes and the identity of individuals involved. EFF recommendations to law enforcement and the courts encourage proper evaluation of IP address data and early corroboration.8

Fraudulent IP addresses have been central to the Methbot botnet that is associated with losses exceeding $180 million. Methbot uses U.S.- and Netherlands-hosted servers to power more than 850,000 bots with falsely registered IP addresses, which allowed cybercriminals to carry out the largest ad fraud scheme ever discovered. This scam reportedly yielded $3 to $5 million per day in fraudulent ad revenue by fraudulently obtaining IP addresses from overseas internet registries, and then registering them falsely to U.S. internet service providers. The IP addresses evaded fraud detection by appearing to originate from real users in the U.S.9

IP addresses are generally associated with a specific computer or server, but they may or may not be associated with an individual user, which could lead to data privacy concerns. Federal Trade Commission (FTC) officials regard the IP address as personally identifiable information that should be protected appropriately when it, or other persistent identifiers, may be linked to a particular individual, computer or device.10

FTC officials have cautioned website operators that collect persistent identifiers against making general statements that personal information is not being collected or that collected data is anonymous. Data protection measures and risk assessments should be appropriate to all collected data, not just data like the individual’s name or email address.11

The Court of Justice for the European Union (EU)12 recently ruled that a dynamic IP address may be classified as personal data when combined with identifiable data about the individual user.13 This is consistent with the EU General Data Protection Regulation (GDPR), which will apply to EU countries on May 25, 2018.

GDPR Recital 30 states that natural persons may be associated with online identifiers, such as IP addresses. Such online identifiers may leave traces which, when combined with unique identifiers and other information received by servers, may be used to create profiles of natural persons and identify them.14

Website operators and app providers that collect EU personal data—on local or cloud servers15—should check on how IP address collection might be affected by GDPR requirements. This could include stricter consent, retention and cross-border data transfer obligations, although exceptions may apply.16

Countries like Argentina,17 Canada,18 Hong Kong,19 Japan20 and Switzerland21 classify IP addresses as personal data when combined with identifiable data.

Brazil takes a notable approach with IP addresses. To facilitate the identification of users who have been engaged in criminal acts or personal data infringement, Brazil requires retention of user IP addresses in connection logs (which track the user’s internet connection) and application access logs (which track the user’s internet application use). Connection logs must be retained in a secure environment for one year and application access logs for six months. Police or administrative authorities may require longer log retention periods. Users must be informed about data protection and log retention practices.22

Since October 2012, the Federal Bureau of Investigation, the Department of Homeland Security and other federal government agencies have disclosed IP addresses associated with cyber threats through unclassified Joint Indicator Bulletins (JIBs). JIBs have referenced IP addresses and domain names associated with malicious cyber activity to mitigate cyber threats from botnets and Distributed Denial of Service (DDoS) attacks, and have been distributed to U.S. financial institutions and overseas partners through secure channels.23

Cybercriminals and terrorists may conceal their IP address locations or identities with The Onion Router (Tor), Virtual Private Network (VPN) or proxy tools that enable anonymous web surfing,24 especially with news of criminals getting caught after not using such anonymous web surfing tools.25 With TORWallet, IP addresses are deleted every 30 seconds to anonymize Bitcoin wallet activity.26

New provisions of Rule 41 of the Federal Rules of Criminal Procedure went into effect on December 1, 2016. The Electronic Frontier Foundation asserts in part that Rule 41’s new provisions will make it easier for law enforcement to obtain search warrants if a computer uses anonymity-protective software like Tor, a VPN or proxy tools, and urges additional safeguards.27

Online gambling websites, like 10Bet, may address anonymous web surfing directly in their terms and conditions and diverse policies related to privacy, cookies, fraud, anti-money laundering, and as needed notification to law enforcement and regulatory authorities,28 in part because website users may use such tools to bypass identity verification and geo restrictions.29

Financial crimes investigators may benefit from ExoneraTor, a Tor Project database that allows the public to check whether an IP address was a Tor network relay on a particular day.30

Detecting IP addresses that use VPN or proxy tools is not as easy, although media firms, like Netflix and Hulu, have been blocking users who use VPN or proxy tools to bypass geo restrictions.31 Moreover, Fortune reported how demand for VPNs has surged recently, given the U.S. Congress’ vote to repeal limits on how internet service providers can collect and sell customer data.32

FinCEN’s advisory provides examples of mandatory and voluntary SAR reporting, and encourages the filing of a single SAR to cover interrelated cyber-enabled crimes and cyber-events, like a DDoS cyber-event designed to conceal a cyber-enabled crime that meets the mandatory filing threshold. Basic details on spoofing attacks,33 for example, should illustrate how criminals launch complex DDoS cyber-events that impersonate users or devices by manipulating IP addresses and other online identifiers, and how financial crimes investigators might describe succinctly such complex cyber-events in SARs.

Other Online Identifiers

Like IP addresses, online identifiers provided by devices, applications, tools and protocols could be treated as personal data when combined with identifiable data. According to GDPR Recital 30, such online identifiers may include cookie identifiers and radio-frequency identification tags.34

Online identifiers could also include geolocation data, device identifiers like media access control (MAC) addresses, operating system and browser attributes, application data, website activity, and app usage data. Electronic signature authentication forms require detailed attention to device and other online identifiers, as demonstrated by DocuSign’s privacy policy.35

As financial services evolve toward greater online and mobile device accessibility, cybercriminals attempt to evade fraud detection by manipulating online identifiers.36

Money transfer firms, like PayPal, address device and other online identifiers directly in their EU website’s terms and conditions. Diverse policies related to privacy, cookies, fraud, anti-money laundering and as needed notification to law enforcement and regulatory authorities are addressed.37

Indicators of Compromise

For at least 10 years, IOCs have been used by computer security firms, like IBM, to refer to cyberattack forensic digital evidence. Such forensic digital evidence may report anomalies, such as IP addresses, domains, files and digital clues that appear to connect the cyber-attacked network with the alleged cyber-attacker,38 with endpoint management tools that may detect security incidents and remediate the environment.39

IOCs may capture unexpected network access details, based on IP addresses associated with certain geolocations.40 Cybersecurity firms, like Kaspersky Lab, may publicize IOCs, so that organizations might identify traces of financial cyberattack groups, like Metel, GCMAN and Carbanak 2.0, in their networks.41

In contrast, over the last few years, the term Indicators of Attack (IoAs) has been used by computer security firms, like IBM,42 Intel43 and CrowdStrike, to refer to forensic digital evidence that a cyberattack is occurring or will likely occur in the future, in conjunction with endpoint protection tools that may detect security incidents and remediate the environment.

To Crowdstrike, IOCs reference malware, signatures, exploits, vulnerabilities and IP addresses. IoAs reference code execution, persistence, stealth, command control and lateral movement.44

Crowdstrike’s presentation on IoAs echoes the Cyber Kill Chain® framework,45 which Lockheed Martin, the largest U.S. defense contractor, developed to identify and prevent cyber intrusion activity through seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and lateral movement.46

The importance of IOCs to the computer security industry is emphasized in a recent assessment about the drawbacks of portraying IoAs as better reporting tools for cyberattack detection and remediation.47 Commercial and not-for-profit organizations may reference IoAs more, as they weigh the Cyber Kill Chain® framework48 to deter cyberattacks, including those attributable to nation states.49

In conclusion, this timely review of challenges associated with IP addresses, other online identifiers and IOCs should enhance SAR preparation by raising relevant operational issues, such as IPv6 readiness, the proper evaluation and corroboration of IP address data, and the treatment of IP addresses and online identifiers as personal data.

Updates to website privacy notices and terms and conditions may also be timely, along with operationalizing stricter international data protection requirements like the EU’s GDPR.

Education may be directed at topics like how cybercriminals attempt to evade fraud detection by manipulating IP addresses and other online identifiers, along with how Tor, VPN and proxy tools have been used to bypass identity verification and geo restrictions. In addition to IOC data, consideration of IoA data may also enhance SAR preparation pursuant to FinCEN’s advisory.

Miguel Alcántar, CAMS-FCI, compliance advisor, Oakland, CA, USA,

For information on how you can identify where your organization is most vulnerable to a cyber-attack, please visit:

  1. “FIN-2016-A005 Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime,” United States Department of the Treasury - Financial Crimes Enforcement Network, October 25, 2016,
  2. “Frequently Asked Questions (FAQs),” United States Department of the Treasury - Financial Crimes Enforcement Network, October 25, 2016,
  4. John D. Schanz, “How IPv6 lays the foundation for a smarter network,” Network World, June 27, 2016,
  5. “FinCEN Suspicious Activity Report (FinCEN SAR) Electronic Filing Instructions,” Version 1.2, Financial Crimes Enforcement Network, October 2012,
  6. Complaint, James and Theresa Arnold vs. MaxMind, Inc., United States District Court for the District of Kansas, August 5, 2016,
  7. Memorandum and Order, James and Theresa Arnold vs. MaxMind, Inc., No. 16-1309-JTM, United States District Court for the District of Kansas, October 20, 2016,
  8. Aaron Mackey, Seth Schoen, Cindy Cohn, “Unreliable Informants: IP Addresses, Digital Tips and Police Raids,” Electronic Frontier Foundation, September 2016,
  9. “The Methbot Operation,” White Ops, December 20, 2016,
  10. “Protecting Consumer Privacy in the Digital Age: Reaffirming the Role of Consumer Control, Keynote Address of FTC Chairwoman Edith Ramirez Technology Policy Institute Aspen Forum,” Federal Trade Commission, August 22, 2016,
  11. Jessica Rich, “Keeping Up with the Online Advertising Industry,” Federal Trade Commission, April 21, 2016,
  12. Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom
  13. “Case C
    Patrick Breyer v Bundesrepublik Deutschland,” Judgment of the Court (Second Chamber), October 19, 2016,;jsession...qMbN4PahaLe0?doclang=EN&text=&pageIndex=0&docid=184668&cid=90876
  14. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016,” Official Journal of the European Union, April 5, 2016,
  15. “Managing the Challenges of the Cloud Under the New EU General Data Protection Regulation,” Netskope, 2016,
  16. Alex van der Wolk, Hanno Timner, “European Court of Justice: IP Addresses Are Personal Information,” Westlaw Journal Computer & Internet, November 4, 2016,
  17. Maximiliano D’Auro, Florencia Rosati, Manuela Adrogué and Ambrosio Nougués, “Data protection in Argentina: Overview,” Practical Law, September 1, 2016,
  18. “What an IP Address Can Reveal About You,” Office of the Privacy Commission of Canada, May 2013,
  19. “Data Protection Principles in the Personal Data (Privacy) Ordinance – from the Privacy Commissioner’s perspective (2nd Edition),” Office of the Privacy Commissioner for Personal Data, Hong Kong, 2010,
  20. Mangyo Kinoshita, Shino Asayama, Eric Kosinski, “Data protection in Japan: overview,” Practical Law, November 1, 2014,
  21. Tom Espiner, “Swiss fileshare software broke DP law, says court,” ZDNet, September 10, 2010,
  22. Raphael de Cunto, Julia Arruda, “A civil rights framework for the internet in Brazil,” Financier Worldwide, July 2014,
  23. “Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015,” The Office of the Director of National Intelligence, The Department of Homeland Security, The Department of Defense, The Department of Justice, February 16, 2016,
  24. Mark Wilson, “The best free tools for anonymous browsing 2016,” Techradar, October 11, 2016,
  25. Catalin Cimpanu, “Crook Who Used His Home IP Address for Banking Fraud Gets 5 Years in Prison,” Bleeping Computer, December 21, 2016,
  26. “Anonymous Bitcoin Wallet,” TORWallet,
  27. Jamie Williams, “Expanded Government Hacking Powers Need Accompanying Safeguards,” Electronic Frontier Foundation, December 14, 2016,
  28. “Terms and Conditions,” 10Bet, December 15, 2016,
  29. “The prevention of money laundering and combating the financing of terrorism - Guidance for remote and non-remote casinos,” Gambling Commission, July 2016,
  30. ExoneraTor,
  31. Chris Hoffman, “How to Watch Netflix, Hulu, and More Through a VPN Without Being Blocked,” How-To Geek, January 20, 2016,
  32. “Congress Voted to Roll Back Internet Privacy Rules. Now People Are Looking to VPNs,” Fortune, March 28, 2017,
  33. Neil DuPaul, “Spoofing Attack: IP, DNS & ARP,” Veracode,
  34. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016,” Official Journal of the European Union, April 5, 2016,
  35. “Privacy Policy,” DocuSign, December 15, 2016,
  36. “Mobile Fraud Gone in a (Device) Flash,” DataVisor, July 5, 2016,
  37. “Privacy Policy for PayPal Services,” PayPal, January 27, 2017,
  38. “Indicators of compromise,” IBM, 2015,
  39. “How BigFix Helps Investigate a Threat in Forensic Activities,” IBM,
  40. Jason Andress, “Working with Indicators of Compromise,” ISSA Journal, May 2015,
  41. “APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks,” Kaspersky Lab, February 8, 2016,
  42. IBM BigFix Detect, IBM,
  43. “Indicators of Attack (IoA),” Intel,
  44. Jessica DeCianno, “Indicators of Attack versus Indicators of Compromise,” CrowdStrike, December 9, 2014,
  45. “Cyber Kill Chain®,” Lockheed Martin,
  46. Lysa Myers, “Cyber Kill Chain is a Great Idea, But is It Something Your Company Can Implement?,” Infosec Institute, May 31, 2013,
  47. Dave Dittrich, Katherine Carpenter, “Misunderstanding Indicators of Compromise,” Threatpost Op-Ed, April 21, 2016,
  48. Lysa Myers, “The practicality of the Cyber Kill Chain approach to security,” CSO, October 4, 2016,
  49. Dave Dittrich, Katherine Carpenter, “Misuse of Language: ‘Cyber’; When War is Not a War, and a Weapon is Not a Weapon,” Threatpost Op-Ed, August 9, 2016,

Leave a Reply