ELI5: What are Behavioral Indicators?
If your dog suddenly started meowing, you’d know something was very wrong. Behavioral indicators are the equivalent for a computer or an account: signs that it has started acting strangely, like logging in at 3 AM from another country.
Definition
Behavioral indicators of compromise are anomalies in user or system behavior that suggest account compromise or insider threat activity. Unlike file-based or network IoCs, behavioral indicators focus on what a user or system is doing rather than what artifacts they leave. They are a key component of User and Entity Behavior Analytics (UEBA) and are particularly useful for detecting credential-based attacks where the attacker uses legitimate credentials.
Key Details
- Impossible travel: Login from New York at 8 AM and London at 9 AM—physically impossible without credential sharing.
- Unusual login times: An employee logging in at 3 AM when they normally work 9–5.
- Lateral movement patterns: A user account accessing systems it has never touched before.
- Data hoarding: Bulk downloading or copying files to external destinations—a pre-exfiltration indicator.
- SIEM/UEBA platforms establish behavioral baselines and alert when deviations exceed a threshold.
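The four indicators listed above, expressed as detection logic over constructed login and download events. This is an added example for illustration, not code from the original page or from any SIEM/UEBA product; the events, coordinates, baseline hours, known-host lists and the 900 km/h travel ceiling are all assumptions chosen for the demonstration.

```python
"""Toy UEBA-style detectors for behavioral indicators of compromise (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Faster than a commercial airliner between two logins is treated as impossible travel (assumption).
MAX_PLAUSIBLE_SPEED_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime        # timezone-aware timestamp
    city: str
    lat: float
    lon: float
    host: str           # system the account authenticated to


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[Login]) -> list[tuple[str, str, str, float]]:
    """Flag consecutive logins by one user that would need travel faster than MAX_PLAUSIBLE_SPEED_KMH."""
    by_user: dict[str, list[Login]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for a, b in zip(evs, evs[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            # Two places at the same instant is infinite speed; same place at the same instant is fine.
            if hours > 0:
                speed = dist / hours
            else:
                speed = float("inf") if dist > 0 else 0.0
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append((user, a.city, b.city, round(speed, 1)))
    return findings


def off_hours_logins(events: list[Login], baseline_hours: dict[str, set[int]]) -> list[tuple[str, str]]:
    """Flag logins at an hour (UTC) never seen for that user during the baseline window."""
    return [(e.user, e.ts.strftime("%H:%M")) for e in events
            if e.ts.hour not in baseline_hours.get(e.user, set())]


def first_time_host_access(events: list[Login], known_hosts: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Lateral-movement pattern: an account authenticating to a system it has never touched before."""
    return [(e.user, e.host) for e in events if e.host not in known_hosts.get(e.user, set())]


def bulk_download_spike(downloads: dict[str, int], baseline_daily: dict[str, float],
                        factor: float = 10.0) -> list[tuple[str, int]]:
    """Data-hoarding signal: today's download count exceeds `factor` times the user's daily average."""
    return [(u, n) for u, n in downloads.items() if n > factor * baseline_daily.get(u, 1.0)]


def _t(hour: int, minute: int = 0) -> datetime:
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


# Constructed sample telemetry (not real logs): hostnames, users and baselines are made up.
SAMPLE_LOGINS = [
    Login("alice", _t(8), "New York", 40.7128, -74.0060, "vpn-gw-01"),
    Login("alice", _t(9), "London", 51.5074, -0.1278, "vpn-gw-01"),
    Login("bob", _t(3), "Chicago", 41.8781, -87.6298, "mail-01"),
    Login("carol", _t(10), "Chicago", 41.8781, -87.6298, "fileserver-07"),
]
BASELINE_HOURS = {"alice": set(range(8, 18)), "bob": set(range(9, 18)), "carol": set(range(9, 18))}
KNOWN_HOSTS = {"alice": {"vpn-gw-01"}, "bob": {"mail-01"}, "carol": {"hr-app-02"}}
DOWNLOADS_TODAY = {"alice": 12, "carol": 950}
BASELINE_DAILY = {"alice": 10.0, "carol": 15.0}


def run_all() -> dict[str, list]:
    """Run every detector over the sample data and return the findings keyed by indicator."""
    return {
        "impossible_travel": impossible_travel(SAMPLE_LOGINS),
        "off_hours": off_hours_logins(SAMPLE_LOGINS, BASELINE_HOURS),
        "new_host": first_time_host_access(SAMPLE_LOGINS, KNOWN_HOSTS),
        "bulk_download": bulk_download_spike(DOWNLOADS_TODAY, BASELINE_DAILY),
    }


if __name__ == "__main__":
    for indicator, hits in run_all().items():
        print(f"{indicator}: {hits}")
```

Each detector compares an observation against a per-user baseline (typical hours, previously seen hosts, average download volume), which is the core of what a UEBA platform does at scale; the thresholds here are fixed constants, whereas a real platform would learn them and tune them per entity. The impossible-travel check depends on IP geolocation, so corporate VPN egress points, cloud proxies and mobile carrier NAT are common sources of false positives and are worth excluding or down-weighting before alerting.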
Connections
- Parent: indicators-of-compromise — a category of IoC based on behavior patterns
- See also: account-indicators