2.2 Indicators of malicious activity
📘CompTIA Security+ SY0-701
Introduction
In cybersecurity, indicators of malicious activity are warning signs that something suspicious or harmful might be happening in your system or network. These indicators help security professionals identify, investigate, and respond to potential attacks before major damage occurs.
This section focuses on common behavioral and technical signs that could indicate unauthorized activity or compromise in an organization’s environment.
1. Account Lockout
Definition:
An account lockout occurs when a user’s account becomes temporarily or permanently locked after multiple failed login attempts.
Why it happens:
Most systems use account lockout policies to prevent attackers from guessing passwords repeatedly (brute-force attacks).
However, frequent or unexpected account lockouts can also indicate malicious activity.
Possible causes:
- Password attack: An attacker is trying to guess a password by attempting multiple logins.
- Malware or scripts: A malicious script is repeatedly trying to log in using stolen credentials.
- Misconfiguration: A system or service is using outdated credentials.
- Compromised system: Someone gained access to one device and is using it to attempt logins to others.
Security implication:
Repeated account lockouts, especially across several users or systems, are a strong indicator of a brute-force or credential-stuffing attack.
Administrators should investigate the source IP address, time of attempts, and frequency to determine if the activity is legitimate or malicious.
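The two patterns described above (one account locking after repeated failures, and one source failing against many accounts) can be separated with a few lines of log analysis. The following is an added example, not part of the CompTIA material or any product; it runs over constructed sample authentication records, and the lockout threshold, time window and function names (`find_lockouts`, `find_spraying_sources`) are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data):
# timestamp, user, source IP, result
SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01 alice 10.0.0.5 FAIL
2024-05-01T08:00:03 alice 10.0.0.5 FAIL
2024-05-01T08:00:05 alice 10.0.0.5 FAIL
2024-05-01T08:00:07 alice 10.0.0.5 FAIL
2024-05-01T08:00:09 alice 10.0.0.5 FAIL
2024-05-01T08:00:11 alice 10.0.0.5 FAIL
2024-05-01T08:01:00 bob 203.0.113.9 FAIL
2024-05-01T08:01:02 carol 203.0.113.9 FAIL
2024-05-01T08:01:04 dave 203.0.113.9 FAIL
2024-05-01T08:01:06 erin 203.0.113.9 FAIL
2024-05-01T08:01:08 frank 203.0.113.9 FAIL
2024-05-01T08:30:00 bob 10.0.0.7 FAIL
2024-05-01T08:30:20 bob 10.0.0.7 SUCCESS
"""

LOCKOUT_THRESHOLD = 5            # failed attempts before an account locks (assumed policy)
LOCKOUT_WINDOW = timedelta(minutes=10)
SPRAY_USER_THRESHOLD = 4         # distinct users failing from one source in the window (assumed)


def parse_auth_log(text):
    """Parse 'timestamp user source result' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append((datetime.fromisoformat(ts), user, src, result))
    return events


def find_lockouts(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Return users whose failed attempts within `window` reach `threshold`.
    This mirrors what the lockout policy itself counts: failures per account."""
    failures = defaultdict(list)
    locked = set()
    for ts, user, src, result in sorted(events):
        if result != "FAIL":
            continue
        recent = [t for t in failures[user] if ts - t <= window]
        recent.append(ts)
        failures[user] = recent
        if len(recent) >= threshold:
            locked.add(user)
    return locked


def find_spraying_sources(events, window=LOCKOUT_WINDOW, min_users=SPRAY_USER_THRESHOLD):
    """Return {source_ip: [users]} for sources that fail against many distinct accounts
    inside `window`. One source touching many users, each staying below the lockout
    threshold, is the credential-stuffing / password-spraying shape that a per-user
    lockout count alone never triggers on."""
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("locked accounts:", find_lockouts(evs))        # {'alice'}
    print("spraying sources:", find_spraying_sources(evs))
```

On the sample data only `alice` trips the per-account lockout, while `203.0.113.9` never locks anyone yet fails against five accounts in eight seconds; correlating failures by source IP, not just by user, is what surfaces that second case.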
2. Concurrent Sessions
Definition:
A concurrent session happens when the same user account is logged in from multiple devices or locations at the same time.
Why it matters:
In most environments, users are expected to have only one active session at a time (for example, one login from their workstation).
If multiple sessions exist from different IP addresses or countries, it can indicate credential compromise.
Possible causes:
- Credential theft: Attackers are using stolen usernames and passwords.
- Session hijacking: Attackers intercepted and reused a valid session token.
- Shared credentials: Employees are sharing accounts, which is against security best practices.
Security implication:
Concurrent sessions from unusual or geographically distant locations suggest that an attacker may be actively using a stolen account.
Security teams should review login timestamps, session tokens, and geographic data to confirm unauthorized access.
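A concrete check for the overlap described above, as an added example that is not from the CompTIA material or any vendor tool: it takes constructed session records (user, source IP, start, end), reports users whose sessions from different source addresses overlap in time, and rates an internal/external pair higher than two internal ones. The corporate address range, the session data and the function names are assumptions.

```python
import ipaddress
from datetime import datetime
from itertools import combinations

# Constructed session records (not real data): user, source IP, start, end
SAMPLE_SESSIONS = [
    ("alice", "10.0.0.5",     "2024-05-01T09:00:00", "2024-05-01T12:00:00"),
    ("alice", "198.51.100.4", "2024-05-01T10:30:00", "2024-05-01T11:00:00"),
    ("bob",   "10.0.0.7",     "2024-05-01T09:00:00", "2024-05-01T10:00:00"),
    ("bob",   "10.0.0.7",     "2024-05-01T09:30:00", "2024-05-01T10:30:00"),  # same device, second window
    ("carol", "10.0.0.9",     "2024-05-01T08:00:00", "2024-05-01T09:00:00"),
    ("carol", "203.0.113.8",  "2024-05-01T09:00:00", "2024-05-01T10:00:00"),  # back-to-back, no overlap
]

CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space


def parse_sessions(records):
    """Turn (user, ip, start, end) strings into (user, ip, datetime, datetime) tuples."""
    return [(u, ip, datetime.fromisoformat(s), datetime.fromisoformat(e))
            for u, ip, s, e in records]


def overlapping(a, b):
    """Two sessions overlap when each starts strictly before the other ends."""
    return a[2] < b[3] and b[2] < a[3]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETWORKS)


def severity(ip_a, ip_b):
    """An internal session overlapping an external one is the more suspicious case."""
    return "medium" if is_internal(ip_a) and is_internal(ip_b) else "high"


def find_concurrent_sessions(sessions):
    """Return {user: [(ip_a, ip_b, severity), ...]} for users whose sessions from
    *different* source IPs overlap in time. Same-IP overlaps (a second browser tab on
    the same workstation) are ignored: they do not suggest a second party holds the credential."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s[0], []).append(s)
    findings = {}
    for user, sess in by_user.items():
        for a, b in combinations(sess, 2):
            if a[1] != b[1] and overlapping(a, b):
                findings.setdefault(user, []).append((a[1], b[1], severity(a[1], b[1])))
    return findings


if __name__ == "__main__":
    for user, hits in find_concurrent_sessions(parse_sessions(SAMPLE_SESSIONS)).items():
        print(user, hits)   # alice [('10.0.0.5', '198.51.100.4', 'high')]
```

Only `alice` is reported: `bob`'s two sessions share one address, and `carol`'s sessions touch at 09:00 without overlapping. In a real environment the address and time fields would come from the identity provider's sign-in log rather than a hard-coded list.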
3. Blocked Content
Definition:
Blocked content refers to files, websites, emails, or applications that a security system (such as a firewall, proxy server, or email filter) has prevented users from accessing.
Why it matters:
Blocked content often indicates that the system is actively defending against potentially dangerous or policy-violating activity.
Possible causes:
- Malicious website or phishing link: Security tools block access to prevent infection.
- Policy violation: A user is trying to access unauthorized sites (e.g., file-sharing or gaming sites).
- Malware communication: A system may be trying to contact a command-and-control (C2) server but is blocked by a firewall.
Security implication:
Frequent blocking of certain URLs, ports, or files can be a sign of infection or insider threat activity.
Administrators should analyze blocked requests to identify whether users or systems are being targeted by phishing, malware, or data exfiltration attempts.
4. Impossible Travel
Definition:
Impossible travel occurs when a user logs in from two different geographic locations within a short period of time — a distance that’s impossible to travel physically.
Example in IT terms:
If a user logs in from New York and, 10 minutes later, there’s another login using the same account from London, the system detects this as impossible travel.
Why it matters:
This is a strong indicator of credential compromise. Attackers may have obtained the user’s password and are accessing systems remotely.
Possible causes:
- Stolen credentials used by an attacker.
- VPN or proxy usage (sometimes false positives).
- Compromised accounts used by attackers from different countries.
Security implication:
Impossible travel detections help identify account takeovers.
Organizations can use security analytics tools or identity management systems (like Microsoft Entra ID / Azure AD) to automatically flag such behavior for investigation.
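The New York to London case above reduces to a distance-over-time check. The following is an added example, not code from CompTIA or from any identity product: it computes great-circle distance between consecutive logins of the same user with the haversine formula, flags pairs that would require an implausible speed, and accepts a set of trusted locations to suppress the VPN false positive the section mentions. The coordinates, the speed threshold and the function names are assumptions.

```python
import math
from datetime import datetime

# Constructed login events (not real data): user, timestamp, location label, latitude, longitude
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T09:00:00", "New York", 40.7128, -74.0060),
    ("alice", "2024-05-01T09:10:00", "London",   51.5074,  -0.1278),   # 10 minutes later
    ("bob",   "2024-05-01T09:00:00", "New York", 40.7128, -74.0060),
    ("bob",   "2024-05-01T18:00:00", "London",   51.5074,  -0.1278),   # 9 hours later: a real flight
]

MAX_SPEED_KMH = 1000.0   # assumed threshold, above any commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, trusted_locations=frozenset()):
    """Return one alert per consecutive login pair (same user) whose implied speed exceeds
    max_speed_kmh. Pairs involving a trusted location (e.g. the corporate VPN egress point)
    are skipped, which is how the VPN/proxy false positive is usually handled."""
    by_user = {}
    for user, ts, place, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), place, lat, lon))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        for (t0, p0, la0, lo0), (t1, p1, la1, lo1) in zip(evs, evs[1:]):
            if p0 in trusted_locations or p1 in trusted_locations:
                continue
            dist = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": p0, "to": p1,
                               "km": round(dist), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print(alert)   # alice, New York -> London, about 5570 km in 10 minutes
```

`alice` is flagged (roughly 5,570 km in ten minutes), `bob` is not (the same trip over nine hours is an ordinary flight). Passing `trusted_locations={"London"}` suppresses the alert, which is what a team would do for a known VPN egress location; in production the trust decision would normally key on the egress IP rather than a city name.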
5. Resource Issues
Definition:
Resource issues occur when a system experiences unusual or excessive use of its resources, such as CPU, memory, bandwidth, or disk space.
Why it matters:
These issues can indicate the presence of malware, cryptomining, or denial-of-service (DoS) attacks.
Possible causes:
- Malware infection: Consuming CPU to encrypt data (ransomware) or mine cryptocurrency.
- Botnet participation: A system is part of a network performing attacks.
- Data exfiltration: Large or unexpected network traffic spikes.
- Misconfiguration: Poorly configured services consuming unnecessary resources.
Security implication:
Unusual resource consumption is a key sign of malicious or unauthorized activity.
Monitoring tools (such as a SIEM, SNMP-based network monitors, or host performance monitors) help detect such anomalies and trace them to their source.
6. Missing Logs
Definition:
Missing logs mean that security or system event records are not available when they should be.
Why it matters:
Logs are vital for detecting and investigating security incidents.
If logs are deleted, disabled, or missing, it often suggests an attempt to hide malicious activity.
Possible causes:
- Log tampering: Attackers delete logs to cover their tracks.
- System misconfiguration: Logging was never enabled or set up incorrectly.
- Log overflow: System storage is full, causing logs to be overwritten.
- Insider threat: A user intentionally disables logging.
Security implication:
Missing logs can make incident response and forensic investigation extremely difficult.
Security professionals should implement centralized logging and backups to prevent attackers from wiping records locally.
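Centralized logging also makes "missing" measurable: the collector knows which hosts should be sending and when each last did. The following is an added example, not from the CompTIA material or any SIEM product; it runs over constructed collector arrival records and reports the three shapes of missing logs discussed above (a host that never reported, a gap between records, and a host that has gone silent). The host inventory, the silence tolerance and the function names are assumptions.

```python
from datetime import datetime, timedelta

# Constructed collector records (not real data): source host and the time each log batch arrived
SAMPLE_ARRIVALS = """\
web01 2024-05-01T08:00:00
web01 2024-05-01T08:05:00
web01 2024-05-01T08:10:00
web01 2024-05-01T09:40:00
db01 2024-05-01T08:00:00
db01 2024-05-01T08:05:00
db01 2024-05-01T08:10:00
db01 2024-05-01T08:15:00
"""

EXPECTED_HOSTS = {"web01", "db01", "dc01"}   # assumed inventory of hosts that must ship logs
MAX_SILENCE = timedelta(minutes=30)          # assumed tolerance before silence becomes an alert


def parse_arrivals(text):
    """Return {host: [sorted datetimes]} from 'host ISO-timestamp' lines."""
    by_host = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts = line.split()
        by_host.setdefault(host, []).append(datetime.fromisoformat(ts))
    for times in by_host.values():
        times.sort()
    return by_host


def find_log_gaps(by_host, expected_hosts, max_silence, now):
    """Three kinds of 'missing logs':
       never_reported: inventory host with no records at all (agent never installed, or removed)
       gaps:           silence longer than max_silence between two records (logging disabled, then re-enabled)
       silent_since:   host whose last record is older than max_silence as of `now` (logging stopped)
    """
    report = {"never_reported": sorted(expected_hosts - set(by_host)),
              "gaps": {}, "silent_since": {}}
    for host in sorted(expected_hosts & set(by_host)):
        times = by_host[host]
        for earlier, later in zip(times, times[1:]):
            if later - earlier > max_silence:
                report["gaps"].setdefault(host, []).append((earlier, later))
        if now - times[-1] > max_silence:
            report["silent_since"][host] = times[-1]
    return report


def sample_report(now_iso="2024-05-01T10:00:00"):
    """Run the check over the constructed data as of the given wall-clock time."""
    return find_log_gaps(parse_arrivals(SAMPLE_ARRIVALS), EXPECTED_HOSTS,
                         MAX_SILENCE, now=datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(key, value)
```

As of 10:00 the report lists `dc01` as never having reported, a 90-minute gap on `web01` between 08:10 and 09:40, and `db01` silent since 08:15. Each of those is a different follow-up: check agent deployment, check whether the service was stopped and restarted on the host, or check whether the host is still up. A simple heartbeat check of this kind runs on the collector, where an attacker with access to a single endpoint cannot erase it.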
Summary Table
| Indicator | Description | Possible Cause | Security Concern |
|---|---|---|---|
| Account Lockout | Account locked due to multiple failed login attempts | Brute-force, wrong credentials | Brute-force or credential-stuffing attack |
| Concurrent Sessions | Same user logged in from multiple locations | Credential theft or sharing | Compromised account |
| Blocked Content | Access to content denied by security systems | Malware or policy violation | Attempted infection or data exfiltration |
| Impossible Travel | Logins from geographically impossible locations | Stolen credentials | Account takeover |
| Resource Issues | Unusual CPU, memory, or network usage | Malware or DoS attack | System compromise |
| Missing Logs | Logs deleted or unavailable | Tampering or misconfiguration | Covering up malicious activity |
Key Takeaways for the Exam
- These indicators help detect early warning signs of an attack.
- Understand what each indicator means, why it happens, and what it could imply.
- Be able to differentiate between normal activity and suspicious behavior.
- Know how security tools (SIEM, IDS/IPS, firewalls, log analyzers) help identify these indicators.
