Indicators of Compromise (IOCs) are Not Intelligence
July 06, 2017
When discussing the topic of cyber threat intelligence, I frequently hear questions about Indicators of Compromise (IOCs). IOCs are not intelligence, but they are important data points within the intelligence process. Meta-data is a better way to think about how to connect the dots between assets, threats, threat agents, counter-measures and the other variables that factor into cyber threat intelligence. Context is king, especially within threat intel, and meta-data is a large part of how that context gets built.
When the initial comments and questions from an individual are about IOCs instead of something more granular and meaningful related to cyber threat intelligence, it reveals the state of readiness and maturity in the organization. I have pondered this for some time, and have realized that IOCs are the most tangible thing that someone can relate to from their vantage point and experience. It’s not unlike work I did for U-2 spy plane ops, where if I spoke to someone about that mission and its unique operating environment, it was largely foreign to them. IOCs are a fine starting point for opening a discussion, but the discussion should quickly migrate towards understanding the process of cyber threat intelligence and meta-data.
IOCs are generally collected from a large number of public and private sources on a global scale. Today’s threat environment involves many minor waves of unique malware variants, one-time-use command and control (C2) servers and a myriad of other challenging realities. We can collect, parse, populate and attempt to use billions of IOCs daily and never gain much ground on lowering risk or increasing threat visibility. Furthermore, global IOCs are the ones that impacted everyone else: not your network, not your email, not your CEO.
Inverting the focus of IOC collection, so that enriching and maturing an organization’s own specific IOC data comes first, is a key recommendation for anyone new to the world of cyber threat intelligence. Take your anti-virus logs, incidents, and similar threat events, and act upon those IOCs. For example, collect all the original IOCs for the incident (e.g. email attachment data, the hash of an email attachment, etc.) and immediately populate them into your environment. Then, enrich and mature your understanding of that threat further by using anti-virus, sandbox, and similar solutions and/or your own lab-qualified analysis. By doing this you now have a more robust context for that specific threat and incident, enabling you to take additional actions and countermeasures.
Once you have robust, specific and relevant meta-data for your IOCs, threats and assets, you’ll have a big data problem on your hands. So many tickets, so much information, so many threats…and you’ll be drowning in all of them, sometimes without enough resources to manage. This is where highly skilled and experienced staff make an enormous difference, if you can manage to obtain and retain such individuals. Additionally, a focus upon your infrastructure for big data analytics, correlation and threat modeling is key to enabling whoever is doing the work to find the signal in the noise. If this is not a focus of your current operations, it should be in your immediate future based upon the massive scale of attacks—especially in the world of malware since 2006.
Other meta-data also exists for IOCs and intel, and should be mapped back to each IOC, including the following:
- Date and time: Key to establishing attack timelines, possible timelines linked back to an intrusion, correlating malware samples based upon date and time and so on.
- Geolocation: This can be a major factor when looking to espionage cases and threat agent specific investigations.
- Categories: Unique categories of indicator types and data, such as an IP being DHCP-assigned or DDNS-related, are also important.
When you combine meta-data with a specific and relevant enrichment plan, context is the result. In the traditional world of IOCs you’d just get a longer list of information—often without any meta-data. This results in common problems like blocking the IP 127.0.0.1, not realizing that the loopback address ended up in your blacklist by mistake from some other source among the billions of scraped records.
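The following is an added example, not code from the original post, showing the two ideas above in working form: each indicator carries the meta-data fields listed earlier (date and time, geolocation, category, plus its source), feed records are sanity-checked on ingest so a loopback or RFC 1918 address can never reach a blocklist, and internal-incident IOCs are distinguished from globally scraped ones. The pipe-delimited feed format is invented for this example; the addresses come from the loopback, RFC 1918 and RFC 5737 documentation ranges, and the hash is computed from made-up bytes, so nothing here is a real indicator. The routability check uses an explicit list of non-routable ranges rather than Python’s `is_private`, because `is_private` would also drop the documentation range used for the sample.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data in an invented pipe-delimited shape:
#   indicator|type|first_seen|country|category|source
# The hash is derived from made-up bytes; it is not a real sample.
CONSTRUCTED_ATTACHMENT = b"constructed email attachment bytes for the example"
CONSTRUCTED_HASH = hashlib.sha256(CONSTRUCTED_ATTACHMENT).hexdigest()

SAMPLE_FEED = "\n".join([
    "198.51.100.23|ip|2017-06-28T14:02:00Z|RU|c2-ddns|global-feed-a",
    "127.0.0.1|ip|2017-06-30T09:00:00Z||unknown|global-feed-b",       # loopback scraped by mistake
    "10.0.0.5|ip|2017-07-01T11:45:00Z||dhcp-assigned|global-feed-b",  # RFC 1918, meaningless globally
    "198.51.100.23|ip|2017-07-02T08:10:00Z|RU|c2-ddns|global-feed-c", # same IOC, second source
    f"{CONSTRUCTED_HASH}|sha256|2017-07-03T16:20:00Z||email-attachment|internal-incident",
])

# Ranges that must never appear in a blocklist built from external feeds.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7",
)]


@dataclass
class IOC:
    """One indicator plus the meta-data that gives it context."""
    value: str
    ioc_type: str                 # "ip" or "sha256"
    first_seen: datetime          # earliest sighting across all sources
    last_seen: datetime           # latest sighting across all sources
    country: Optional[str]        # geolocation, if any source supplied it
    category: str                 # e.g. c2-ddns, dhcp-assigned, email-attachment
    sources: Set[str] = field(default_factory=set)

    @property
    def scope(self) -> str:
        # Indicators from your own incidents outrank anything scraped globally.
        return "internal" if any(s.startswith("internal-") for s in self.sources) else "global"


def is_routable_ip(value: str) -> bool:
    """True only for syntactically valid addresses outside the non-routable ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def ingest(feed_text: str) -> Tuple[Dict[str, IOC], List[Tuple[str, str]]]:
    """Parse feed lines into IOC records, merging duplicates and rejecting junk."""
    accepted: Dict[str, IOC] = {}
    rejected: List[Tuple[str, str]] = []
    for line in feed_text.splitlines():
        if not line.strip():
            continue
        value, ioc_type, seen, country, category, source = line.split("|")
        seen_at = datetime.strptime(seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ioc_type == "ip" and not is_routable_ip(value):
            rejected.append((value, f"non-routable address from {source}"))
            continue
        if ioc_type == "sha256" and (len(value) != 64 or any(c not in "0123456789abcdef" for c in value)):
            rejected.append((value, f"malformed sha256 from {source}"))
            continue
        existing = accepted.get(value)
        if existing is None:
            accepted[value] = IOC(value, ioc_type, seen_at, seen_at, country or None, category, {source})
        else:
            # Same indicator from another source: widen the timeline, keep every source.
            existing.first_seen = min(existing.first_seen, seen_at)
            existing.last_seen = max(existing.last_seen, seen_at)
            existing.sources.add(source)
            if existing.country is None and country:
                existing.country = country
    return accepted, rejected


def qualify_alert(iocs: Dict[str, IOC], observed: str) -> dict:
    """Return the context an analyst needs when an alert fires on an indicator."""
    ioc = iocs.get(observed)
    if ioc is None:
        return {"match": False}
    return {
        "match": True,
        "scope": ioc.scope,
        "category": ioc.category,
        "country": ioc.country,
        "sources": len(ioc.sources),
        "first_seen": ioc.first_seen.date().isoformat(),
        "last_seen": ioc.last_seen.date().isoformat(),
    }


if __name__ == "__main__":
    iocs, dropped = ingest(SAMPLE_FEED)
    for value, reason in dropped:
        print(f"rejected {value}: {reason}")
    print(qualify_alert(iocs, "198.51.100.23"))
    print(qualify_alert(iocs, CONSTRUCTED_HASH))
```

Two details carry the point of the post: the merge step turns two bare list entries for the same address into one record with a two-source, five-day timeline, which is the difference between "it was on a list" and context, and the routability check rejects the loopback entry before it can ever be blocked.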
We don’t need more information and more data, we need intelligence.
With context from meta-data linked back to an IOC, identifying and removing false positives is a reality instead of an operational nightmare or surprise. Context enables experts to better qualify and respond to a threat too, such as understanding that an IP in a blacklist that may have just triggered an alert is linked back to possible espionage-based actions. The more context we can create the more value we can drive in our threat research and response, recursively.