
Indicators of Compromise (IOCs) are Not Intelligence

July 06, 2017

When discussing the topic of cyber threat intelligence, I frequently hear questions about Indicators of Compromise (IOCs). IOCs are not intelligence; they are important data points within the intelligence process. Meta-data is a better way to think about how to connect the dots between assets, threats, threat agents, counter-measures and the other variables that factor into cyber threat intelligence. Context is king, especially within threat intel, and much of that context is built through meta-data.


When initial comments and questions from an individual are about IOCs instead of something more granular and meaningful related to cyber threat intelligence, it reveals a state of readiness and maturity in the organization. I have pondered on this for some time, and have realized that it’s the most tangible thing that someone can relate to from their vantage point and experience. It’s not unlike work I did for U-2 spy plane ops, where, if I spoke to someone about their mission and unique operating environment, it was largely foreign to them. IOCs are a fine starting point for opening a discussion but should quickly migrate towards understanding the process of cyber threat intelligence and meta-data.

IOCs are generally collected from a large number of public and private sources on a global scale. Today the threat environment involves multi-minor-wave-unique variants, one-time-use command and control (C2) servers and a myriad of other challenging realities. We can collect, parse, populate and attempt to use billions of IOCs daily and never gain much ground on lowering risk or increasing threat visibility. Furthermore, global IOCs are those that impacted everyone else, not your network, not your email, not your CEO.

Inverting the focus of IOC collection to enriching and maturing an organization’s specific IOC data first is a key recommendation for anyone new to the world of cyber threat intelligence. Take your anti-virus logs, incidents, and similar threat events, and act upon those IOCs. For example, collect all the original IOCs for the incident (e.g. email attachment data, the hash of an email attachment, etc.) and immediately populate them into your environment. Then, enrich and mature your understanding of that threat further by using anti-virus, sandbox, and similar solutions, and/or your own lab-qualified operations. By doing this you now have a more robust context related to that specific threat and incident, enabling you to take additional actions and countermeasures.

Once you have robust, specific and relevant meta-data related to IOCs, threats and assets, you’ll have a big data problem on your hands. So many tickets, so much information, so many threats…and you’ll be drowning in all of them, sometimes without enough resources to manage. This is where having highly skilled and experienced staff is amazing, if you can manage to obtain and retain such individuals. Additionally, a focus upon your infrastructure for big data analytics, correlation and threat modeling is key to enabling whomever is doing the work to find the signal in the noise. If this is not a focus of your current operations, it should be in your immediate future based upon the massive scale of attacks—especially in the world of malware since 2006.

Other meta-data also exists for IOCs and intel; mapping the following information back to each IOC is particularly valuable:

  • Date and time: Key to establishing attack timelines, possible timelines linked back to an intrusion, correlating malware samples based upon date and time, and so on.
  • Geolocation: This can be a major factor when looking at espionage cases and threat-agent-specific investigations.
  • Categories: Unique categories of type and data, such as whether an IP is DHCP-assigned or DDNS-related, are also important.

When you combine meta-data with a specific and relevant enrichment plan, context is the result. In the traditional world of IOCs you’d get a list of more information, often without any meta-data. This results in common problems like blocking the IP 127.0.0.1, not realizing that the loopback address landed in your blacklist by mistake from one of the billions of records scraped from some other source.

We don’t need more information and more data, we need intelligence.

With context from meta-data linked back to an IOC, identifying and removing false positives is a reality instead of an operational nightmare or surprise. Context enables experts to better qualify and respond to a threat too, such as understanding that an IP in a blacklist that may have just triggered an alert is linked back to possible espionage-based actions. The more context we can create the more value we can drive in our threat research and response, recursively.
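The workflow above, as an added example that is not part of the original post: an IOC record that carries the meta-data the post recommends (provenance, date/time, geolocation, categories), a helper that derives an IOC from your own incident artifact, and a triage step that keeps a context-free loopback entry such as 127.0.0.1 off the blocklist. All sample values (ticket id, feed names, domains under example.net/example.org, the attachment bytes) are constructed for illustration.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

@dataclass
class IOC:
    value: str                        # the indicator itself: hash, IP or domain
    kind: str                         # "sha256", "ipv4" or "domain"
    source: str                       # provenance: incident ticket or feed name
    first_seen: Optional[datetime] = None
    geo: Optional[str] = None         # country code when geolocation is known
    categories: set = field(default_factory=set)  # e.g. {"c2", "dhcp", "ddns"}

    def has_context(self) -> bool:
        """True when the record carries provenance plus a timestamp or category."""
        return bool(self.source) and (self.first_seen is not None or bool(self.categories))

def ioc_from_incident(attachment: bytes, ticket: str, seen: datetime) -> IOC:
    """Hash the original artifact from your own incident and record where it came from."""
    return IOC(hashlib.sha256(attachment).hexdigest(), "sha256", ticket,
               seen, categories={"email-attachment"})

def blockable(ioc: IOC) -> bool:
    """Actionable only if routable (for IPs) and carrying meta-data context."""
    if ioc.kind == "ipv4":
        try:
            addr = ipaddress.ip_address(ioc.value)
        except ValueError:
            return False
        if not addr.is_global:   # loopback, RFC1918, link-local, reserved, multicast
            return False
    return ioc.has_context()

def triage(iocs: list) -> tuple:
    """Split a merged feed into (actionable, rejected) lists."""
    keep = [i for i in iocs if blockable(i)]
    rejects = [i for i in iocs if not blockable(i)]
    return keep, rejects

# Constructed sample data: one incident-derived IOC with full context, plus three
# "global feed" entries, including the loopback mistake described in the post.
NOW = datetime(2017, 7, 6, tzinfo=timezone.utc)
SAMPLE = [
    ioc_from_incident(b"%PDF-1.4 constructed malicious attachment", "INC-2017-0042", NOW),
    IOC("127.0.0.1", "ipv4", "scraped-feed-A"),                           # loopback, no meta-data
    IOC("c2.example.net", "domain", "scraped-feed-B", NOW, "XX", {"c2", "ddns"}),
    IOC("evil.example.org", "domain", "scraped-feed-C"),                  # no meta-data at all
]
```

Running `triage(SAMPLE)` keeps the incident hash and the enriched C2 domain, and rejects both the loopback address and the context-free domain.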


By: Ken Dunham

Senior Director, Technical Cyber Threat Intelligence
