Traditional IOCs Suck
Traditional IOCs are lame.
Don’t waste your time on traditional Indicators Of Compromise (IOCs) – IPs, domains, URLs, hashes, filenames, etc. Seriously, buy a vendor product and/or feed that gives you this capability. The payback of traditional IOCs catching commodity malware is low. The payback when it comes to detecting advanced and/or targeted threats with traditional IOCs is zero.
Why zero? Any attacker of intermediate (or higher) skill who is targeting you will vary their signatures (hashes, IPs, filenames, etc.) across attacks against your company. They will certainly vary them from target to target.
Why do attackers vary signatures? Simple: they don’t want their entire infrastructure and payload(s) to get burned when victim X finds it and reports it (e.g. through vendor “intel” feeds). If they are using a single C2 server (for example) against multiple victims, their chances of losing ALL access increase with every new target/victim.
Your time is better spent hardening your endpoints and network to the fullest extent possible and building in-house TTP-based detections. An attacker will not be able to predict exactly what your custom TTP-based detections are looking for, but they can trivially determine whether traditional IOC-based detections will catch them (attackers check malware repos and intel feeds too!).
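To make the difference concrete, here is an added example (not code from the original post) that runs two detector classes over a handful of constructed process-creation events: an atomic IOC lookup against a small "feed", and a behavioural rule that keys on how a process was used (an Office application spawning a scripting host, PowerShell launched with an encoded command). The event schema, field names, hash and IP values, and the rule contents are all assumptions made for this illustration, not any vendor's format. The second event is "the same attacker next week": identical behaviour, but the payload was rebuilt and re-hosted, so every atomic value changed.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # image name of the parent process (assumed schema)
    image: str    # image name of the created process
    cmdline: str  # command line of the created process
    sha256: str   # hash of the created image on disk
    dest_ip: str  # remote address the process connected to, "" if none

# Constructed "intel feed" of atomic IOCs from a fictional earlier incident.
# Both values are placeholders (a fake hash, a TEST-NET-3 documentation address).
IOC_HASHES = {"0" * 63 + "1"}
IOC_IPS = {"203.0.113.10"}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the
# common spellings when they appear as a separate argument.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s")

def ioc_match(ev: ProcessEvent) -> List[str]:
    """Atomic lookup: fires only on values the feed has already seen."""
    hits = []
    if ev.sha256.lower() in IOC_HASHES:
        hits.append(f"hash {ev.sha256[:8]}... on feed")
    if ev.dest_ip in IOC_IPS:
        hits.append(f"destination {ev.dest_ip} on feed")
    return hits

def ttp_match(ev: ProcessEvent) -> List[str]:
    """Behavioural rules: fire on how the process was used, not on its bytes."""
    hits = []
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append(f"office app {parent} spawned {image}")
    if image == "powershell.exe" and ENCODED_FLAG.search(ev.cmdline):
        hits.append("powershell launched with an encoded command")
    return hits

def triage(events: List[ProcessEvent]) -> List[dict]:
    """Return, per event, which detector class would have alerted."""
    return [{"image": ev.image, "ioc": ioc_match(ev), "ttp": ttp_match(ev)}
            for ev in events]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: the original incident; hash and C2 address are on the feed
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -EncodedCommand <base64 placeholder>",
                 "0" * 63 + "1", "203.0.113.10"),
    # 2: same behaviour, rebuilt payload, new hosting; nothing atomic matches
    ProcessEvent("winword.exe", "powershell.exe",
                 "powershell.exe -enc <base64 placeholder>",
                 "f" * 63 + "2", "198.51.100.7"),
    # 3: benign admin script run from the desktop
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
                 "a" * 63 + "3", ""),
    # 4: ordinary service host
    ProcessEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs",
                 "b" * 63 + "4", ""),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Running it shows the first event caught by both detectors, the second caught only by the behavioural rule, and the two benign events caught by neither. The rule is deliberately narrow; in practice you would tune the parent/child sets against your own environment's baseline rather than copy them from a blog.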
There has been much talk about MITRE ATT&CK, which catalogs common attacker TTPs together with detections and mitigations for each. Check out the project for more information: https://attack.mitre.org/
Are traditional IOCs completely worthless? No. But you should be spending close to zero man-hours dealing with them. Rely on your vendor products and their feeds to block and/or alert on the dumb attackers. Spend your time, money and energy on things vendors cannot provide because of the diversity of their clients’ networks.