Analytical Results of a Cyber Threat Intelligence Survey

Bohemia Ballroom
06 Dec 2017 03:00 PM - 03:30 PM (America/Chicago)

Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague / events@oasis-open.org

Earlier this year I conducted a cyber threat intelligence industry survey asking security practitioners to rate the value of the 20 most common indicator types as well as the 35 most common supporting attributes. The survey was broadcast to techie friends, colleagues, co-workers, several ‘fight club’ distros, and security students from nearly 10 years of collegiate teaching. After 3 months of collecting responses, a total of 565 good Samaritans completed the survey and the results are fascinating!

In this talk I will present:

  • the survey methodology
  • the rating scales
  • the results as several hypotheses are proven and disproven
  • an analytical breakdown of the results by industry and participant role
  • and finally, lessons learned


Additional information on the presentation:

IOCs will always be a key detection mechanism for obvious reasons; however, because certain IOCs are easy for the adversary to replenish, defenders are forced to look beyond the IOC and focus on the TTPs. But which IOC types and attributes (individually or combined) yield the best detection rate, maximize adversary attribution, offer the best deployment capability, advance incident investigations the most, etc.? Survey participants were asked to score each indicator type in each of three categories: Strength, Deployment Versatility, and Burnability.

Why IOC Types and Attributes? The reason is two-fold:

In 2014, I presented research comparing the published feeds of several top commercial threat intelligence providers and was amazed at how completely differently each provider leaned on the various indicator types and indicator attributes. If top-notch commercial vendors put their faith into various IOC types and attributes, I was curious to know how the operators and security practitioners viewed them.

And secondly, because indicator types and attributes are the fundamental entry point to an adversary’s tactics, techniques, and procedures (TTPs), they offer a brief but critical vantage point on an adversary’s attack logic. As threat intelligence teams find their intelligence lifecycle cadence, they are looking beyond the granular indicators of compromise and studying the adversary’s methodologies and tools to help strengthen security initiatives, speed up investigations, empower analysts to make more informed decisions, and maximize budgetary investments.

I have managed several medium-to-large SOC teams with vastly different resources, budgets, and capabilities, and as a result each team has prioritized indicator types and attributes completely differently. Less mature teams stick to fundamental IOC types including IPv4, FQDN, URL, and MD5 hashes, whereas more mature teams cast their analytical net much further in all directions, trending attackers’ email address syntax, user-agents, import hashes, and even email message-IDs to help identify a potential indicator pivot point or attack pattern. This relatively philosophical fascination drove me to develop the industry survey to gather feedback on how analysts (across job disciplines) approach indicator types and their respective TTP attributes.

See if the results align with your own viewpoints!

Co-Founder, ThreatQuotient