Connect with us

Hi, what are you looking for?


Incident Response

Do Indicators of Compromise Matter? The Devil is in the Details

Instead of Discounting Indicators of Compromise, it’s Time to Use Them More Effectively

Instead of Discounting Indicators of Compromise, it’s Time to Use Them More Effectively

The security industry has shifted from focusing on just signatures to include Indicators of Compromise (IoCs) as well. This is because in many ways IoCs are more portable, simplistic and compatible across many different detection platforms. However, during this shift IoCs have gotten a bum rap. It’s easy to see how this has happened – indicators can sometimes be just pieces of data without context. Security professionals are struggling to make sense of data, and wondering where to find real value as they strive to secure their environment.

What most security professionals really want are insights into the adversaries themselves – the tools as well as the tactics, techniques and procedures (TTPs) they’re using – to strengthen defenses and make life much more difficult for the bad guys. But this level of information often isn’t handed to you on a silver platter. As the saying goes, “the devil is in the details.” In this case, the details are the IoCs. Let me explain…

Many companies now find themselves with a fragmented security infrastructure, including 40+ security products each operating within its own silo. Because these products aren’t integrated, each layer in the architecture creates its own logs and events, generating a massive amount of data. System logs are rife with bad IP addresses and domain names that might reveal communication back to a command and control server, exfiltration of data or illegitimate services; hash values that can correspond to specific or malicious files; and network and endpoint artifacts pointing to an adversary. All of these indicators can reveal malicious behavior, but security analysts struggle to know what to look for and what to investigate first.

This is where the continued importance of IoCs is demonstrated. IoCs are the lowest common denominator of all these disparate logs and the way to actually tie things together and make sense of all the output from all your different security tools. They also allow you to build a bigger picture; you can pivot from an indicator to an adversary or campaign that provides more insight into what is truly happening in your environment.

For example, you see an IP address that you don’t recognize. You need more information about it, so you gather all of the related data you can across external threat intelligence sources. Through this analysis, you may discover that the IP address is tied to a particular campaign or adversary. So you decide to gather more intelligence about the campaign or adversary to understand the TTPs they may be employing and other related indicators. In this example let’s assume, for simplicity, that this particular adversary has 21 different indicators tied to it. You have already seen one, so it makes sense to look for the other 20 within your environment. Lo and behold, you find another 10 indicators. Chances are you have been compromised by this adversary. And now you have 10 other indicators that you can send proactively to harden your security infrastructure and protect against that adversary.

As you can see from this example, IoCs are vital for successful investigation and protection. But you need a repository to tie together the data that is generated from all your disparate internal systems with data from all of your external threat feeds and enrich it with context. Otherwise indicators remain noise – and that’s why they have a bum rap.

A threat intelligence platform (TIP) allows you to aggregate and normalize threat and event data and then correlate it and apply context. Now that you have IoCs that provide valuable insights, you can use them to pivot to TTPs and the adversaries themselves. With a broader view of related indicators that could signal adversary activity, you can gather more conclusive evidence that your organization has been compromised. And with a deeper understanding of the methods the adversary employs, you can stop malicious activity more quickly and prevent similar attacks in the future.

Advertisement. Scroll to continue reading.

There are very valid reasons for the shift from signatures alone to include IoCs. Unfortunately, in the process security teams have become inundated with data from their various security logs and multiple threat feeds, some from commercial sources, some open source, some industry and some from their existing security vendors. All of this data provide tremendous value, but it’s often untapped. Instead of discounting IoCs, it’s time to use them more effectively – and to the detriment of your adversaries.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.