The speed, precision, timeliness, and relevance of Cyber Threat Intelligence (CTI) are crucial for protecting digital infrastructures and driving proactive responses against emerging cybersecurity threats. To me, CTI is an ART: it has to be Actionable, Reliable, and Timely.
One of the most critical components of CTI is indicators of compromise (IOCs). IOCs are crumbs of data or fingerprints (e.g., unusual IP addresses and web domains, unexpected network traffic, suspicious changes in file systems) left by adversaries in a previous cyberattack. These serve as invaluable clues for security professionals when detecting and tracing potential breaches or malicious activities in their own environments. Despite the on-paper benefits of IOCs, most cybersecurity professionals struggle to utilize them effectively.
Common Challenges Security Professionals Face with IOCs
Managing generic IOCs is challenging for both security professionals and Security Operations Centers (SOCs) for several reasons:
- Too noisy: Keeping up with the high volume of IOCs is challenging when security teams are already inundated with too many alerts. Security tools also struggle to compare IOCs with internal traffic because the process is extremely resource-intensive.
- Limited Context: Far too many IOCs are shared with little or no contextual information, making it difficult for cybersecurity professionals to analyze their significance or prioritize them.
- Don’t address specific threats: Generic IOCs aren’t tailored around a specific industry or geography. As a result, security teams miss out on critical threats unique to an organization’s infrastructure, industry, business use case, or compliance requirements.
- Limited operational value: Most IOCs get detected and shared later in the attack lifecycle (i.e., command and control). Threat actors have already evolved their methods by the time the intel reaches security teams.
Why Custom IOCs Make More Sense Than Generic IOCs
Mostly derived from threat intelligence, incident response investigations, or security assessments, custom IOCs are specific to an organization’s risk posture. They are typically categorized into four main types:
- Network-based IOCs, such as unusual IP addresses or port scans;
- Host-based, including suspicious processes or file modifications;
- File-based, like malicious file hashes or unusual file paths; and
- Behavioral IOCs, which encompass abnormal user or system behavior.
Security platforms and security service providers are known to subscribe to generic IOCs from various threat intelligence sources. However, these IOCs deliver fairly limited operational value for the above reasons.
Instead, it would make a whole lot more sense if the security platform or the SOC allowed security professionals to incorporate custom IOCs in their threat detection and hunting workflows. There are numerous benefits to this approach:
- Enhanced Threat Hunting
Custom IOCs are lower in volume, which means lower noise and false positives, better resource utilization, greater contextual awareness, and improved detection rates. By focusing on IOCs that matter most, security teams can significantly boost threat detection rates and lower threat response times.
- Targeted Threat Intelligence
Security teams can tailor their threat-hunting approaches around unique operational needs and emerging threats to ensure their threat intelligence is relevant, contextual, and timely. This enables them to adapt to emerging threats faster and identify potential risks that may not be covered by generic, out-of-the-box threat intelligence feeds.
- Boosted Supply Chain Security
By ingesting custom IOCs related to specific third parties, security teams can better manage vulnerabilities linked to external vendors, suppliers, and channel partners. Security teams can effectively monitor and identify the risks associated with the supply chain, thereby improving the overall security posture in the supply chain.
- Greater Alignment with Industry or Geographical Needs
Importing custom IOC lists (such as malicious IPs from a specific geography), other industry-specific feeds, and findings from internal investigations provides a more targeted solution for threats unique to an organization’s environment, geographical footprint, or threat landscape.
- Better Protection for Critical Infrastructure and Assets
As manufacturers and other critical infrastructure organizations embrace digitalization and adopt IoT and other smart technologies, they significantly expand their attack surface. Using custom IOCs, security teams can deploy targeted solutions to better detect and interpret signals or red flags in critical infrastructure assets or devices.
- Improved Adherence to Regulatory and Compliance Requirements
Custom IOCs provide a mechanism to address specific regulatory or compliance requirements. For example, custom IOCs that detect unauthorized logins or data exfiltration activities can help address threat detection requirements of frameworks such as PCI-DSS, GDPR, NIST, etc. This approach boosts security and provides improved analytics and reporting, enabling organizations to prove compliance during audits.
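As an added illustration of the workflow the list above describes (not code from the original article), the following Python example loads custom IOCs of the four types named earlier, keeps the context, source, confidence and expiry attached to each one, and matches them against a handful of constructed log events. The record layout, field names, the behavioral-rule registry and every sample value (IP ranges, hash, process name, case identifiers) are assumptions invented for this example; expired indicators are dropped before matching, and hits come back ranked by analyst-assigned confidence so the highest-context indicators surface first.

```python
"""Added example: a small custom-IOC matcher with context, expiry and ranking.

All record layouts, field names and sample values below are constructed for
illustration; none come from the article or from any real feed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

IOC_TYPES = ("network", "host", "file", "behavioral")

# Behavioral IOCs are named predicates over a normalised event (assumed layout).
BEHAVIORS = {
    "logon_outside_hours": lambda e: e.get("action") == "logon" and not 8 <= e["ts"].hour < 18,
    "large_outbound_transfer": lambda e: e.get("bytes_out", 0) > 500_000_000,
}


@dataclass(frozen=True)
class Ioc:
    ioc_type: str      # one of IOC_TYPES
    value: str         # IP/CIDR, domain, process name, file hash/path, or behavior name
    source: str        # where the indicator came from (IR case, internal assessment, ...)
    confidence: int    # 0-100, analyst-assigned
    expires: datetime  # indicators age out; stale ones are never matched
    context: str       # why this indicator matters to *this* organization


def load_iocs(rows):
    """Validate raw rows (dicts) and turn them into Ioc objects."""
    iocs = []
    for row in rows:
        if row["type"] not in IOC_TYPES:
            raise ValueError(f"unknown IOC type: {row['type']}")
        if not 0 <= row["confidence"] <= 100:
            raise ValueError("confidence must be in 0..100")
        if row["type"] == "behavioral" and row["value"] not in BEHAVIORS:
            raise ValueError(f"unknown behavior: {row['value']}")
        iocs.append(Ioc(row["type"], row["value"], row["source"],
                        row["confidence"], row["expires"], row["context"]))
    return iocs


def _ip_in(network, ip):
    """True if ip lies in the IOC's address or CIDR range; non-addresses never match."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def _matches(ioc, event):
    """Return True if one normalised event hits the IOC, per IOC type."""
    v = ioc.value.lower()
    if ioc.ioc_type == "network":
        return (any(_ip_in(v, event.get(k, "")) for k in ("src_ip", "dst_ip"))
                or event.get("domain", "").lower() == v)
    if ioc.ioc_type == "host":
        return event.get("process", "").lower() == v
    if ioc.ioc_type == "file":
        return event.get("sha256", "").lower() == v or event.get("path", "").lower() == v
    return BEHAVIORS[ioc.value](event)


def scan(events, iocs, now):
    """Match every live (unexpired) IOC against every event; rank hits by confidence."""
    live = [i for i in iocs if i.expires > now]
    hits = []
    for event in events:
        for ioc in live:
            if _matches(ioc, event):
                hits.append({"event_id": event["id"], "type": ioc.ioc_type, "ioc": ioc.value,
                             "confidence": ioc.confidence, "source": ioc.source,
                             "context": ioc.context})
    hits.sort(key=lambda h: h["confidence"], reverse=True)
    return hits


# Constructed sample data (fictional ranges, hash, names and case ids).
NOW = datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc)  # 03:00 UTC, outside business hours
SAMPLE_IOCS = [
    {"type": "network", "value": "203.0.113.0/24", "source": "IR case IR-2024-017 (constructed)",
     "confidence": 90, "expires": NOW + timedelta(days=30), "context": "C2 range from last quarter's intrusion"},
    {"type": "file", "value": "a" * 64, "source": "internal assessment (constructed)",
     "confidence": 80, "expires": NOW + timedelta(days=30), "context": "dropper hash seen on finance laptop"},
    {"type": "host", "value": "svch0st.exe", "source": "threat hunt (constructed)",
     "confidence": 70, "expires": NOW + timedelta(days=30), "context": "lookalike process name used by actor"},
    {"type": "behavioral", "value": "logon_outside_hours", "source": "compliance control (constructed)",
     "confidence": 60, "expires": NOW + timedelta(days=365), "context": "service accounts never log on at night"},
    {"type": "network", "value": "198.51.100.7", "source": "generic feed (constructed)",
     "confidence": 40, "expires": NOW - timedelta(days=1), "context": "stale: already expired"},
]
SAMPLE_EVENTS = [
    {"id": 1, "ts": NOW, "src_ip": "10.0.0.5", "dst_ip": "203.0.113.44"},
    {"id": 2, "ts": NOW, "process": "svch0st.exe", "path": "c:\\users\\public\\svch0st.exe"},
    {"id": 3, "ts": NOW, "action": "logon", "user": "svc-backup"},
    {"id": 4, "ts": NOW, "dst_ip": "198.51.100.7"},   # only matches the expired IOC: no hit
    {"id": 5, "ts": NOW, "sha256": "a" * 64},
]


def demo():
    """Run the constructed IOCs over the constructed events and return ranked hits."""
    return scan(SAMPLE_EVENTS, load_iocs(SAMPLE_IOCS), NOW)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Event 4 produces no alert because its only matching indicator has expired, which is the timeliness point made above: an indicator without a lifetime keeps generating noise long after the actor has moved on. Each hit also carries the source and context fields, so an analyst sees why the indicator was added rather than a bare IP or hash.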
To conclude, attacker tactics, techniques, and procedures (TTPs) constantly evolve. Generic IOCs cannot be seriously effective in mitigating organization-specific threats. The ability to internalize and operationalize customized threat intelligence as part of a holistic security system is no longer a luxury; it’s a necessity.