IOCs vs. IOAs — How to Effectively Leverage Indicators


Cybersecurity teams are consistently tasked with identifying cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. In doing so, cybersecurity practitioners and operational teams commonly struggle to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) in an effective monitoring, detection and response strategy.


Inexperienced security teams and leaders tend to establish a catch-all approach, in which quantity outweighs quality in the effort to stop the next perceived intrusion attempt. Unfortunately, this strategy rarely provides an operational edge and greatly hinders operational readiness.


Obtaining a better understanding of indicators, their intent, and how to better leverage them within your environment is essential to driving good security practices and providing enablement, not hindrance, to your analysts. This article will highlight some key aspects concerning indicators of compromise, indicators of attack, and how to best leverage them together in order to support your organization.


IOCs' Current Role and Pitfalls


How could having hundreds of thousands of IOCs hinder readiness, you may ask? An analyst's role is to sift through the noise and identify adversarial behavior; IOCs, however, are point-in-time artifacts. They are constantly changing and reappearing in different ways across networks, and they rarely align with the event that caused these artifacts to become indicators in the first place.


IOCs are typically provided through feeds, which lack standardization for contextual information and indicator age, and sometimes lack source data entirely. The result is an unclear indication that often causes confusion and a poor understanding of the potential threat. Unclear indications can lead to a multitude of issues, including high volumes of false-positive alerts that drive analyst fatigue, or system resource issues due to lar ..
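One way to keep point-in-time IOCs from flooding analysts is to score each feed record by age, source and context before it is allowed to alert. The following is an added example, not code from the article; the feed records and their field names (value, type, last_seen, source, context) are constructed here and do not reflect any real vendor schema.

```python
"""IOC triage with age decay and context scoring.

Added example: feed records are constructed inline, and the field names
are an assumed schema rather than a real feed format.
"""
from datetime import datetime, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducible results

# Constructed sample feed: one fresh indicator with full context, one stale
# indicator with no context, and one with neither age nor source.
FEED = [
    {"value": "198.51.100.23", "type": "ipv4", "last_seen": "2024-05-30",
     "source": "internal-ir", "context": "C2 beacon observed in IR case"},
    {"value": "203.0.113.7", "type": "ipv4", "last_seen": "2022-01-10",
     "source": "vendor-feed", "context": ""},
    {"value": "example.invalid", "type": "domain", "last_seen": None,
     "source": "", "context": ""},
]

def age_days(rec, now=NOW):
    """Days since the indicator was last observed; None when the feed omits it."""
    if not rec.get("last_seen"):
        return None
    seen = datetime.strptime(rec["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - seen).days

def score(rec, now=NOW, half_life_days=30):
    """0..100 confidence: halves every half_life_days, penalised for missing source/context."""
    age = age_days(rec, now)
    if age is None:
        base = 20.0                      # no observation date: start low
    else:
        base = 100.0 * 0.5 ** (age / half_life_days)
    if not rec.get("source"):
        base *= 0.5                      # unattributed indicator
    if not rec.get("context"):
        base *= 0.7                      # no description of the associated activity
    return round(base, 1)

def triage(feed, now=NOW, alert_threshold=50, enrich_threshold=5):
    """Route each indicator: 'alert' (page an analyst), 'enrich' (annotate only) or 'expire' (drop)."""
    out = {}
    for rec in feed:
        s = score(rec, now)
        out[rec["value"]] = "alert" if s >= alert_threshold else "enrich" if s >= enrich_threshold else "expire"
    return out
```

Only the fresh, attributed, contextualised indicator reaches the alert tier; the two-year-old one expires even though it names a source, and the undated, unattributed one is kept only to annotate matching events.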
