Indicators of compromise – wasting resources, revealing too much or following false flags?


Presented at BSidesZurich 2016 by

Sharing indicators of compromise (IOCs) is a common way of fighting APTs; however, irrespective of how quickly they are obtained or how many are available, they are steadily losing their value. Advanced attackers changed their methods and tactics long ago, wherever it was necessary. They use unique C&C servers and freshly compiled malware for each target, which renders the sharing of most IOCs useless, at very little cost to the attacker. On the other hand, publishing such IOCs reveals the researcher's knowledge about the attack to everyone: attackers can learn whether their campaign has been uncovered, and sometimes even how to improve their broken attack code. Should we therefore not publish data at all? Furthermore, how can you be sure that the attackers did not deliberately plant a file which would lead you to believe that the culprits were… (*rolling attribution dice*)… the Chinese? How can you be sure that you are not mixing IOCs from multiple attack groups that have all compromised your servers? This talk will try to explain where IOCs might still be useful and how they can be combined with other threat intelligence data to make them more reliable. Supported by real-world examples and statistics from our own analysis of current attacks, we will illustrate various cases and discuss strange artifacts that we have seen.
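As an added illustration of the two problems the abstract raises (per-target indicators that never recur, and indicators whose sightings carry conflicting attribution), the script below scores a feed of IOC sightings by how many distinct victims and how many attribution labels each indicator has. This is example code written for this page, not material from the talk or its authors; the sighting records, organisation names, group labels and the three categories are constructed assumptions.

```python
"""
Score shared IOCs by recurrence across victims and by attribution consistency.

Added example, not from the talk. Every record below is constructed; the
category names and the rule that maps counts to categories are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ioc_type: str   # e.g. "ip", "domain", "sha256", "imphash", "mutex"
    value: str
    victim: str     # organisation that observed the indicator
    group: str      # attribution label the reporting analyst attached


@dataclass(frozen=True)
class Score:
    ioc_type: str
    category: str        # "single-use", "reusable" or "ambiguous"
    victims: int         # distinct victims the indicator was seen at
    groups: frozenset    # distinct attribution labels attached to it


# Constructed sample feed (not real data). The C&C addresses and the
# sample hashes were unique per target, so they recur nowhere; an import
# hash and a mutex name were left unchanged between intrusions and recur.
# The mutex arrives with two different attribution labels.
SIGHTINGS = [
    Sighting("ip", "198.51.100.7", "bank-a", "group-x"),
    Sighting("sha256", "a1" * 32, "bank-a", "group-x"),
    Sighting("ip", "203.0.113.9", "telco-b", "group-x"),
    Sighting("sha256", "b2" * 32, "telco-b", "group-x"),
    Sighting("imphash", "9f0c1d2e", "bank-a", "group-x"),
    Sighting("imphash", "9f0c1d2e", "telco-b", "group-x"),
    Sighting("mutex", "Global\\SvcUpd", "bank-a", "group-x"),
    Sighting("mutex", "Global\\SvcUpd", "ngo-c", "group-y"),
    Sighting("domain", "cdn-update.example", "ngo-c", "group-y"),
]


def score_iocs(sightings):
    """Return {indicator value: Score} for every indicator in the feed.

    An indicator reported under more than one attribution label is marked
    "ambiguous": either two groups really share it, the label was guessed, or
    one of the sightings was planted. One label and several victims is
    "reusable": the attacker did not rotate it, so sharing it has value.
    One victim is "single-use": a per-target artifact the attacker can
    replace at almost no cost.
    """
    victims = defaultdict(set)
    groups = defaultdict(set)
    types = {}
    for s in sightings:
        victims[s.value].add(s.victim)
        groups[s.value].add(s.group)
        types[s.value] = s.ioc_type

    scored = {}
    for value, seen_at in victims.items():
        labels = frozenset(groups[value])
        if len(labels) > 1:
            category = "ambiguous"
        elif len(seen_at) > 1:
            category = "reusable"
        else:
            category = "single-use"
        scored[value] = Score(types[value], category, len(seen_at), labels)
    return scored


def worth_sharing(scored):
    """Indicators that recurred across victims under one consistent label,
    most widely seen first. Single-use and ambiguous indicators are held back
    until they are corroborated by other intelligence."""
    return sorted(
        (v for v, sc in scored.items() if sc.category == "reusable"),
        key=lambda v: -scored[v].victims,
    )


if __name__ == "__main__":
    result = score_iocs(SIGHTINGS)
    for value, sc in sorted(result.items(), key=lambda kv: kv[1].category):
        print(f"{sc.category:<11} {sc.ioc_type:<7} victims={sc.victims} "
              f"groups={sorted(sc.groups)} {value[:20]}")
    print("share:", worth_sharing(result))
```

The point of the "ambiguous" bucket is the one the abstract makes about planted files and mixed intrusions: an indicator carrying two labels is not evidence for either attribution until the conflicting sightings have been examined, so it should neither be shared as a group signature nor used on its own to pick the culprit.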