Feb 05, 2022 3 min read Threat Intelligence

IOCs aren't for blocking - they are for control validation

There is a misconception out there that security departments should be ingesting feeds of Indicators of Compromise (IOCs) and loading them into firewalls, endpoint software, and proxy configurations as soon as possible. This perception is amplified by product marketing focused on the task, and it's easy to get caught up in the idea that this is our mission.

By the time an IOC has been published in an intelligence report, there is a high likelihood it has been neutralized. Imagine a command & control URL koolkidz.club/evil.php serving a breaking 0-day vulnerability. You might read about it in the appendix of an intelligence write-up and consume it in an automated structured feed. But should you invest effort into automating the extraction of this data point and blocking it in your proxies, endpoints, DNS, decrypting firewalls, and more?

First, think about the research cycle that detected this IOC. Someone - at least a honeypot - got popped with this callback. For it to get into the IOC documentation pipeline, it means a security responder found it during incident response or analysis. What happened then? Did they just go to work on your pdf report and email all their customers the next morning? It's more likely that actual response was taken, the domain, infrastructure, or network/cloud provider notified, and the domain/URL taken down. Unless you are receiving an IOC in a highly-classified government briefing about an ongoing attack (not in your automated feed), you are eating up memory in your devices by pre-loading this ever-expanding list of almost-certainly-already-neutralized domains, IP addresses, hashes, URLs, and more. Maybe that's why your security tools aren't really in blocking mode, but "will be in just a few weeks once you work out those last performance issues". Sound familiar?

So what's the value of IOCs, then? It isn't in automated loading into blocking tools. Rather, the value is in evaluating the broad, long-lasting control settings you arrived at calmly and rationally. Would koolkidz.club resolve in your environment? If so, consider blocking the entire .club top level domain. Maybe it was registered last week. Consider blocking all domains registered in the past 30 days. Maybe it was well-seasoned (registered long ago but only activated recently) but is delivered via a phishing campaign. Consider blocking domains that come in via email but have never been previously queried in your environment. Focus on reactions that will block future related tradecraft. NOT the IOC in your hand. It's stale, and blocking it explicitly and moving on will only guarantee you've missed the opportunity to block tomorrow's variant. The best security researchers sharing threat intelligence in trust groups aren't just sharing atomic indicators, but accompanying them with YARA and similar logical models that regression test well to block the IOC, but are designed broadly to catch entire attack patterns. Those models were often built long before the IOC arrived.

So what about automating queries for previous lookups out of your environment? Now that's a different story. If you can tell that someone resolved koolkidz.club in your environment last week - before the intelligence report was created and disseminated - you are on to something. This behavior is not eating up memory across your estate and chewing up cycles waiting for history to repeat itself. It's far more efficient and sustainable to run single one-time historical queries on ingestion (and in passive tools that cannot impact business productivity) than to load up reactionary blocks.

Let's avoid letting external misconceptions about what security departments do all day become self-fulfilling. A focus on long-term healthy controls that will block tomorrow's attacks is far more vital than chewing up cycles blocking yesterday.