Composite Objects and Constellations

Okay, to start off, if you haven’t seen Joe Slowik’s RSA 2022 presentation, you should stop now and go watch it. Joe does a great job of explaining and demonstrating why IOCs are truly composite objects, that there’s much more to an IP address than just it being…well…an IP address. When we start thinking in these terms, in terms of context, the IOCs we see and share can become much more actionable. 

Why does any of this matter? Once, in a DFIR consulting firm far, far away, our team was working PCI forensics investigations, and Visa was sending us monthly lists of IOCs that we had to search for during every case. We’d get three lists…one of file names, one of file paths, and one of hashes. There was no correlation between the various lists, nothing like, “…a file with this name and this hash existing in this folder…”. Not at all. Just three lists, without context. Not entirely helpful for us, and any hits we found could be similarly lacking in any meaning or context…”hey, yeah, we found that this folder existed on one system…”, but nothing beyond that was asked for, nor required. The point is that an IOC is often more than just what we see at face value…a file has a hash, a time frame during which it existed on the system (or was seen on other systems), functionality associated with the file (if it’s an executable file), etc. Similarly, an IP address is more than just four dot-separated octets…there’s the time frame it was associated with an endpoint, the context with respect to how it was associated with the endpoint (was

[…]
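To make the "three lists versus one composite object" distinction concrete, here is an added example that is not code from the original post or from Joe Slowik's presentation. It compares matching endpoint file observations against three uncorrelated attribute lists (names, folders, hashes) with matching them against a single composite file indicator that carries its name, folder, hash and the window in which it was known to be active. The hostnames, hash values, paths and dates are constructed placeholders, and `FileObservation`, `CompositeFileIOC` and the function names are assumptions made for the illustration.

```python
"""Composite IOC matching versus uncorrelated attribute lists.

Added illustration, not from the original post. All hosts, hashes,
paths and timestamps below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Tuple

# Constructed placeholder hashes (64 hex chars, not real file hashes).
BAD_HASH = "aa" * 32
LEGIT_HASH = "bb" * 32
OTHER_HASH = "cc" * 32


@dataclass(frozen=True)
class FileObservation:
    """What a collector recorded about one file on one endpoint."""
    host: str
    folder: str
    name: str
    sha256: str
    first_seen: datetime
    last_seen: datetime


@dataclass(frozen=True)
class CompositeFileIOC:
    """A file indicator that carries its own context: name, folder, hash
    and the time frame during which it was known to be active."""
    name: str
    folder: str
    sha256: str
    active_from: datetime
    active_to: datetime


def flat_hits(observations: List[FileObservation], names: List[str],
              folders: List[str], hashes: List[str]) -> List[Tuple[str, str]]:
    """Emulate three uncorrelated lists: a match on ANY single attribute is a
    hit. Each result is (host, attribute), which is all such a hit can say."""
    name_set = {n.lower() for n in names}
    folder_set = {f.lower() for f in folders}
    hash_set = {h.lower() for h in hashes}
    hits = []
    for o in observations:
        if o.name.lower() in name_set:
            hits.append((o.host, "name"))
        if o.folder.lower() in folder_set:
            hits.append((o.host, "folder"))
        if o.sha256.lower() in hash_set:
            hits.append((o.host, "hash"))
    return hits


def composite_matches(observations: List[FileObservation],
                      iocs: List[CompositeFileIOC]) -> List[Tuple[str, FrozenSet[str], bool]]:
    """For each (observation, indicator) pair, report which facets agree.
    A full hit needs every facet, including overlap with the activity window;
    partial agreement is kept so an analyst can triage it with that context."""
    results = []
    for o in observations:
        for i in iocs:
            facets = {
                "name": o.name.lower() == i.name.lower(),
                "folder": o.folder.lower() == i.folder.lower(),
                "hash": o.sha256.lower() == i.sha256.lower(),
                # Observation lifetime overlaps the indicator's known window.
                "window": o.first_seen <= i.active_to and o.last_seen >= i.active_from,
            }
            matched = frozenset(k for k, v in facets.items() if v)
            if matched:
                results.append((o.host, matched, len(matched) == len(facets)))
    return results


def full_hits(observations: List[FileObservation],
              iocs: List[CompositeFileIOC]) -> List[str]:
    """Hosts where an observation agrees with an indicator on every facet."""
    return [host for host, _, full in composite_matches(observations, iocs) if full]


# Constructed indicator: a renamed binary dropped in a temp folder during March 2022.
IOC = CompositeFileIOC("svchost.exe", r"C:\Windows\Temp", BAD_HASH,
                       datetime(2022, 3, 1), datetime(2022, 3, 31))

# Constructed endpoint observations covering full, partial and no-context cases.
OBSERVATIONS = [
    FileObservation("ws01", r"C:\Windows\Temp", "svchost.exe", BAD_HASH,
                    datetime(2022, 3, 10), datetime(2022, 3, 12)),      # genuine hit
    FileObservation("ws02", r"C:\Windows\System32", "svchost.exe", LEGIT_HASH,
                    datetime(2022, 3, 5), datetime(2022, 3, 20)),       # legitimate binary
    FileObservation("ws03", r"C:\Windows\Temp", "report.docx", OTHER_HASH,
                    datetime(2022, 3, 1), datetime(2022, 3, 2)),        # folder only
    FileObservation("ws04", r"C:\Windows\Temp", "svchost.exe", BAD_HASH,
                    datetime(2021, 1, 1), datetime(2021, 1, 2)),        # outside the window
]

if __name__ == "__main__":
    print("flat list hits:", flat_hits(OBSERVATIONS, ["svchost.exe"], [r"C:\Windows\Temp"], [BAD_HASH]))
    print("composite full hits:", full_hits(OBSERVATIONS, [IOC]))
    for host, facets, full in composite_matches(OBSERVATIONS, [IOC]):
        print(host, sorted(facets), "FULL" if full else "partial")
```

Run as a script, the flat-list approach flags all four hosts (eight attribute hits with no relationship between them), while the composite indicator yields one full hit on ws01 and reports the other three as partial matches with the facets that did and did not agree, which is the context an analyst needs to decide whether ws04's out-of-window copy deserves a closer look.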

This article has been indexed from Windows Incident Response
