Tyler Wall

How to Determine the Shelflife of IOCs

Updated: Dec 8




Many threat intelligence companies are out there trying to sell you on the idea that they have the best threat intelligence indicators, and they will charge a fortune for them. In this KB, I want to make clear to you, as a future analyst, that most indicators have a shelf life of four hours on average. That's right, and you can't find this number anywhere on the internet because it is buried under years of marketing material saying indicators are good for much longer time frames. It used to be common knowledge. Even AI will tell you:

[Image: AI Overview of the Shelflife of IOCs]

This is not true. Here is how to determine the shelf life of IOCs, and why it's not true:


Let's start with IP addresses. Today, we use the cloud for most of our infrastructure, and so do the bad guys. They spin up infrastructure, launch attacks, and destroy it, and by the time you're analyzing the IP address in the SOC, it could belong to a completely different host. For IP addresses in modern cybersecurity, this window is even shorter than four hours. It is very easy to change what is served at a particular IP address.


Next, let's talk about domain names. Phishing campaigns often register spoofed or fat-fingered domains, launch an attack via email, and wait a little while for responses. Once they have a few, they redirect the domain to the legitimate domain. This window is often around four hours, but you can never be sure, because attackers today change what is served on a domain name in near real time. When you see command and control at a domain, many use dynamic DNS, so those domains also change rapidly.


File hashes are permanent. Once a file is hashed and on VirusTotal, that exact file hash will live in infamy for the rest of time, and you can verify its reputation. However, attackers use slight variants of malicious files so that each one has a completely different file hash. You can't say a file is safe just because it doesn't have a reputation on VirusTotal. You'll have to sandbox it yourself, and by the time those results are up, hackers will be using slight variants again with entirely different hashes. The AV game went behavioral for exactly this reason: it was too easy to bypass signature-based reputation checks. Changing a file to escape reputation checks, or putting one file inside another, is very easy.


Email addresses aren't good IOCs. It is trivial for an attacker to change the email address they are sending from.


This AI stuff is such a mess. AI will believe any marketing material if it is repeated long enough. I want you to remember that even the best threat intelligence goes stale exceptionally quickly, and the best and most reliable threat intelligence will always come from inside your own network.
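The following Python is an added example, not code from the article: it triages log events against an IOC feed using the shelf lives described above, measuring the gap between when the event happened and when the indicator was sighted, rather than when the analyst looks at it. The four-hour IP window is an assumed upper bound (the article only says it is shorter), and the feed, events, and field names are constructed.

```python
from datetime import datetime, timedelta, timezone

# Shelf lives from the article. None means the hash itself never expires.
# The IP value is an assumption: the article only says "shorter than four hours".
WINDOWS = {"ip": timedelta(hours=4), "domain": timedelta(hours=4), "sha256": None}

def triage(event, feed):
    """Return (verdict, reason) for one event checked against an IOC feed.

    event: {'type', 'value', 'time'}  time = when the activity occurred
    feed:  [{'type', 'value', 'seen'}] seen = when the IOC was observed malicious
    """
    kind = event["type"]
    if kind == "email":
        return ("ignore", "sender addresses are trivially changed")
    if kind not in WINDOWS:
        return ("ignore", "unsupported indicator type")
    hits = [i for i in feed if i["type"] == kind and i["value"] == event["value"]]
    if not hits:
        if kind == "sha256":
            # A variant has a new hash, so "no reputation" is not "clean".
            return ("unknown", "no reputation; sandbox the file")
        return ("no-match", "indicator not in feed")
    window = WINDOWS[kind]
    if window is None:
        return ("match", "file hash reputation does not expire")
    # Use the closest sighting to the event, in either direction.
    gap = min(abs(event["time"] - i["seen"]) for i in hits)
    if gap <= window:
        return ("match", f"event within {window} of a sighting")
    return ("stale", f"closest sighting is {gap} away; host may have changed")

# Constructed sample data (documentation IP range, reserved .test domain).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
FEED = [
    {"type": "ip", "value": "203.0.113.7", "seen": T0},
    {"type": "domain", "value": "login-example.test", "seen": T0},
    {"type": "sha256", "value": "ab" * 32, "seen": T0 - timedelta(days=400)},
]
EVENTS = [
    {"type": "ip", "value": "203.0.113.7", "time": T0 + timedelta(hours=1)},
    {"type": "ip", "value": "203.0.113.7", "time": T0 + timedelta(hours=9)},
    {"type": "domain", "value": "login-example.test", "time": T0 - timedelta(hours=3)},
    {"type": "sha256", "value": "ab" * 32, "time": T0},
    {"type": "sha256", "value": "cd" * 32, "time": T0},
    {"type": "email", "value": "billing@example.test", "time": T0},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["type"], e["value"][:20], triage(e, FEED))
```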





Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University and CISSP, CCSK, CFSR, CEH, Sec+, Net+, and A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, and ten online courses specifically for SOC analysts.

