In Defense of Threat Intel Feeds

Useless IOCsBeyond being just a great resource on where to gather your own open source intelligence, @da_667‘s recent post makes a great point at the end in defense of the so called “easy” indicators (e.g., hash values, IP addresses, and domain names) in the popular Pyramid of Pain model.

Many of us poo poo these indicators and the free and commercial feeds that deliver them as useless to us advanced researchers trying to stop nation-state attacks. We have to remember, however, that not everyone is trying to identify and defend against these types of adversaries. The vast majority are just trying to stop the more mundane attacks from happening. And feeds with hashes, IPs, and domain names work well in these situations.

A word of caution though against using these feeds blindly… A tremendous amount of the data provided will result in false-positives. You need to be very picky in the exact data you choose to incorporate into your defenses in order to get the most out of them. Without such care — as @JohnLaTwC once said — “your threat intel solution [will feel] like more of a threat intel problem” generating too many useless alerts to chase down.

Anyway, below is @da_667 saying the same thing in much more colorful and entertaining language. And be sure to read his full post on where to find OSINT here.

One last note before we go tonight: A lot of cyber warriors and cyber experts will defer to the “pyramid of pain” and tell you that IPs, Domains and Hashes are useless. Most of these assholes have never had to work in a SOC or have seen the results of cryptowall and/or other malware infections before in their goddamn lives. They’re so focused on trying to find nation-states in their backyard, they’re forgetting about ransomware and other common threats. Use the IOCs, block the badness, and piss of the bad guys. You’re the first and last line of defense between the bad guys and your users. You don’t need some cyber expert shitting on you trying to do what is already an insurmountable and/or Sisyphean goal to begin with. Do what comes natural; I just want to help you succeed.


Today’s post pic is from @JohnLaTwC. See ya!

3 comments for “In Defense of Threat Intel Feeds

  1. February 19, 2016 at 12:05 am

    BLOGGED: In Defense of Threat Intel Feeds

  2. February 19, 2016 at 8:53 am

    In Defense of #ThreatIntel Feeds – succinct and a lot of truth to it in the challenges I hear

  3. February 19, 2016 at 10:00 am

    The one where @grecs refs @JohnLaTwC’s “your threat intel solution feels like more of a threat intel problem” quote.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.