

The InfoSec community is amazing at providing insight into ransomware and malware attacks. There are so many fantastic contributors who share indicators of compromise (IOCs) and all kinds of other data. Community members and vendors publish detailed articles on various attacks that have occurred. Usually these reports contain two different things: indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs).

Indicators of compromise – are some kind of evidence that an attack has occurred. This could be a malicious IP address or domain. These indicators are often shared throughout the community. You can hunt for IOCs on places like VirusTotal.

Tactics, techniques and procedures – describe the behaviour of how an attack occurred. These read more like a story of the attack. They are the ‘why’, the ‘what’ and the ‘how’ of an attack; for example, that execution was via exploiting a scheduled task on a machine. These are also known as attack or kill chains. The idea being that if you detected the attack earlier in the chain, the damage could have been prevented.

Using a threat intelligence source which provides IOCs is a key part of sound defence. If you detect known malicious files or domains in your environment then you need to react. There is, however, a delay between an attack occurring and these IOCs being available. Due to privacy, legal requirements or dozens of other reasons, some IOCs may never be public. New malicious domains or IPs can come online at any time.

That doesn’t make IOCs any less valuable. IOCs are still crucial and important in detection. We just need to pair our IOC detection with TTP/kill chain detection to increase our defence.
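As an added illustration of pairing the two detection types (this is not code from the original post), here is a small Python detector run over constructed sample events: an IOC match flags a host that resolved a domain already in a constructed intel feed, while a TTP rule catches a second host whose attacker used a domain the feed has not published yet, by spotting execution via a freshly created scheduled task. The domains, host names and event fields are assumptions.

```python
import re

# Constructed threat-intel feed: the IOCs known at detection time (assumed values).
KNOWN_BAD_DOMAINS = {"evil-update.example", "c2.badhost.example"}

# Constructed sample events, loosely modelled on DNS and process-creation logs.
# ws01 contacts a published IOC; ws02 contacts a domain not yet in the feed but
# shows the scheduled-task execution behaviour described in the post.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "dns", "query": "evil-update.example"},
    {"host": "ws01", "type": "process", "cmdline": "whoami"},
    {"host": "ws02", "type": "dns", "query": "fresh-c2.example"},
    {"host": "ws02", "type": "process",
     "cmdline": "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc minute"},
    {"host": "ws02", "type": "process", "cmdline": "C:\\Users\\Public\\u.exe"},
]

def ioc_matches(events):
    """IOC detection: hosts that resolved a domain from the intel feed."""
    return {e["host"] for e in events
            if e["type"] == "dns" and e["query"] in KNOWN_BAD_DOMAINS}

SCHTASKS_CREATE = re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)
TASK_TARGET = re.compile(r"/tr\s+(\S+)", re.I)

def ttp_matches(events):
    """TTP detection: a scheduled task is created on a host and the task's
    target binary is later executed on that same host (execution via scheduled
    task), regardless of whether any IOC is known."""
    hits, task_targets = set(), {}  # task_targets: host -> registered binaries
    for e in events:
        if e["type"] != "process":
            continue
        cmd = e["cmdline"]
        if SCHTASKS_CREATE.search(cmd):
            target = TASK_TARGET.search(cmd)
            if target:
                task_targets.setdefault(e["host"], set()).add(target.group(1).lower())
        elif cmd.lower() in task_targets.get(e["host"], set()):
            hits.add(e["host"])
    return hits

def detect(events):
    """Paired detection: every flagged host with the reason(s) it was flagged."""
    ioc, ttp = ioc_matches(events), ttp_matches(events)
    return {h: [r for r, s in (("ioc", ioc), ("ttp", ttp)) if h in s]
            for h in ioc | ttp}
```

IOC matching alone reports only ws01; the TTP rule adds ws02, whose C2 domain would only be caught by IOC matching once the feed catches up.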
