Revisiting the Indicator: Towards a Threat Intelligence Ontology

SANS Digital Forensics and Incident Response

"Indicators" or "Indicators of Compromise" (IOCs) form the common currency of threat intelligence communication and, at times, application. Yet further examination of the concept of "the indicator" reveals significant fuzziness around what the term actually means in definition or subsequent use. Some might feel this is mere nit-picking, but confusion and conflation surrounding the use of the word "indicator" has effectively set back the threat intelligence discipline and led to suboptimal outcomes in using intelligence concepts.

In this session, we will examine the concept of the indicator rigorously from the perspective of threat intelligence research and communication. We will distinguish between mere data, observations of interest, and indicators of threat actor activity in a way that lets us recognize different tiers of certainty and applicability for threat intelligence.

After illustrating with examples differentiating between indicators as "mere data" and indicators as "composite objects yielding insight to adversary behavior," the session will conclude with a proposed definition of the indicator as a robust, enriched object around which analysts and researchers must exert more care. Treading carefully around the use and labeling of observations as "indicators" will clarify intelligence applications and facilitate easier, more direct action resulting from such analysis - moving beyond the mere "block and alert" approach to more robust understanding of underlying adversary activity. As a result, we will bridge the seemingly impossible chasm between technical indicators and adversary behaviors.
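The three tiers the abstract describes (mere data, observations of interest, and composite indicators tied to adversary behavior) can be made concrete as a small data model and a matching rule. The following is an added example written for this page, not the speaker's code or any SANS material; the tier names, the `Indicator` fields, the `min_components` co-occurrence rule, and the sample telemetry (TEST-NET-3 address, a made-up process name) are all constructed assumptions for illustration. The point it demonstrates is that a single atomic observable hit is only an observation to triage, while the composite object, which requires several components to co-occur on one host and carries a behavior description and confidence, is what supports action beyond "block and alert".

```python
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical tiered model, constructed for this example (not the speaker's own code).


@dataclass(frozen=True)
class Observable:
    """Tier 1, 'mere data': a value with no claim attached (an IP, a hash, a process name)."""
    kind: str
    value: str


@dataclass(frozen=True)
class Observation:
    """Tier 2, 'observation of interest': an observable plus where and by what sensor it was seen."""
    observable: Observable
    host: str
    source: str


@dataclass(frozen=True)
class Indicator:
    """Tier 3: a composite object tying several observables to a described adversary behavior.

    A host only 'matches' when at least `min_components` distinct components are seen on it,
    so one atomic hit never promotes itself to an indicator match on its own.
    """
    name: str
    behavior: str
    components: frozenset  # set of Observable
    confidence: float      # analyst-assigned, 0.0 to 1.0
    min_components: int = 2


# Constructed sample telemetry; 203.0.113.0/24 is the RFC 5737 documentation range.
EVENTS = [
    {"host": "ws-01", "kind": "ipv4", "value": "203.0.113.7", "source": "proxy"},
    {"host": "ws-01", "kind": "process", "value": "stager.exe", "source": "edr"},
    {"host": "ws-02", "kind": "ipv4", "value": "203.0.113.7", "source": "proxy"},
    {"host": "ws-03", "kind": "ipv4", "value": "198.51.100.20", "source": "proxy"},
]

# Hypothetical composite indicator: a connection to a suspected C2 address followed by
# execution of a staging binary on the same host.
STAGING = Indicator(
    name="staging-over-c2",
    behavior="second-stage payload retrieved from suspected C2 address and executed",
    components=frozenset({
        Observable("ipv4", "203.0.113.7"),
        Observable("process", "stager.exe"),
    }),
    confidence=0.8,
)


def sightings(indicator: Indicator, events) -> Dict[str, List[Observation]]:
    """Tier 1 -> Tier 2: turn raw events that touch any component into per-host observations."""
    by_host: Dict[str, List[Observation]] = {}
    for ev in events:
        obs = Observable(ev["kind"], ev["value"])
        if obs in indicator.components:
            by_host.setdefault(ev["host"], []).append(Observation(obs, ev["host"], ev["source"]))
    return by_host


def assess(indicator: Indicator, events) -> Dict[str, str]:
    """Tier 2 -> Tier 3: a host is an 'indicator_match' only when enough distinct components
    co-occur on it; a lone component hit stays an 'observation' to enrich, not something to block on.
    Hosts that touch no component are not reported at all."""
    verdicts: Dict[str, str] = {}
    for host, obs in sightings(indicator, events).items():
        distinct = {o.observable for o in obs}
        verdicts[host] = (
            "indicator_match" if len(distinct) >= indicator.min_components else "observation"
        )
    return verdicts


def recommended_action(indicator: Indicator, verdict: str) -> str:
    """Map a verdict to the kind of response it can justify."""
    if verdict == "indicator_match":
        return f"escalate: behavior '{indicator.behavior}' (confidence {indicator.confidence})"
    return "triage: single observable seen, enrich with context before acting"


if __name__ == "__main__":
    for host, verdict in assess(STAGING, EVENTS).items():
        print(host, verdict, "->", recommended_action(STAGING, verdict))
```

Running it reports ws-01 as an indicator match (both components co-occur) and ws-02 as a bare observation (the address alone), while ws-03 is not reported because it matches nothing. The same IP address therefore produces two different tiers of certainty depending on the surrounding observations, which is the distinction the abstract argues the word "indicator" currently blurs.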

Speaker: Joe Slowik

View upcoming Summits: SANS Cyber Threat Intelligence Summit 2024
