The latest installment of our STEEP#MAVERICK emulation series features an Indicator of Compromise (IOC) testing plan that covers known domain names and IP addresses used by the threat actor at the time of publication.
When IOCs come up in threat intelligence discussions, someone is quick to point out that not all indicators are created equal and some are far more valuable than others. David Bianco makes this case in his Pyramid of Pain, and my colleague Chris Peacock expands on it in his article Summiting the Pyramid of Pain: The TTP Pyramid. Hash values, IP addresses, and domain names are all trivial for an adversary to change. The goal is to reach the apex of the TTP pyramid, procedures: cyber threat intelligence, red team emulation, and detection engineering are all most effective when the available reporting describes the adversary at the procedural level.
Does this mean IOC feeds and detections have no value? We at SCYTHE Advanced Emulation Services (AES) think otherwise. Knowing where you stand is, after all, a cornerstone of what SCYTHE does, and we enable this kind of validation by taking a sampling of indicators relevant to a particular adversary and generating network traffic to them that your controls can alert on. A recent video from this year’s Wild West Hackin’ Fest featuring John Strand and our CEO, Bryson, addresses stale IOCs and how trivially they can be altered (skip to 19:45). We aren’t disagreeing with them; we wholeheartedly agree, but we approach the problem from a different perspective.
IOC testing gives an organization a clearer picture of what its coverage actually looks like. Take STEEP#MAVERICK as an example: the Securonix report was published on September 27, 2022, almost six weeks before the release of our emulation plan. Your security control vendors (antivirus, firewall, EDR, and so on) have hopefully been updating their products with the IOCs captured in that report and other recent threat intelligence. If you run this emulation and miss a detection or an alert for any of these known malicious IP addresses or domain names, then you know your controls are more than a month out of sync with publicly available threat intelligence.
If you don’t get alerts, it might not be the vendor’s fault. It is possible that the vendor has not yet processed these publicly available IOCs. But it’s also possible that your security controls are not actively updating (maybe due to change control issues). Another possibility is that the controls are up to date, but something in your critical path for security alerting has delayed or suppressed these detections. No matter the cause, running regular IOC testing plans confirms whether your security controls are operating as expected and updated with timely threat intelligence.
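The check described in the two paragraphs above, as an added example (not code from SCYTHE's emulation plan): a small Python harness that generates DNS lookups and TCP connection attempts for a list of known-bad indicators, then joins those attempts against an alert export from your SIEM or EDR to report which indicators nothing alerted on and how long the alerts that did fire took to arrive. The domain names and IP addresses in it are constructed placeholders from reserved ranges, not STEEP#MAVERICK indicators, the alert records in `demo()` are invented, and the `Alert` record shape is an assumption you would adapt to your own tooling's export.

```python
"""IOC testing harness: exercise a known-bad indicator list, then reconcile the
attempts against the alerts your SIEM/EDR actually raised. Added example, not
SCYTHE's emulation-plan code. Indicators below are constructed placeholders
(RFC 2606 names, RFC 5737 TEST-NET addresses), not STEEP#MAVERICK indicators."""
import socket
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

@dataclass
class Attempt:
    ioc: str        # indicator as written in the intel report
    kind: str       # "domain" or "ip"
    when: datetime  # UTC timestamp of the attempt
    outcome: str    # what the network did; informational, not the pass/fail signal

@dataclass
class Alert:
    ioc: str        # indicator named by the alert
    when: datetime
    source: str     # control that raised it, e.g. "edr", "dns-firewall", "proxy"

@dataclass
class Result:
    ioc: str
    detected: bool
    latency_s: Optional[float]  # attempt -> first alert, in seconds
    sources: List[str] = field(default_factory=list)

def normalize(ioc: str) -> str:
    """Treat 'C2.EXAMPLE.NET.' and 'c2.example.net' as the same indicator."""
    return ioc.strip().rstrip(".").lower()

def exercise(domains, ips, port=443, timeout=3.0) -> List[Attempt]:
    """Generate the traffic a control should alert on: one DNS lookup per domain,
    one TCP connect per IP. Network side effects; only call this on purpose."""
    attempts = []
    for d in domains:
        when = datetime.now(timezone.utc)
        try:
            outcome = "resolved:" + socket.gethostbyname(d)  # sinkhole answers land here too
        except OSError as e:  # socket.gaierror is an OSError subclass
            outcome = "lookup-failed:" + type(e).__name__
        attempts.append(Attempt(d, "domain", when, outcome))
    for ip in ips:
        when = datetime.now(timezone.utc)
        try:
            with socket.create_connection((ip, port), timeout=timeout):
                outcome = "connected"
        except OSError as e:  # refused, timed out, or dropped by an egress filter
            outcome = "connect-failed:" + type(e).__name__
        attempts.append(Attempt(ip, "ip", when, outcome))
    return attempts

def reconcile(attempts, alerts, window=timedelta(minutes=30),
              skew=timedelta(seconds=5)) -> List[Result]:
    """Credit an attempt only with alerts naming the same indicator that fired in
    [attempt - skew, attempt + window]; yesterday's alert for the same IOC does not count."""
    by_ioc: dict = {}
    for a in alerts:
        by_ioc.setdefault(normalize(a.ioc), []).append(a)
    results = []
    for att in attempts:
        hits = [a for a in by_ioc.get(normalize(att.ioc), [])
                if att.when - skew <= a.when <= att.when + window]
        if not hits:
            results.append(Result(att.ioc, False, None))
            continue
        first = min(hits, key=lambda a: a.when)
        latency = max(0.0, (first.when - att.when).total_seconds())
        results.append(Result(att.ioc, True, latency, sorted({h.source for h in hits})))
    return results

def summarize(results: List[Result]) -> dict:
    """Coverage fraction, the indicators nothing alerted on, and the slowest alert."""
    hit = [r for r in results if r.detected]
    return {"coverage": len(hit) / len(results) if results else 0.0,
            "missed": [r.ioc for r in results if not r.detected],
            "max_latency_s": max((r.latency_s for r in hit), default=None)}

def demo() -> List[Result]:
    """Constructed run: four indicators exercised at T0; the SIEM export holds two
    prompt alerts, one delayed 12 minutes in the alerting path, and one stale alert."""
    t0 = datetime(2022, 10, 3, 14, 0, tzinfo=timezone.utc)
    attempts = [
        Attempt("c2.example.net", "domain", t0, "resolved:192.0.2.1"),
        Attempt("update.example.org", "domain", t0 + timedelta(seconds=1), "lookup-failed:gaierror"),
        Attempt("192.0.2.10", "ip", t0 + timedelta(seconds=2), "connect-failed:TimeoutError"),
        Attempt("198.51.100.23", "ip", t0 + timedelta(seconds=3), "connect-failed:ConnectionRefusedError"),
    ]
    alerts = [
        Alert("C2.EXAMPLE.NET.", t0 + timedelta(seconds=20), "dns-firewall"),
        Alert("c2.example.net", t0 + timedelta(seconds=45), "edr"),
        Alert("192.0.2.10", t0 + timedelta(minutes=12), "proxy"),  # delayed in the alert pipeline
        Alert("198.51.100.23", t0 - timedelta(days=1), "edr"),      # stale: predates this run
    ]
    return reconcile(attempts, alerts)

if __name__ == "__main__":
    print(summarize(demo()))
```

Run `exercise()` against the real indicator list from a host inside the monitored network, export the alerts for the same window from your SIEM, and feed both to `reconcile()`. An indicator in `missed` means no control alerted at all, which is where the questions in the paragraph above start (stale signatures, a control that is not updating, or suppression in the alerting path); a large `max_latency_s` with the indicator still detected points at delay in that path rather than at the vendor's intelligence feed. The time window matters: without it, an alert from last month's run would be credited to today's test and hide a regression.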
In summary, while it is absolutely true that most IOCs are easy to alter and still others are stale, there is still significant value in IOC testing. Understanding what your controls will (and critically, won’t) detect is an absolute necessity for any modern cybersecurity program. With the help of SCYTHE’s IOC testing plans, AES subscribers can perform this testing with no more effort than the push of a button.
Happy Hunting friends!
-SCYTHE AES Team
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.