<div dir="ltr"><div>So I think one of the more powerful things about IOCs is that they are open. To Halvar's point, this assists in forming communities and establishing confidence. Incidentally, communities and confidence are not something bad guys are generally lacking, but defenders are.<br>
<br>A stack of IOCs can also better inform a defender on what to expect. For instance, a sequence of IOCs from an attack that outlines a dropper, a benign document, a trojan and 10-minute C2 callbacks is not merely "a collection of IOCs"; it also tells a story, a story about the TTPs used. You can now broaden the blacklist concept to tactics such as "look for a Word document in %temp% and executables with identical timestamps".<br>
<br>IOCs can assist in moving from one sole defender defending to a community of defenders defending. That, in theory, makes for a more informed and speedy defender. Note: I did not say OODA loop once; even at the end.<br>
<br></div>-b<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jun 12, 2013 at 1:42 PM, Halvar Flake <span dir="ltr"><<a href="mailto:HalVar@gmx.de" target="_blank">HalVar@gmx.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-family:Verdana;font-size:12.0px"><div><tt><font color="#1a1a1a">Hey all,</font></tt><br>
<br>
<tt><font color="#1a1a1a">with all the IOC-bashing, I think I need to supply some compelling</font></tt><br>
<tt><font color="#1a1a1a">arguments in favour of them:</font></tt><br>
<br>
<tt><font color="#1a1a1a">- We know how to look for them. If I lose my wallet in some dark alley</font></tt><br>
<tt><font color="#1a1a1a">where I am near-blind, it is clearly more reasonable to go to a</font></tt><br>
<tt><font color="#1a1a1a">different street with better streetlights to look for it. Everything</font></tt><br>
<tt><font color="#1a1a1a">else would require me getting better technology, and nobody has time for</font></tt><br>
<tt><font color="#1a1a1a">that.</font></tt><br>
<br>
<tt><font color="#1a1a1a">- They make for a great business model. Empires were built on AV</font></tt><br>
<tt><font color="#1a1a1a">signatures, but it was considered bad form to charge more for signatures</font></tt><br>
<tt><font color="#1a1a1a">of particularly nasty malware. Re-branded as IOCs, I can finance</font></tt><br>
<tt><font color="#1a1a1a">decent-sized teams to analyze malware, and then sell individual IOCs for</font></tt><br>
<tt><font color="#1a1a1a">good money. IOCs are not -yet- better than AV signatures (if measured by</font></tt><br>
<tt><font color="#1a1a1a">aggregate stock value of companies involved), but that might change with</font></tt><br>
<tt><font color="#1a1a1a">a few IPOs.</font></tt><br>
<br>
<tt><font color="#1a1a1a">- They are community-bond-forming. A good IOC for an important group of</font></tt><br>
<tt><font color="#1a1a1a">attackers can be shared between a trusted group of people, so if I get</font></tt><br>
<tt><font color="#1a1a1a">owned and notice it, I at least have the consolation that I can build a</font></tt><br>
<tt><font color="#1a1a1a">cool IOC from it, and feel important in my peer group. I can trade,</font></tt><br>
<tt><font color="#1a1a1a">barter, and generally form a much more tightly-knit community. It's</font></tt><br>
<tt><font color="#1a1a1a">literally the success of "Magic - The Gathering" brought back to the IT</font></tt><br>
<tt><font color="#1a1a1a">security world.</font></tt><br>
<br>
<tt><font color="#1a1a1a">- They're good for people's confidence. Holding a secret IOC is the</font></tt><br>
<tt><font color="#1a1a1a">defensive version of holding a non-public exploit. You can feel</font></tt><br>
<tt><font color="#1a1a1a">powerful, and for your particular adversary, it may or may not work, or</font></tt><br>
<tt><font color="#1a1a1a">it may be patched any day. Perhaps it's methadone - not quite the real</font></tt><br>
<tt><font color="#1a1a1a">thing, but keeps the really heavy craving away.</font></tt><br>
<br>
<tt><font color="#1a1a1a">On a more serious note: Dave, no offense, but you sound like me during</font></tt><br>
<tt><font color="#1a1a1a">every stock bubble. "But ... but .... this is a bubble, it will burst !"</font></tt><br>
<tt><font color="#1a1a1a">- that is true, but in the meantime, fortunes are made, and the person</font></tt><br>
<tt><font color="#1a1a1a">with a macro view stays poor. :-P</font></tt><br>
<br>
<tt><font color="#1a1a1a">Cheers,</font></tt><br>
<tt><font color="#1a1a1a">Halvar</font></tt><br>
<tt><font color="#1a1a1a">PS: I actually think that IOCs can be quite useful - if they are built</font></tt><br>
<tt><font color="#1a1a1a">to generalize well and if you manage to keep them away from the</font></tt><br>
<tt><font color="#1a1a1a">attackers. That, though, can be the hard part.</font></tt><br>
<tt><font color="#1a1a1a">PPS: Perhaps a discussion about "technology X being bad" is like</font></tt><br>
<tt><font color="#1a1a1a">Chessplayers debating why pawns suck. In the end, everybody would like</font></tt><br>
<tt><font color="#1a1a1a">to have 8 queens, but you'll have to play with what you have.</font></tt></div></div></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br></div>
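The reply above argues that a sequence of IOCs (dropper, benign document, trojan, 10-minute C2 callbacks) is a story about TTPs, and that the blacklist idea can be broadened to tactics such as "a Word document in %temp% and an executable with an identical timestamp". The script below is an added example, not code from either poster or from the Dailydave list. It runs a plain hash blacklist and two tactic-level checks (same-timestamp document/executable pairs in a temp directory, and destinations beaconed at a near-constant interval) over a small set of constructed file and network records. The records, hashes, paths and addresses are made up for illustration; the thresholds (10-minute period, 30-second jitter, four beacons minimum) are assumptions a practitioner would tune.

```python
"""Added example (not from the Dailydave thread): atomic hash IOC versus
tactic-level checks over constructed host and network records."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ntpath


@dataclass(frozen=True)
class FileRecord:
    path: str        # Windows path as it would appear on the host
    sha256: str      # hex digest of the file content
    mtime: datetime  # last-write timestamp


@dataclass(frozen=True)
class NetRecord:
    dst: str         # remote "host:port"
    ts: datetime     # time the connection was opened


DOC_EXTS = {".doc", ".docx", ".rtf"}
EXE_EXTS = {".exe", ".dll", ".scr"}
# Assumed locations that count as "%temp%" for this example.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def in_temp(path: str) -> bool:
    return any(m in path.lower() for m in TEMP_MARKERS)


def ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def match_hash_blacklist(records, blacklist):
    """Atomic IOC: exact hash match. A rebuilt or repacked sample is missed."""
    return sorted(r.path for r in records if r.sha256 in blacklist)


def match_doc_exe_pairs(records, tolerance=timedelta(seconds=0)):
    """Tactic-level check: a Word document in %temp% and an executable with
    the same write timestamp, the footprint of a dropper that wrote both
    (decoy document plus payload) in one go."""
    docs = [r for r in records if in_temp(r.path) and ext(r.path) in DOC_EXTS]
    exes = [r for r in records if ext(r.path) in EXE_EXTS]
    return sorted((d.path, e.path) for d in docs for e in exes
                  if abs(d.mtime - e.mtime) <= tolerance)


def periodic_destinations(net, period=timedelta(minutes=10),
                          jitter=timedelta(seconds=30), min_beacons=4):
    """Tactic-level check: destinations contacted at a near-constant interval.
    Every gap between successive connections must lie within `jitter` of
    `period`; fewer than `min_beacons` connections is not enough evidence."""
    by_dst = {}
    for n in net:
        by_dst.setdefault(n.dst, []).append(n.ts)
    hits = []
    for dst, times in by_dst.items():
        times.sort()
        if len(times) < min_beacons:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= jitter for g in gaps):
            hits.append(dst)
    return sorted(hits)


# Constructed sample data; nothing here comes from a real incident.
T0 = datetime(2013, 6, 12, 13, 42)
SAMPLE_FILES = [
    FileRecord(r"C:\Users\bob\AppData\Local\Temp\invoice.docx", "a" * 64, T0),
    FileRecord(r"C:\Users\bob\AppData\Local\Temp\svchost32.exe", "b" * 64, T0),
    FileRecord(r"C:\Users\bob\Documents\report.docx", "c" * 64, T0),  # not %temp%
    FileRecord(r"C:\Windows\System32\notepad.exe", "d" * 64,
               datetime(2012, 7, 26, 3, 0)),
]
# Hash of an older build of the trojan; the dropped "b"*64 sample is not on it.
KNOWN_BAD_HASHES = {"e" * 64}
SAMPLE_NET = (
    # six callbacks, 10 minutes apart with a few seconds of jitter
    [NetRecord("203.0.113.10:443", T0 + timedelta(minutes=10 * i, seconds=5 * (i % 2)))
     for i in range(1, 7)]
    # three irregular connections to an ordinary host
    + [NetRecord("198.51.100.7:443", T0 + timedelta(minutes=m)) for m in (1, 3, 30)]
)

if __name__ == "__main__":
    print("hash blacklist hits:", match_hash_blacklist(SAMPLE_FILES, KNOWN_BAD_HASHES))
    print("doc/exe same-timestamp pairs:", match_doc_exe_pairs(SAMPLE_FILES))
    print("beaconing destinations:", periodic_destinations(SAMPLE_NET))
```

On the constructed data the hash blacklist returns nothing because the dropped executable is a build the list has never seen, while the two tactic checks flag the decoy-plus-payload pair in %temp% and the host called every ten minutes. That is the difference the reply is pointing at: the atomic indicator is tied to one sample, the pattern survives a rebuild.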