This post was originally published on Joe Slowik's personal blog, which can be found here.
A previous post on indicators and network defense generated quite a bit of attention, as well as some requests for follow-up items. One item in particular was very interesting to me: comparing an actionable, effective threat intelligence report that does not rely on indicators with a “bad” example. I think this idea is interesting, but somewhat dangerous, simply because I don’t want to be the person to crap on another’s work, which is almost certainly how such an exercise would play out. Instead of this requested approach, I would like to address a practical, relevant example of the behavioral vs. indicator argument playing out in real time, in light of recent work I’ve done at Dragos on the XENOTIME activity group.
In this specific case, and going back to the original public reporting I co-authored, I’ve heard that an “IOC-less” approach for TRISIS and XENOTIME in general amounts to one or more of several failings: failing to adequately document or support the work; potentially masking a lack of information in public reporting; and leaving defenders in the lurch by not providing all relevant, potentially actionable information.
I will spend most of our remaining time on the last point, but I’d like to quickly address the other two before moving on. The first, in terms of “showing one’s work”, has some merit – but only depending on the audience. If your intention is to inform operations personnel, and not the community of threat intelligence researchers and reverse engineers, providing sample hashes seems irrelevant and unnecessary, especially if you already think such IOCs are effectively useless for other organizations from the start. The second is just a waste of time, and I’ll let my colleagues Jimmy Wylie and Reid Wightman dispel this with their in-depth walk-through of the TRISIS framework at RECON.
Getting back on track: as a professional in this field, one of the most damning and hurtful comments I can hear is that I am doing less than my absolute best in arming and equipping defenders to respond to malicious events. Toward that end, the notion that omitting IOCs from a report – whether public or private – may actively harm or disadvantage defenders really hits home. In responding to this assertion, however, I feel we can arrive at an even better understanding of the limitations of an IOC approach, especially in an environment such as ICS defense.