summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc9424.txt
blob: e29947d046200b04e0c082a4fc2cef2f2d94988c (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
Internet Engineering Task Force (IETF)                          K. Paine
Request for Comments: 9424                                   Splunk Inc.
Category: Informational                                    O. Whitehouse
ISSN: 2070-1721                                           Binary Firefly
                                                             J. Sellwood
                                                                        
                                                                 A. Shaw
                                       UK National Cyber Security Centre
                                                             August 2023


    Indicators of Compromise (IoCs) and Their Role in Attack Defence

Abstract

   Cyber defenders frequently rely on Indicators of Compromise (IoCs) to
   identify, trace, and block malicious activity in networks or on
   endpoints.  This document reviews the fundamentals, opportunities,
   operational limitations, and recommendations for IoC use.  It
   highlights the need for IoCs to be detectable in implementations of
   Internet protocols, tools, and technologies -- both for the IoCs'
   initial discovery and their use in detection -- and provides a
   foundation for approaches to operational challenges in network
   security.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are candidates for any level of Internet
   Standard; see Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc9424.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  IoC Fundamentals
     3.1.  IoC Types and the Pyramid of Pain
     3.2.  IoC Lifecycle
       3.2.1.  Discovery
       3.2.2.  Assessment
       3.2.3.  Sharing
       3.2.4.  Deployment
       3.2.5.  Detection
       3.2.6.  Reaction
       3.2.7.  End of Life
   4.  Using IoCs Effectively
     4.1.  Opportunities
       4.1.1.  IoCs underpin and enable multiple layers of the modern
               defence-in-depth strategy.
       4.1.2.  IoCs can be used even with limited resources.
       4.1.3.  IoCs have a multiplier effect on attack defence efforts
               within an organisation.
       4.1.4.  IoCs are easily shared between organisations.
       4.1.5.  IoCs can provide significant time savings.
       4.1.6.  IoCs allow for discovery of historic attacks.
       4.1.7.  IoCs can be attributed to specific threats.
     4.2.  Case Studies
       4.2.1.  Cobalt Strike
         4.2.1.1.  Overall TTP
         4.2.1.2.  IoCs
       4.2.2.  APT33
         4.2.2.1.  Overall TTP
         4.2.2.2.  IoCs
   5.  Operational Limitations
     5.1.  Time and Effort
       5.1.1.  Fragility
       5.1.2.  Discoverability
       5.1.3.  Completeness
     5.2.  Precision
       5.2.1.  Specificity
       5.2.2.  Dual and Compromised Use
       5.2.3.  Changing Use
     5.3.  Privacy
     5.4.  Automation
   6.  Comprehensive Coverage and Defence-in-Depth
   7.  IANA Considerations
   8.  Security Considerations
   9.  Conclusions
   10. Informative References
   Acknowledgements
   Authors' Addresses

1.  Introduction

   This document describes the various types of IoCs and how they are
   used effectively in attack defence (often called "cyber defence").
   It introduces concepts such as the Pyramid of Pain [PoP] and the IoC
   lifecycle to highlight how IoCs may be used to provide a broad range
   of defences.  This document provides suggestions for implementers of
   controls based on IoCs as well as potential operational limitations.
   Two case studies that demonstrate the usefulness of IoCs for
   detecting and defending against real-world attacks are included.  One
   case study involves an intrusion set (a set of malicious activity and
   behaviours attributed to one threat actor) known as "APT33", and the
   other involves an attack tool called "Cobalt Strike".  This document
   is not a comprehensive report of APT33 or Cobalt Strike and is
   intended to be read alongside publicly published reports (referred to
   as "open-source material" among cyber intelligence practitioners) on
   these threats (for example, [Symantec] and [NCCGroup], respectively).

2.  Terminology

   Attack defence:
      The activity of providing cyber security to an environment through
      the prevention of, detection of, and response to attempted and
      successful cyber intrusions.  A successful defence can be achieved
      through blocking, monitoring, and responding to adversarial
      activity at the network, endpoint, or application levels.

   Command and control (C2) server:
      An attacker-controlled server used to communicate with, send
      commands to, and receive data from compromised machines.
      Communication between a C2 server and compromised hosts is called
      "command and control traffic".

   Domain Generation Algorithm (DGA):
      The algorithm used in malware strains to periodically generate
      domain names (via algorithm).  Malware may use DGAs to compute a
      destination for C2 traffic rather than relying on a pre-assigned
      list of static IP addresses or domains that can be blocked more
      easily when extracted from, or otherwise linked to, the malware.

   Kill chain:
      A model for conceptually breaking down a cyber intrusion into
      stages of the attack from reconnaissance through to actioning the
      attacker's objectives.  This model allows defenders to think
      about, discuss, plan for, and implement controls to defend against
      discrete phases of an attacker's activity [KillChain].

   Tactics, Techniques, and Procedures (TTPs):
      The way an adversary undertakes activities in the kill chain --
      the choices made, methods followed, tools and infrastructure used,
      protocols employed, and commands executed.  If they are distinct
      enough, aspects of an attacker's TTPs can form specific IoCs as if
      they were a fingerprint.

   Control (as defined by US NIST):
      A safeguard or countermeasure prescribed for an information system
      or an organisation designed to protect the confidentiality,
      integrity, and availability of its information and to meet a set
      of defined security requirements [NIST].

3.  IoC Fundamentals

3.1.  IoC Types and the Pyramid of Pain

   IoCs are observable artefacts relating to an attacker or their
   activities, such as their tactics, techniques, procedures, and
   associated tooling and infrastructure.  These indicators can be
   observed at the network or endpoint (host) levels and can, with
   varying degrees of confidence, help network defenders to proactively
   block malicious traffic or code execution, determine a cyber
   intrusion occurred, or associate discovered activity to a known
   intrusion set and thereby potentially identify additional avenues for
   investigation.  IoCs are deployed to firewalls and other security
   control points by adding them to the list of indicators that the
   control point is searching for in the traffic that it is monitoring.
   When associated with malicious activity, the following are some
   examples of protocol-related IoCs:

   *  IPv4 and IPv6 addresses in network traffic

   *  Fully Qualified Domain Names (FQDNs) in network traffic, DNS
      resolver caches, or logs

   *  TLS Server Name Indication values in network traffic

   *  Code-signing certificates in binaries

   *  TLS certificate information (such as SHA256 hashes) in network
      traffic

   *  Cryptographic hashes (e.g., MD5, SHA1, or SHA256) of malicious
      binaries or scripts when calculated from network traffic or file
      system artefacts

   *  Attack tools (such as Mimikatz [Mimikatz]) and their code
      structure and execution characteristics

   *  Attack techniques, such as Kerberos Golden Tickets [GoldenTicket],
      that can be observed in network traffic or system artefacts

   The common types of IoC form a Pyramid of Pain [PoP] that informs
   prevention, detection, and mitigation strategies.  The position of
   each IoC type in the pyramid represents how much "pain" a typical
   adversary experiences as part of changing the activity that produces
   that artefact.  The greater pain an adversary experiences (towards
   the top), the less likely they are to change those aspects of their
   activity and the longer the IoC is likely to reflect the attacker's
   intrusion set (i.e., the less fragile those IoCs will be from a
   defender's perspective).  The layers of the PoP commonly range from
   hashes up to TTPs, with the pain ranging from simply recompiling code
   to creating a whole new attack strategy.  Other types of IoC do exist
   and could be included in an extended version of the PoP should that
   assist the defender in understanding and discussing intrusion sets
   most relevant to them.

                             /\
                            /  \                             MORE PAIN
                           /    \                           LESS FRAGILE
                          /      \                          LESS PRECISE
                         /  TTPs  \
                        /          \                            / \
                       ==============                            |
                      /              \                           |
                     /      Tools     \                          |
                    /                  \                         |
                   ======================                        |
                  /                      \                       |
                 / Network/Host Artefacts \                      |
                /                          \                     |
               ==============================                    |
              /                              \                   |
             /          Domain Names          \                  |
            /                                  \                 |
           ======================================                |
          /                                      \               |
         /              IP Addresses              \              |
        /                                          \            \ /
       ==============================================
      /                                              \       LESS PAIN
     /                   Hash Values                  \     MORE FRAGILE
    /                                                  \    MORE PRECISE
   ======================================================

                                  Figure 1

   On the lowest (and least painful) level are hashes of malicious
   files.  These are easy for a defender to gather and can be deployed
   to firewalls or endpoint protection to block malicious downloads or
   prevent code execution.  While IoCs aren't the only way for defenders
   to do this kind of blocking, they are a quick, convenient, and
   nonintrusive method.  Hashes are precise detections for individual
   files based on their binary content.  To subvert this defence,
   however, an adversary need only recompile code, or otherwise modify
   the file content with some trivial changes, to modify the hash value.

   The next two levels are IP addresses and domain names.  Interactions
   with these may be blocked, with varying false positive rates
   (misidentifying non-malicious traffic as malicious; see Section 5),
   and often cause more pain to an adversary to subvert than file
   hashes.  The adversary may have to change IP ranges, find a new
   provider, and change their code (e.g., if the IP address is hard-
   coded rather than resolved).  A similar situation applies to domain
   names, but in some cases, threat actors have specifically registered
   these to masquerade as a particular organisation or to otherwise
   falsely imply or claim an association that will be convincing or
   misleading to those they are attacking.  While the process and cost
   of registering new domain names are now unlikely to be prohibitive or
   distracting to many attackers, there is slightly greater pain in
   selecting unregistered, but appropriate, domain names for such
   purposes.

   Network and endpoint artefacts, such as a malware's beaconing pattern
   on the network or the modified timestamps of files touched on an
   endpoint, are harder still to change as they relate specifically to
   the attack taking place and, in some cases, may not be under the
   direct control of the attacker.  However, more sophisticated
   attackers use TTPs or tooling that provides flexibility at this level
   (such as Cobalt Strike's malleable command and control [COBALT]) or a
   means by which some artefacts can be masked (see [Timestomp]).

   Tools and TTPs form the top two levels of the pyramid; these levels
   describe a threat actor's methodology -- the way they perform the
   attack.  The tools level refers specifically to the software (and
   less frequently, hardware) used to conduct the attack, whereas the
   TTPs level picks up on all the other aspects of the attack strategy.
   IoCs at these levels are more complicated and complex -- for example,
   they can include the details of how an attacker deploys malicious
   code to perform reconnaissance of a victim's network, pivots
   laterally to a valuable endpoint, and then downloads a ransomware
   payload.  TTPs and tools take intensive effort to diagnose on the
   part of the defender, but they are fundamental to the attacker and
   campaign and hence incredibly painful for the adversary to change.

   The variation in discoverability of IoCs is indicated by the numbers
   of IoCs in AlienVault, an open threat intelligence community
   [ALIENVAULT].  As of January 2023, AlienVault contained:

   *  Groups (i.e., combinations of TTPs): 631

   *  Malware families (i.e., tools): ~27,000

   *  URL: 2,854,918

   *  Domain names: 64,769,363

   *  IPv4 addresses: 5,427,762

   *  IPv6 addresses: 12,009

   *  SHA256 hash values: 5,452,442

   The number of domain names appears out of sync with the other counts,
   which reduce on the way up the PoP.  This discrepancy warrants
   further research; however, contributing factors may be the use of
   DGAs and the fact that threat actors use domain names to masquerade
   as legitimate organisations and so have added incentive for creating
   new domain names as they are identified and confiscated.

3.2.  IoC Lifecycle

   To be of use to defenders, IoCs must first be discovered, assessed,
   shared, and deployed.  When a logged activity is identified and
   correlated to an IoC, this detection triggers a reaction by the
   defender, which may include an investigation, potentially leading to
   more IoCs being discovered, assessed, shared, and deployed.  This
   cycle continues until the IoC is determined to no longer be relevant,
   at which point it is removed from the control space.

3.2.1.  Discovery

   IoCs are discovered initially through manual investigation or
   automated analysis.  They can be discovered in a range of sources,
   including at endpoints and in the network (on the wire).  They must
   either be extracted from logs monitoring protocol packet captures,
   code execution, or system activity (in the case of hashes, IP
   addresses, domain names, and network or endpoint artefacts) or be
   determined through analysis of attack activity or tooling.  In some
   cases, discovery may be a reactive process, where IoCs from past or
   current attacks are identified from the traces left behind.  However,
   discovery may also result from proactive hunting for potential future
   IoCs extrapolated from knowledge of past events (such as from
   identifying attacker infrastructure by monitoring domain name
   registration patterns).

   Crucially, for an IoC to be discovered, the indicator must be
   extractable from the Internet protocol, tool, or technology it is
   associated with.  Identifying a particular exchange (or sequence of
   exchanged messages) related to an attack is of limited benefit if
   indicators cannot be extracted or, once they are extracted, cannot be
   subsequently associated with a later related exchange of messages or
   artefacts in the same, or in a different, protocol.  If it is not
   possible to determine the source or destination of malicious attack
   traffic, it will not be possible to identify and block subsequent
   attack traffic either.

3.2.2.  Assessment

   Defenders may treat different IoCs differently, depending on the
   IoCs' quality and the defender's needs and capabilities.  Defenders
   may, for example, place differing trust in IoCs depending on their
   source, freshness, confidence level, or the associated threat.  These
   decisions rely on associated contextual information recovered at the
   point of discovery or provided when the IoC was shared.

   An IoC without context is not much use for network defence.  On the
   other hand, an IoC delivered with context (for example, the threat
   actor it relates to, its role in an attack, the last time it was seen
   in use, its expected lifetime, or other related IoCs) allows a
   network defender to make an informed choice on how to use it to
   protect their network (for example, simply log it, actively monitor
   it, or outright block it).

3.2.3.  Sharing

   Once discovered and assessed, IoCs are most helpful when deployed in
   such a way to have a broad impact on the detection or disruption of
   threats or shared at scale so many individuals and organisations can
   defend themselves.  An IoC may be shared individually (with
   appropriate context) in an unstructured manner or may be packaged
   alongside many other IoCs in a standardised format, such as
   Structured Threat Information Expression [STIX], Malware Information
   Sharing Platform (MISP) core [MISPCORE], OpenIOC [OPENIOC], and
   Incident Object Description Exchange Format (IODEF) [RFC7970].  This
   enables distribution via a structured feed, such as one implementing
   Trusted Automated Exchange of Intelligence Information [TAXII], or
   through a Malware Information Sharing Platform [MISP].

   While some security companies and some membership-based groups (often
   dubbed "Information Sharing and Analysis Centres (ISACs)" or
   "Information Sharing and Analysis Organizations (ISAOs)") provide
   paid intelligence feeds containing IoCs, there are various free IoC
   sources available from individual security researchers up through
   small trust groups to national governmental cyber security
   organisations and international Computer Emergency Response Teams
   (CERTs).  Whoever they are, sharers commonly indicate the extent to
   which receivers may further distribute IoCs using frameworks like the
   Traffic Light Protocol [TLP].  At its simplest, this indicates that
   the receiver may share with anyone (TLP:CLEAR), share within the
   defined sharing community (TLP:GREEN), share within their
   organisation and their clients (TLP:AMBER+STRICT), share just within
   their organisation (TLP:AMBER), or not share with anyone outside the
   original specific IoC exchange (TLP:RED).

3.2.4.  Deployment

   For IoCs to provide defence-in-depth (see Section 6) and so cope with
   different points of failure, correct deployment is important.
   Different IoCs will detect malicious activity at different layers of
   the network stack and at different stages of an attack, so deploying
   a range of IoCs enables layers of defence at each security control,
   reinforcing the benefits of using multiple security controls as part
   of a defence-in-depth solution.  The network security controls and
   endpoint solutions where they are deployed need to have sufficient
   privilege, and sufficient visibility, to detect IoCs and to act on
   them.  Wherever IoCs exist, they need to be made available to
   security controls and associated apparatus to ensure they can be
   deployed quickly and widely.  While IoCs may be manually assessed
   after discovery or receipt, significant advantage may be gained by
   automatically ingesting, processing, assessing, and deploying IoCs
   from logs or intelligence feeds to the appropriate security controls.
   As not all IoCs are of the same quality, confidence in IoCs drawn
   from each threat intelligence feed should be considered when deciding
   whether to deploy IoCs automatically in this way.

   IoCs can be particularly effective at mitigating malicious activity
   when deployed in security controls with the broadest impact.  This
   could be achieved by developers of security products or firewalls
   adding support for the distribution and consumption of IoCs directly
   to their products, without each user having to do it, thus addressing
   the threat for the whole user base at once in a machine-scalable and
   automated manner.  This could also be achieved within an enterprise
   by ensuring those control points with the widest aperture (for
   example, enterprise-wide DNS resolvers) are able to act automatically
   based on IoC feeds.

3.2.5.  Detection

   Security controls with deployed IoCs monitor their relevant control
   space and trigger a generic or specific reaction upon detection of
   the IoC in monitored logs or on network interfaces.

3.2.6.  Reaction

   The reaction to an IoC's detection may differ depending on factors
   such as the capabilities and configuration of the control it is
   deployed in, the assessment of the IoC, and the properties of the log
   source in which it was detected.  For example, a connection to a
   known botnet C2 server may indicate a problem but does not guarantee
   it, particularly if the server is a compromised host still performing
   some other legitimate functions.  Common reactions include event
   logging, triggering alerts, and blocking or terminating the source of
   the activity.

3.2.7.  End of Life

   How long an IoC remains useful varies and is dependent on factors
   including initial confidence level, fragility, and precision of the
   IoC (discussed further in Section 5).  In some cases, IoCs may be
   automatically "aged" based on their initial characteristics and so
   will reach end of life at a predetermined time.  In other cases, IoCs
   may become invalidated due to a shift in the threat actor's TTPs
   (e.g., resulting from a new development or their discovery) or due to
   remediation action taken by a defender.  End of life may also come
   about due to an activity unrelated to attack or defence, such as when
   a third-party service used by the attacker changes or goes offline.
   Whatever the cause, IoCs should be removed from detection at the end
   of their life to reduce the likelihood of false positives.

4.  Using IoCs Effectively

4.1.  Opportunities

   IoCs offer a variety of opportunities to cyber defenders as part of a
   modern defence-in-depth strategy.  No matter the size of an
   organisation, IoCs can provide an effective, scalable, and efficient
   defence mechanism against classes of attack from the latest threats
   or specific intrusion sets that may have struck in the past.

4.1.1.  IoCs underpin and enable multiple layers of the modern defence-
        in-depth strategy.

   Firewalls, Intrusion Detection Systems (IDSs), and Intrusion
   Prevention Systems (IPSs) all employ IoCs to identify and mitigate
   threats across networks.  Antivirus (AV) and Endpoint Detection and
   Response (EDR) products deploy IoCs via catalogues or libraries to
   supported client endpoints.  Security Incident Event Management
   (SIEM) platforms compare IoCs against aggregated logs from various
   sources -- network, endpoint, and application.  Of course, IoCs do
   not address all attack defence challenges, but they form a vital tier
   of any organisation's layered defence.  Some types of IoC may be
   present across all those controls while others may be deployed only
   in certain layers of a defence-in-depth solution.  Further, IoCs
   relevant to a specific kill chain may only reflect activity performed
   during a certain phase and so need to be combined with other IoCs or
   mechanisms for complete coverage of the kill chain as part of an
   intrusion set.

   As an example, open-source malware can be deployed by many different
   actors, each using their own TTPs and infrastructure.  However, if
   the actors use the same executable, the hash of the executable file
   remains the same, and this hash can be deployed as an IoC in endpoint
   protection to block execution regardless of individual actor,
   infrastructure, or other TTPs.  Should this defence fail in a
   specific case, for example, if an actor recompiles the executable
   binary producing a unique hash, other defences can prevent them
   progressing further through their attack, for instance, by blocking
   known malicious domain name lookups and thereby preventing the
   malware calling out to its C2 infrastructure.

   Alternatively, another malicious actor may regularly change their
   tools and infrastructure (and thus the indicators associated with the
   intrusion set) deployed across different campaigns, but their access
   vectors may remain consistent and well-known.  In this case, this
   access TTP can be recognised and proactively defended against, even
   while there is uncertainty of the intended subsequent activity.  For
   example, if their access vector consistently exploits a vulnerability
   in software, regular and estate-wide patching can prevent the attack
   from taking place.  However, should these preemptive measures fail,
   other IoCs observed across multiple campaigns may be able to prevent
   the attack at later stages in the kill chain.

4.1.2.  IoCs can be used even with limited resources.

   IoCs are inexpensive, scalable, and easy to deploy, making their use
   particularly beneficial for smaller entities, especially where they
   are exposed to a significant threat.  For example, a small
   manufacturing subcontractor in a supply chain producing a critical,
   highly specialised component may represent an attractive target
   because there would be disproportionate impact on both the supply
   chain and the prime contractor if it were compromised.  It may be
   reasonable to assume that this small manufacturer will have only
   basic security (whether internal or outsourced), and while it is
   likely to have comparatively fewer resources to manage the risks that
   it faces compared to larger partners, it can still leverage IoCs to
   great effect.  Small entities like this can deploy IoCs to give a
   baseline protection against known threats without having access to a
   well-resourced, mature defensive team and the threat intelligence
   relationships necessary to perform resource-intensive investigations.
   While some level of expertise on the part of such a small company
   would be needed to successfully deploy IoCs, use of IoCs does not
   require the same intensive training as needed for more subjective
   controls, such as those using machine learning, which require further
   manual analysis of identified events to verify if they are indeed
   malicious.  In this way, a major part of the appeal of IoCs is that
   they can afford some level of protection to organisations across
   spectrums of resource capability, maturity, and sophistication.

4.1.3.  IoCs have a multiplier effect on attack defence efforts within
        an organisation.

   Individual IoCs can provide widespread protection that scales
   effectively for defenders across an organisation or ecosystem.
   Within a single organisation, simply blocking one IoC may protect
   thousands of users, and that blocking may be performed (depending on
   the IoC type) across multiple security controls monitoring numerous
   different types of activity within networks, endpoints, and
   applications.  The prime contractor from our earlier example can
   supply IoCs to the small subcontractor and thus further uplift that
   smaller entity's defensive capability while protecting itself and its
   interests at the same time.

   Multiple organisations may benefit from directly receiving shared
   IoCs (see Section 4.1.4), but they may also benefit from the IoCs'
   application in services they utilise.  In the case of an ongoing
   email-phishing campaign, IoCs can be monitored, discovered, and
   deployed quickly and easily by individual organisations.  However, if
   they are deployed quickly via a mechanism such as a protective DNS
   filtering service, they can be more effective still -- an email
   campaign may be mitigated before some organisations' recipients ever
   click the link or before some malicious payloads can call out for
   instructions.  Through such approaches, other parties can be
   protected without direct sharing of IoCs with those organisations or
   additional effort.

4.1.4.  IoCs are easily shared between organisations.

   IoCs can also be very easily shared between individuals and
   organisations.  First, IoCs are easy to distribute as they can be
   represented concisely as text (possibly in hexadecimal) and so are
   frequently exchanged in small numbers in emails, blog posts, or
   technical reports.  Second, standards, such as those mentioned in
   Section 3.2.3, exist to provide well-defined formats for sharing
   large collections or regular sets of IoCs along with all the
   associated context.  While discovering one IoC can be intensive, once
   shared via well-established routes, that individual IoC may protect
   thousands of organisations and thus all of the users in those
   organisations.  Quick and easy sharing of IoCs gives blanket coverage
   for organisations and allows widespread mitigation in a timely
   fashion -- they can be shared with systems administrators, from small
   to large organisations and from large teams to single individuals,
   allowing them all to implement defences on their networks.

4.1.5.  IoCs can provide significant time savings.

   Not only are there time savings from sharing IoCs, saving duplication
   of investigation effort, but deploying them automatically at scale is
   seamless for many enterprises.  Where automatic deployment of IoCs is
   working well, organisations and users get blanket protection with
   minimal human intervention and minimal effort, a key goal of attack
   defence.  The ability to do this at scale and at pace is often vital
   when responding to agile threat actors that may change their
   intrusion set frequently and hence change the relevant IoCs.
   Conversely, protecting a complex network without automatic deployment
   of IoCs could mean manually updating every single endpoint or network
   device consistently and reliably to the same security state.  The
   work this entails (including locating assets and devices, polling for
   logs and system information, and manually checking patch levels)
   introduces complexity and a need for skilled analysts and engineers.
   While it is still necessary to invest effort both to enable efficient
   IoC deployment and to eliminate false positives when widely deploying
   IoCs, the cost and effort involved can be far smaller than the work
   entailed in reliably manually updating all endpoint and network
   devices.  For example, legacy systems may be particularly
   complicated, or even impossible, to update.

4.1.6.  IoCs allow for discovery of historic attacks.

   A network defender can use recently acquired IoCs in conjunction with
   historic data, such as logged DNS queries or email attachment hashes,
   to hunt for signs of past compromise.  Not only can this technique
   help to build a clear picture of past attacks, but it also allows for
   retrospective mitigation of the effects of any previous intrusion.
   This opportunity is reliant on historic data not having been
   compromised itself, by a technique such as Timestomp [Timestomp], and
   not being incomplete due to data retention policies, but it is
   nonetheless valuable for detecting and remediating past attacks.

4.1.7.  IoCs can be attributed to specific threats.

   Deployment of various modern security controls, such as firewall
   filtering or EDR, come with an inherent trade-off between breadth of
   protection and various costs, including the risk of false positives
   (see Section 5.2), staff time, and pure financial costs.
   Organisations can use threat modelling and information assurance to
   assess and prioritise risk from identified threats and to determine
   how they will mitigate or accept each of them.  Contextual
   information tying IoCs to specific threats or actors and shared
   alongside the IoCs enables organisations to focus their defences
   against particular risks.  This contextual information is generally
   expected by those receiving IoCs as it allows them the technical
   freedom and capability to choose their risk appetite, security
   posture, and defence methods.  The ease of sharing this contextual
   information alongside IoCs, in part due to the formats outlined in
   Section 3.2.3, makes it easier to track malicious actors across
   campaigns and targets.  Producing this contextual information before
   sharing IoCs can take intensive analytical effort as well as
   specialist tools and training.  At its simplest, it can involve
   documenting sets of IoCs from multiple instances of the same attack
   campaign, for example, from multiple unique payloads (and therefore
   with distinct file hashes) from the same source and connecting to the
   same C2 server.  A more complicated approach is to cluster similar
   combinations of TTPs seen across multiple campaigns over a period of
   time.  This can be used alongside detailed malware reverse
   engineering and target profiling, overlaid on a geopolitical and
   criminal backdrop, to infer attribution to a single threat actor.

4.2.  Case Studies

   The following two case studies illustrate how IoCs may be identified
   in relation to threat actor tooling (in the first) and a threat actor
   campaign (in the second).  The case studies further highlight how
   these IoCs may be used by cyber defenders.

4.2.1.  Cobalt Strike

   Cobalt Strike [COBALT] is a commercial attack framework used for
   penetration testing that consists of an implant framework (beacon), a
   network protocol, and a C2 server.  The beacon and network protocol
   are highly malleable, meaning the protocol representation "on the
   wire" can be easily changed by an attacker to blend in with
   legitimate traffic by ensuring the traffic conforms to the protocol
   specification, e.g., HTTP.  The proprietary beacon supports TLS
   encryption overlaid with a custom encryption scheme based on a
   public-private keypair.  The product also supports other techniques,
   such as domain fronting [DFRONT], in an attempt to avoid obvious
   passive detection by static network signatures of domain names or IP
   addresses.  Domain fronting is used to blend traffic to a malicious
   domain with traffic originating from a network that is already
   communicating with a non-malicious domain regularly over HTTPS.

4.2.1.1.  Overall TTP

   A beacon configuration describes how the implant should operate and
   communicate with its C2 server.  This configuration also provides
   ancillary information such as the Cobalt Strike user licence
   watermark.

4.2.1.2.  IoCs

   Tradecraft has been developed that allows the fingerprinting of C2
   servers based on their responses to specific requests.  This allows
   the servers to be identified, their beacon configurations to be
   downloaded, and the associated infrastructure addresses to be
   extracted as IoCs.

   The resulting mass IoCs for Cobalt Strike are:

   *  IP addresses of the C2 servers

   *  domain names used

   Whilst these IoCs need to be refreshed regularly (due to the ease of
   which they can be changed), the authors' experience of protecting
   public sector organisations shows that these IoCs are effective for
   disrupting threat actor operations that use Cobalt Strike.

   These IoCs can be used to check historical data for evidence of past
   compromise and deployed to detect or block future infection in a
   timely manner, thereby contributing to preventing the loss of user
   and system data.

4.2.2.  APT33

   In contrast to the first case study, this describes a current
   campaign by the threat actor APT33, also known as Elfin and Refined
   Kitten (see [Symantec]).  APT33 has been assessed by the industry to
   be a state-sponsored group [FireEye2]; yet, in this case study, IoCs
   still gave defenders an effective tool against such a powerful
   adversary.  The group has been active since at least 2015 and is
   known to target a range of sectors including petrochemical,
   government, engineering, and manufacturing.  Activity has been seen
   in countries across the globe but predominantly in the USA and Saudi
   Arabia.

4.2.2.1.  Overall TTP

   The techniques employed by this actor exhibit a relatively low level
   of sophistication, considering it is a state-sponsored group.
   Typically, APT33 performs spear phishing (sending targeted malicious
   emails to a limited number of pre-selected recipients) with document
   lures that imitate legitimate publications.  User interaction with
   these lures executes the initial payload and enables APT33 to gain
   initial access.  Once inside a target network, APT33 attempts to
   pivot to other machines to gather documents and gain access to
   administrative credentials.  In some cases, users are tricked into
   providing credentials that are then used with Ruler [RULER], a freely
   available tool that allows exploitation of an email client.  The
   attacker, in possession of a target's password, uses Ruler to access
   the target's mail account and embeds a malicious script that will be
   triggered when the mail client is next opened, resulting in the
   execution of malicious code (often additional malware retrieved from
   the Internet) (see [FireEye]).

   APT33 sometimes deploys a destructive tool that overwrites the master
   boot record (MBR) of the hard drives in as many PCs as possible.
   This type of tool, known as a wiper, results in data loss and renders
   devices unusable until the operating system is reinstalled.  In some
   cases, the actor uses administrator credentials to invoke execution
   across a large swathe of a company's IT estate at once; where this
   isn't possible, the actor may first attempt to spread the wiper
   manually or use worm-like capabilities against unpatched
   vulnerabilities on the networked computers.

4.2.2.2.  IoCs

   As a result of investigations by a partnership of the industry and
   the UK's National Cyber Security Centre (NCSC), a set of IoCs were
   compiled and shared with both public and private sector organisations
   so network defenders could search for them in their networks.
   Detection of these IoCs is likely indicative of APT33 targeting and
   could indicate potential compromise and subsequent use of destructive
   malware.  Network defenders could also initiate processes to block
   these IoCs to foil future attacks.  This set of IoCs comprised:

   *  9 hashes and email subject lines

   *  5 IP addresses

   *  7 domain names

   In November 2021, a joint advisory concerning APT33 [CISA] was issued
   by the Federal Bureau of Investigation (FBI), the Cybersecurity and
   Infrastructure Security Agency (CISA), the Australian Cyber Security
   Centre (ACSC), and NCSC.  This outlined recent exploitation of
   vulnerabilities by APT33, providing a thorough overview of observed
   TTPs and sharing further IoCs:

   *  8 hashes of malicious executables

   *  3 IP addresses

5.  Operational Limitations

   The different IoC types inherently embody a set of trade-offs for
   defenders between the risk of false positives (misidentifying non-
   malicious traffic as malicious) and the risk of failing to identify
   attacks.  The attacker's relative pain of modifying attacks to
   subvert known IoCs, as discussed using the PoP in Section 3.1,
   inversely correlates with the fragility of the IoC and with the
   precision with which the IoC identifies an attack.  Research is
   needed to elucidate the exact nature of these trade-offs between
   pain, fragility, and precision.

5.1.  Time and Effort

5.1.1.  Fragility

   As alluded to in Section 3.1, the PoP can be thought of in terms of
   fragility for the defender as well as pain for the attacker.  The
   less painful it is for the attacker to change an IoC, the more
   fragile that IoC is as a defence tool.  It is relatively simple to
   determine the hash value for various malicious file attachments
   observed as lures in a phishing campaign and to deploy these through
   AV or an email gateway security control.  However, those hashes are
   fragile and can (and often will) be changed between campaigns.
   Malicious IP addresses and domain names can also be changed between
   campaigns, but this may happen less frequently due to the greater
   pain of managing infrastructure compared to altering files, and so IP
   addresses and domain names may provide a less fragile detection
   capability.

   This does not mean the more fragile IoC types are worthless.  First,
   there is no guarantee a fragile IoC will change, and if a known IoC
   isn't changed by the attacker but wasn't blocked, then the defender
   missed an opportunity to halt an attack in its tracks.  Second, even
   within one IoC type, there is variation in the fragility depending on
   the context of the IoC.  The file hash of a phishing lure document
   (with a particular theme and containing a specific staging server
   link) may be more fragile than the file hash of a remote access
   trojan payload the attacker uses after initial access.  That in turn
   may be more fragile than the file hash of an attacker-controlled
   post-exploitation reconnaissance tool that doesn't connect directly
   to the attacker's infrastructure.  Third, some threats and actors are
   more capable or inclined to change than others, and so the fragility
   of an IoC for one may be very different to an IoC of the same type
   for another actor.

   Ultimately, fragility is a defender's concern that impacts the
   ongoing efficacy of each IoC and will factor into decisions about end
   of life.  However, it should not prevent adoption of individual IoCs
   unless there are significantly strict resource constraints that
   demand down-selection of IoCs for deployment.  More usually,
   defenders researching threats will attempt to identify IoCs of
   varying fragilities for a particular kill chain to provide the
   greatest chances of ongoing detection given available investigative
   effort (see Section 5.1.2) and while still maintaining precision (see
   Section 5.2).

5.1.2.  Discoverability

   To be used in attack defence, IoCs must first be discovered through
   proactive hunting or reactive investigation.  As noted in
   Section 3.1, IoCs in the tools and TTPs levels of the PoP require
   intensive effort and research to discover.  However, it is not just
   an IoC's type that impacts its discoverability.  The sophistication
   of the actor, their TTPs, and their tooling play a significant role,
   as does whether the IoC is retrieved from logs after the attack or
   extracted from samples or infected systems earlier.

   For example, on an infected endpoint, it may be possible to identify
   a malicious payload and then extract relevant IoCs, such as the file
   hash and its C2 server address.  If the attacker used the same static
   payload throughout the attack, this single file hash value will cover
   all instances.  However, if the attacker diversified their payloads,
   that hash can be more fragile, and other hashes may need to be
   discovered from other samples used on other infected endpoints.
   Concurrently, the attacker may have simply hard-coded configuration
   data into the payload, in which case the C2 server address can be
   easy to recover.  Alternatively, the address can be stored in an
   obfuscated persistent configuration within either the payload (e.g.,
   within its source code or associated resource) or the infected
   endpoint's file system (e.g., using alternative data streams [ADS]),
   thus requiring more effort to discover.  Further, the attacker may be
   storing the configuration in memory only or relying on a DGA to
   generate C2 server addresses on demand.  In this case, extracting the
   C2 server address can require a memory dump or the execution or
   reverse engineering of the DGA, all of which increase the effort
   still further.

   If the malicious payload has already communicated with its C2 server,
   then it may be possible to discover that C2 server address IoC from
   network traffic logs more easily.  However, once again, multiple
   factors can make discoverability more challenging, such as the
   increasing adoption of HTTPS for malicious traffic, meaning C2
   communications blend in with legitimate traffic and can be
   complicated to identify.  Further, some malwares obfuscate their
   intended destinations by using alternative DNS resolution services
   (e.g., OpenNIC [OPENNIC]), by using encrypted DNS protocols such as
   DNS-over-HTTPS [OILRIG], or by performing transformation operations
   on resolved IP addresses to determine the real C2 server address
   encoded in the DNS response [LAZARUS].

5.1.3.  Completeness

   In many cases, the list of indicators resulting from an activity or
   discovered in a malware sample is relatively short and so only adds
   to the total set of all indicators in a limited and finite manner.  A
   clear example of this is when static indicators for C2 servers are
   discovered in a malware strain.  Sharing, deployment, and detection
   will often not be greatly impacted by the addition of such indicators
   for one more incident or one more sample.  However, in the case of
   discovery of a DGA, this requires a reimplementation of the algorithm
   and then execution to generate a possible list of domains.  Depending
   on the algorithm, this can result in very large lists of indicators,
   which may cause performance degradation, particularly during
   detection.  In some cases, such sources of indicators can lead to a
   pragmatic decision being made between obtaining reasonable coverage
   of the possible indicator values and theoretical completeness of a
   list of all possible indicator values.

5.2.  Precision

5.2.1.  Specificity

   Alongside pain and fragility, the PoP's levels can also be considered
   in terms of how precise the defence can be, with the false positive
   rate usually increasing as we move up the pyramid to less specific
   IoCs.  A hash value identifies a particular file, such as an
   executable binary, and given a suitable cryptographic hash function,
   the false positives are effectively nil (by "suitable", we mean one
   with preimage resistance and strong collision resistance).  In
   comparison, IoCs in the upper levels (such as some network artefacts
   or tool fingerprints) may apply to various malicious binaries, and
   even benign software may share the same identifying characteristics.
   For example, threat actor tools making web requests may be identified
   by the user-agent string specified in the request header.  However,
   this value may be the same as that used by legitimate software,
   either by the attacker's choice or through use of a common library.

   It should come as no surprise that the more specific an IoC, the more
   fragile it is; as things change, they move outside of that specific
   focus.  While less fragile IoCs may be desirable for their robustness
   and longevity, this must be balanced with the increased chance of
   false positives from their broadness.  One way in which this balance
   is achieved is by grouping indicators and using them in combination.
   While two low-specificity IoCs for a particular attack may each have
   chances of false positives, when observed together, they may provide
   greater confidence of an accurate detection of the relevant kill
   chain.

5.2.2.  Dual and Compromised Use

   As noted in Section 3.2.2, the context of an IoC, such as the way in
   which the attacker uses it, may equally impact the precision with
   which that IoC detects an attack.  An IP address representing an
   attacker's staging server, from which their attack chain downloads
   subsequent payloads, offers a precise IP address for attacker-owned
   infrastructure.  However, it will be less precise if that IP address
   is associated with a cloud-hosting provider and is regularly
   reassigned from one user to another; it will be less precise still if
   the attacker compromised a legitimate web server and is abusing the
   IP address alongside the ongoing legitimate use.

   Similarly, a file hash representing an attacker's custom remote
   access trojan will be very precise; however, a file hash representing
   a common enterprise remote administration tool will be less precise,
   depending on whether or not the defender organisation usually uses
   that tool for legitimate system administration.  Notably, such dual-
   use indicators are context specific, considering both whether they
   are usually used legitimately and how they are used in a particular
   circumstance.  Use of the remote administration tool may be
   legitimate for support staff during working hours but not generally
   by non-support staff, particularly if observed outside of that
   employee's usual working hours.

   For reasons like these, context is very important when sharing and
   using IoCs.

5.2.3.  Changing Use

   In the case of IP addresses, the growing adoption of cloud services,
   proxies, virtual private networks (VPNs), and carrier-grade Network
   Address Translation (NAT) are increasing the number of systems
   associated with any one IP address at the same moment in time.  This
   ongoing change to the use of IP addresses is somewhat reducing the
   specificity of IP addresses (at least for specific subnets or
   individual addresses) while also "side-stepping" the pain that threat
   actors would otherwise incur if they needed to change IP address.

5.3.  Privacy

   As noted in Section 3.2.2, context is critical to effective detection
   using IoCs.  However, at times, defenders may feel there are privacy
   concerns with how much and with whom to share about a cyber
   intrusion.  For example, defenders may generalise the IoCs'
   description of the attack by removing context to facilitate sharing.
   This generalisation can result in an incomplete set of IoCs being
   shared or IoCs being shared without clear indication of what they
   represent and how they are involved in an attack.  The sharer will
   consider the privacy trade-off when generalising the IoC and should
   bear in mind that the loss of context can greatly reduce the utility
   of the IoC for those they share with.

   In the authors' experiences, self-censoring by sharers appears more
   prevalent and more extensive when sharing IoCs into groups with more
   members, into groups with a broader range of perceived member
   expertise (particularly, the further the lower bound extends below
   the sharer's perceived own expertise), and into groups that do not
   maintain strong intermember trust.  Trust within such groups often
   appears strongest where members interact regularly; have common
   backgrounds, expertise, or challenges; conform to behavioural
   expectations (such as by following defined handling requirements and
   not misrepresenting material they share); and reciprocate the sharing
   and support they receive.  [LITREVIEW] highlights that many of these
   factors are associated with the human role in Cyber Threat
   Intelligence (CTI) sharing.

5.4.  Automation

   While IoCs can be effectively utilised by organisations of various
   sizes and resource constraints, as discussed in Section 4.1.2,
   automation of IoC ingestion, processing, assessment, and deployment
   is critical for managing them at scale.  Manual oversight and
   investigation may be necessary intermittently, but a reliance on
   manual processing and searching only works at small scale or for
   occasional cases.

   The adoption of automation can also enable faster and easier
   correlation of IoC detections across different log sources and
   network monitoring interfaces across different times and physical
   locations.  Thus, the response can be tailored to reflect the number
   and overlap of detections from a particular intrusion set, and the
   necessary context can be presented alongside the detection when
   generating any alerts for defender review.  While manual processing
   and searching may be no less accurate (although IoC transcription
   errors are a common problem during busy incidents in the experience
   of the authors), the correlation and cross-referencing necessary to
   provide the same degree of situational awareness is much more time-
   consuming.

   A third important consideration when performing manual processing is
   the longer phase monitoring and adjustment necessary to effectively
   age out IoCs as they become irrelevant or, more crucially,
   inaccurate.  Manual implementations must often simply include or
   exclude an IoC, as anything more granular is time-consuming and
   complicated to manage.  In contrast, automations can support a
   gradual reduction in confidence scoring, enabling IoCs to contribute
   but not individually disrupt a detection as their specificity
   reduces.

6.  Comprehensive Coverage and Defence-in-Depth

   IoCs provide the defender with a range of options across the PoP's
   layers, enabling them to balance precision and fragility to give high
   confidence detections that are practical and useful.  Broad coverage
   of the PoP is important as it allows the defender to choose between
   high precision but high fragility options and more robust but less
   precise indicators depending on availability.  As fragile indicators
   are changed, the more robust IoCs allow for continued detection and
   faster rediscovery.  For this reason, it's important to collect as
   many IoCs as possible across the whole PoP to provide options for
   defenders.

   At the top of the PoP, TTPs identified through anomaly detection and
   machine learning are more likely to have false positives, which gives
   lower confidence and, vitally, requires better trained analysts to
   understand and implement the defences.  However, these are very
   painful for attackers to change, so when tuned appropriately, they
   provide a robust detection.  Hashes, at the bottom, are precise and
   easy to deploy but are fragile and easily changed within and across
   campaigns by malicious actors.

   Endpoint Detection and Response (EDR) or Antivirus (AV) are often the
   first port of call for protection from intrusion, but endpoint
   solutions aren't a panacea.  One issue is that there are many
   environments where it is not possible to keep them updated or, in
   some cases, deploy them at all.  For example, the Owari botnet, a
   Mirai variant [Owari], exploited Internet of Things (IoT) devices
   where such solutions could not be deployed.  It is because of such
   gaps, where endpoint solutions can't be relied on, that a defence-in-
   depth approach is commonly advised, using a blended approach that
   includes both network and endpoint defences.

   If an attack happens, then the best situation is that an endpoint
   solution will detect and prevent it.  If it doesn't, it could be for
   many good reasons: the endpoint solution could be quite conservative
   and aim for a low false-positive rate, it might not have ubiquitous
   coverage, or it might only be able to defend the initial step of the
   kill chain [KillChain].  In the worst cases, the attack specifically
   disables the endpoint solution, or the malware is brand new and so
   won't be recognised.

   In the middle of the pyramid, IoCs related to network information
   (such as domains and IP addresses) can be particularly useful.  They
   allow for broad coverage, without requiring each and every endpoint
   security solution to be updated, as they may be detected and enforced
   in a more centralised manner at network choke points (such as proxies
   and gateways).  This makes them particularly useful in contexts where
   ensuring endpoint security isn't possible, such as Bring Your Own
   Device (BYOD), Internet of Things (IoT), and legacy environments.
   It's important to note that these network-level IoCs can also protect
   users of a network against compromised endpoints when these IoCs are
   used to detect the attack in network traffic, even if the compromise
   itself passes unnoticed.  For example, in a BYOD environment,
   enforcing security policies on the device can be difficult, so non-
   endpoint IoCs and solutions are needed to allow detection of
   compromise even with no endpoint coverage.

   One example of how network-level IoCs provide a layer of a defence-
   in-depth solution is Protective DNS (PDNS) [Annual2021], a free and
   voluntary DNS filtering service provided by the UK NCSC for UK public
   sector organisations [PDNS].  In 2021, this service blocked access to
   more than 160 million DNS queries (out of 602 billion total queries)
   for the organisations signed up to the service [ACD2021].  This
   included hundreds of thousands of queries for domains associated with
   Flubot, Android malware that uses DGAs to generate 25,000 candidate
   command and control domains each month (these DGAs [DGAs] are a type
   of TTP).

   IoCs such as malicious domains can be put on PDNS straight away and
   can then be used to prevent access to those known malicious domains
   across the entire estate of over 925 separate public sector entities
   that use NCSC's PDNS.  Coverage can be patchy with endpoints, as the
   roll-out of protections isn't uniform or necessarily fast.  However,
   if the IoC is on PDNS, a consistent defence is maintained for devices
   using PDNS, even if the device itself is not immediately updated.
   This offers protection, regardless of whether the context is a BYOD
   environment or a managed enterprise system.  PDNS provides the most
   front-facing layer of defence-in-depth solutions for its users, but
   other IoCs, like Server Name Indication values in TLS or the server
   certificate information, also provide IoC protections at other
   layers.

   Similar to the AV scenario, large-scale services face risk decisions
   around balancing threat against business impact from false positives.
   Organisations need to be able to retain the ability to be more
   conservative with their own defences, while still benefiting from
   them.  For instance, a commercial DNS filtering service is intended
   for broad deployment, so it will have a risk tolerance similar to AV
   products, whereas DNS filtering intended for government users (e.g.,
   PDNS) can be more conservative but will still have a relatively broad
   deployment if intended for the whole of government.  A government
   department or specific company, on the other hand, might accept the
   risk of disruption and arrange firewalls or other network protection
   devices to completely block anything related to particular threats,
   regardless of the confidence, but rely on a DNS filtering service for
   everything else.

   Other network defences can make use of this blanket coverage from
   IoCs, like middlebox mitigation, proxy defences, and application-
   layer firewalls, but are out of scope for this document.  Large
   enterprise networks are likely to deploy their own DNS resolution
   architecture and possibly TLS inspection proxies and can deploy IoCs
   in these locations.  However, in networks that choose not to, or
   don't have the resources to, deploy these sorts of mitigations, DNS
   goes through firewalls, proxies, and possibly a DNS filtering
   service; it doesn't have to be unencrypted, but these appliances must
   be able to decrypt it to do anything useful with it, like blocking
   queries for known bad URIs.

   Covering a broad range of IoCs gives defenders a wide range of
   benefits: they are easy to deploy; they provide a high enough
   confidence to be effective; at least some will be painful for
   attackers to change; and their distribution around the infrastructure
   allows for different points of failure, and so overall they enable
   the defenders to disrupt bad actors.  The combination of these
   factors cements IoCs as a particularly valuable tool for defenders
   with limited resources.

7.  IANA Considerations

   This document has no IANA actions.

8.  Security Considerations

   This document is all about system security.  However, when poorly
   deployed, IoCs can lead to over-blocking, which may present an
   availability concern for some systems.  While IoCs preserve privacy
   on a macro scale (by preventing data breaches), research could be
   done to investigate the impact on privacy from sharing IoCs, and
   improvements could be made to minimise any impact found.  The
   creation of a privacy-preserving method of sharing IoCs that still
   allows both network and endpoint defences to provide security and
   layered defences would be an interesting proposal.

9.  Conclusions

   IoCs are versatile and powerful.  IoCs underpin and enable multiple
   layers of the modern defence-in-depth strategy.  IoCs are easy to
   share, providing a multiplier effect on attack defence efforts, and
   they save vital time.  Network-level IoCs offer protection, which is
   especially valuable when an endpoint-only solution isn't sufficient.
   These properties, along with their ease of use, make IoCs a key
   component of any attack defence strategy and particularly valuable
   for defenders with limited resources.

   For IoCs to be useful, they don't have to be unencrypted or visible
   in networks, but it is crucial that they be made available, along
   with their context, to entities that need them.  It is also important
   that this availability and eventual usage cope with multiple points
   of failure, as per the defence-in-depth strategy, of which IoCs are a
   key part.

10.  Informative References

   [ACD2021]  UK NCSC, "Active Cyber Defence - The Fifth Year", May
              2022, <https://www.ncsc.gov.uk/files/ACD-The-Fifth-Year-
              full-report.pdf>.

   [ADS]      Microsoft, "File Streams (Local File Systems)", January
              2021, <https://docs.microsoft.com/en-
              us/windows/win32/fileio/file-streams>.

   [ALIENVAULT]
              AlienVault, "AlienVault: The World's First Truly Open
              Threat Intelligence Community",
              <https://otx.alienvault.com/>.

   [Annual2021]
              UK NCSC, "NCSC Annual Review 2021: Making the UK the
              safest place to live and work online", 2021,
              <https://www.ncsc.gov.uk/files/
              NCSC%20Annual%20Review%202021.pdf>.

   [CISA]     CISA, "Iranian Government-Sponsored APT Cyber Actors
              Exploiting Microsoft Exchange and Fortinet Vulnerabilities
              in Furtherance of Malicious Activities", November 2021,
              <https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>.

   [COBALT]   "Cobalt Strike", <https://www.cobaltstrike.com/>.

   [DFRONT]   Infosec, "Domain Fronting", April 2017,
              <https://resources.infosecinstitute.com/topic/domain-
              fronting/>.

   [DGAs]     MITRE, "Dynamic Resolution: Domain Generation Algorithms",
              2020, <https://attack.mitre.org/techniques/T1483/>.

   [FireEye]  O'Leary, J., Kimble, J., Vanderlee, K., and N. Fraser,
              "Insights into Iranian Cyber Espionage: APT33 Targets
              Aerospace and Energy Sectors and has Ties to Destructive
              Malware", September 2017,
              <https://www.mandiant.com/resources/blog/apt33-insights-
              into-iranian-cyber-espionage>.

   [FireEye2] Ackerman, G., Cole, R., Thompson, A., Orleans, A., and N.
              Carr, "OVERRULED: Containing a Potentially Destructive
              Adversary", December 2018,
              <https://www.mandiant.com/resources/blog/overruled-
              containing-a-potentially-destructive-adversary>.

   [GoldenTicket]
              Mizrahi, I. and Cymptom, "Steal or Forge Kerberos Tickets:
              Golden Ticket", 2020,
              <https://attack.mitre.org/techniques/T1558/001/>.

   [KillChain]
              Lockheed Martin, "The Cyber Kill Chain",
              <https://www.lockheedmartin.com/en-us/capabilities/cyber/
              cyber-kill-chain.html>.

   [LAZARUS]  Kaspersky Lab, "Lazarus Under The Hood",
              <https://media.kasperskycontenthub.com/wp-
              content/uploads/sites/43/2018/03/07180244/
              Lazarus_Under_The_Hood_PDF_final.pdf>.

   [LITREVIEW]
              Wagner, T., Mahbub, K., Palomar, E., and A. Abdallah,
              "Cyber Threat Intelligence Sharing: Survey and Research
              Directions", January 2019, <https://www.open-
              access.bcu.ac.uk/7852/1/Cyber%20Threat%20Intelligence%20Sh
              aring%20Survey%20and%20Research%20Directions.pdf>.

   [Mimikatz] Mulder, J., "Mimikatz Overview, Defenses and Detection",
              February 2016, <https://www.sans.org/white-papers/36780/>.

   [MISP]     "MISP", <https://www.misp-project.org/>.

   [MISPCORE] Dulaunoy, A. and A. Iklody, "MISP core format", Work in
              Progress, Internet-Draft, draft-dulaunoy-misp-core-format-
              16, 26 February 2023,
              <https://datatracker.ietf.org/doc/html/draft-dulaunoy-
              misp-core-format-16>.

   [NCCGroup] Jansen, W., "Abusing cloud services to fly under the
              radar", January 2021,
              <https://research.nccgroup.com/2021/01/12/abusing-cloud-
              services-to-fly-under-the-radar/>.

   [NIST]     NIST, "Glossary - security control",
              <https://csrc.nist.gov/glossary/term/security_control>.

   [OILRIG]   Cimpanu, C., "Iranian hacker group becomes first known APT
              to weaponize DNS-over-HTTPS (DoH)", August 2020,
              <https://www.zdnet.com/article/iranian-hacker-group-
              becomes-first-known-apt-to-weaponize-dns-over-https-doh/>.

   [OPENIOC]  Gibb, W. and D. Kerr, "OpenIOC: Back to the Basics",
              October 2013, <https://www.fireeye.com/blog/threat-
              research/2013/10/openioc-basics.html>.

   [OPENNIC]  "OpenNIC", <https://www.opennic.org/>.

   [Owari]    UK NCSC, "Owari botnet own-goal takeover", 2018, <https://
              webarchive.nationalarchives.gov.uk/ukgwa/20220301141030/
              https://www.ncsc.gov.uk/report/weekly-threat-report-8th-
              june-2018>.

   [PDNS]     UK NCSC, "Protective Domain Name Service (PDNS)", August
              2017, <https://www.ncsc.gov.uk/information/pdns>.

   [PoP]      Bianco, D., "The Pyramid of Pain", March 2013,
              <https://detect-respond.blogspot.com/2013/03/the-pyramid-
              of-pain.html>.

   [RFC7970]  Danyliw, R., "The Incident Object Description Exchange
              Format Version 2", RFC 7970, DOI 10.17487/RFC7970,
              November 2016, <https://www.rfc-editor.org/info/rfc7970>.

   [RULER]    MITRE, "Ruler",
              <https://attack.mitre.org/software/S0358/>.

   [STIX]     OASIS Cyber Threat Intelligence (CTI), "Introduction to
              STIX", <https://oasis-open.github.io/cti-
              documentation/stix/intro>.

   [Symantec] Symantec, "Elfin: Relentless Espionage Group Targets
              Multiple Organizations in Saudi Arabia and U.S.", March
              2019, <https://www.symantec.com/blogs/threat-intelligence/
              elfin-apt33-espionage>.

   [TAXII]    OASIS Cyber Threat Intelligence (CTI), "Introduction to
              TAXII", <https://oasis-open.github.io/cti-
              documentation/taxii/intro.html>.

   [Timestomp]
              MITRE, "Indicator Removal: Timestomp", January 2020,
              <https://attack.mitre.org/techniques/T1099/>.

   [TLP]      FIRST, "Traffic Light Protocol (TLP)",
              <https://www.first.org/tlp/>.

Acknowledgements

   Thanks to all those who have been involved with improving cyber
   defence in the IETF and IRTF communities.

Authors' Addresses

   Kirsty Paine
   Splunk Inc.
   Email: kirsty.ietf@gmail.com


   Ollie Whitehouse
   Binary Firefly
   Email: ollie@binaryfirefly.com


   James Sellwood
   Email: james.sellwood.ietf@gmail.com


   Andrew Shaw
   UK National Cyber Security Centre
   Email: andrew.s2@ncsc.gov.uk