IOC's: Indicators of Crap

Presented at CackalackyCon 1 (2019), June 1, 2019, 2 p.m. (60 minutes)

“You should be looking at Indicators of Compromise!” exclaims your CISO, regulator, vendor, and mom. No problem, right? You have the most expensive security intelligence vendor and all you have to do is correlate in your expensive SIEM! Well, if you have tried this, then you are laughing with me. Come hear my exploration into implementing IOCs at a major US insurance company and a major US bank. I’ll address the differences in Indicators of Compromise vs Indicators of Attack. I will show you how not to use the MITRE ATT&CK framework, plus some tips on how to use it well. My goal is to save you from falling into the same pitfalls when dealing with Indicators of Crap.
