IOC's: Indicators of Crap presented at BSidesAtlanta 2019

by Xavier Ashe

Summary: “You should be looking at Indicators of Compromise!” exclaims your CISO, regulator, vendor and mom. No problem, right? You have the most expensive security intelligence vendor, and all you have to do is correlate in your expensive SIEM! Well, if you have tried this, then you are laughing with me. Come hear my exploration into implementing IOCs at a major US insurance company and a major US bank. I’ll address the differences between Indicators of Compromise and Indicators of Attack. I will show you how not to use the MITRE ATT&CK framework, plus some tips on how to use it well. My goal is to save you from falling into the same pitfalls when dealing with Indicators of Crap.