But there is another problem on top of being flooded with false positives when using threat intelligence indicators as signatures. The bad guys know that enterprises use this approach, so they are leveraging it with some counter-offensive tactics. For instance, there are public and private intelligence feeds that enterprises and SOCs use either to create alerts based on hits or to auto-escalate them based on use cases. So, what are the bad guys doing?
- A given IOC is malicious only for a short timeframe, but long enough to be caught by some of the feed trackers out there. Once the IOC has been included in a tracker, the bad guys point the malicious domain (the IOC) to a well-known IP such as one belonging to Google or Facebook. Time to have fun with the enterprises relying on those IOCs.
- Changing DNS entries often (fast-flux). This is a common technique to hide the delivery sites behind an ever-changing network of compromised hosts, but when the malicious domains are pointed to legitimate IPs part of the time, it is again time to have fun with those enterprises leveraging those IOCs.
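The defensive counterpart of the two tricks above, as an added example that is not part of the original post: before a domain IOC is expanded into IP indicators for auto-escalation, check its resolution history against shared legitimate address space and against fast-flux churn. The "legitimate" ranges, the thresholds and the history format are assumptions for the example; a real deployment would load the providers' published ranges and its own passive DNS.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed stand-in for "well-known legitimate shared infrastructure" (large cloud/CDN
# providers). These are RFC 5737 documentation networks used as placeholders, not real
# provider allocations; a real deployment would load the providers' published ranges.
LEGIT_SHARED_NETS = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

FLUX_WINDOW = timedelta(hours=24)   # look-back window for resolution churn (assumed)
FLUX_DISTINCT_IPS = 5               # distinct IPs inside the window we treat as fast-flux


def is_shared_legit(ip: str) -> bool:
    """True if the address sits in infrastructure shared with legitimate services."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LEGIT_SHARED_NETS)


def classify_domain_ioc(domain: str, history: list[tuple[datetime, str]]) -> dict:
    """Decide which indicators derived from a domain IOC are still safe to act on.

    history: (observed_at, resolved_ip) pairs from passive DNS or resolver logs.
    The domain itself stays an indicator (hostname-level detection in DNS/proxy logs);
    the resolved IPs are kept only when they are not shared legitimate space and the
    domain is not cycling through addresses (fast-flux).
    """
    if not history:
        return {"domain": domain, "confidence": "medium", "alert_on_ips": [],
                "reasons": ["no resolution history: keep hostname-only indicator"]}
    history = sorted(history)
    latest_ts, latest_ip = history[-1]
    recent = {ip for ts, ip in history if latest_ts - ts <= FLUX_WINDOW}
    reasons, confidence = [], "high"
    if is_shared_legit(latest_ip):
        reasons.append(f"currently resolves to shared legitimate space ({latest_ip}); "
                       "likely parked or deliberately pointed at a benign provider")
        confidence = "low"
    if len(recent) >= FLUX_DISTINCT_IPS:
        reasons.append(f"{len(recent)} distinct IPs within {FLUX_WINDOW}: fast-flux "
                       "pattern, IP indicators are not stable")
        alert_on_ips = []
    else:
        # Keep only addresses that cannot be a shared provider; never auto-escalate the rest.
        alert_on_ips = sorted(ip for ip in recent if not is_shared_legit(ip))
    return {"domain": domain, "confidence": confidence,
            "alert_on_ips": alert_on_ips, "reasons": reasons}
```

The domain is never dropped, only downgraded; it is the IP pivot that the feed poisoning and fast-flux tricks target, so that is what the check refuses to auto-escalate.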
If you would like to stay ahead of poor threat intelligence, take a look at these questions for evaluating an external threat intelligence source.