Pleased to announce that our paper, "Can IOCs Impose Cost?", has been published in ACM CCS.
Does publicly releasing cybersecurity threat intelligence (CTI) actually force adversaries to adapt their behavior, which "imposes costs" as the theory goes? We decided to empirically test it.
We analyzed the IOC feeds of two major commercial providers against a large dataset of network traffic metadata. Most IOCs pointed to resources that had already been abandoned by the time they were published.
The short summary is: not in the way we might hope; attackers were typically long gone.
For one major provider, the IOCs were published with a 30-day lag after the peak of the threat actor's activity.
So, what does this mean for enterprise customers buying these feeds?
1. Customers should re-evaluate their spending if their primary goal is real-time intrusion detection.
2. Instead, the best use of CTI is likely in retrospective threat hunting in stored telemetry. We recommend at least 30 days of retention to make this work.
3. Enterprises could combine efforts (e.g., via an ISAC or CSIRT) for a more comprehensive, industry-wide evaluation of CTI timeliness.
Our findings also have broader implications for those studying cyber conflict and the strategic notion of 'imposing costs' using threat intelligence.
Read the full (open access) study here: dl.acm.org/doi/10.1145/...
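A small worked example, added here and not taken from the paper or its authors, of what the two measurements in the thread look like in code: the lag between an indicator's last observed activity and its publication, and a retrospective hunt over stored telemetry under a retention policy. All telemetry records, feed entries and domain names are constructed and hypothetical; the functions `publication_lag_days`, `realtime_hits` and `retrospective_hunt` are assumptions of this example, not tooling from the study.

```python
from datetime import datetime, timedelta, timezone
from collections import defaultdict

# Constructed sample data (not from the paper): network metadata records as
# (timestamp, contacted domain), and an IOC feed as (indicator, published_at).
BASE = datetime(2025, 1, 1, tzinfo=timezone.utc)

def day(n, hour=12):
    """Timestamp n days after the constructed base date."""
    return BASE + timedelta(days=n, hours=hour)

TELEMETRY = [
    (day(2), "c2-alpha.example"),   # hypothetical C2 domain, active days 2-5
    (day(3), "c2-alpha.example"),
    (day(5), "c2-alpha.example"),
    (day(20), "c2-beta.example"),   # hypothetical C2 domain, active days 20-22
    (day(22), "c2-beta.example"),
    (day(40), "benign.example"),
]

IOC_FEED = [
    ("c2-alpha.example", day(35)),   # published 30 days after last local sighting
    ("c2-beta.example", day(27)),    # published 5 days after last local sighting
    ("never-seen.example", day(30)), # never observed in this telemetry
]

def last_sighting(telemetry):
    """Map each destination to its most recent observation."""
    last = {}
    for ts, dst in telemetry:
        if dst not in last or ts > last[dst]:
            last[dst] = ts
    return last

def publication_lag_days(iocs, telemetry):
    """Days between an indicator's last observed activity and its publication.
    Positive means published after the activity stopped; None means never seen."""
    last = last_sighting(telemetry)
    lags = {}
    for ioc, published in iocs:
        seen = last.get(ioc)
        lags[ioc] = None if seen is None else (published - seen).total_seconds() / 86400
    return lags

def realtime_hits(iocs, telemetry):
    """What a real-time matcher would catch: traffic occurring on or after publication."""
    published = dict(iocs)
    return sorted({dst for ts, dst in telemetry if dst in published and ts >= published[dst]})

def retrospective_hunt(iocs, telemetry, now, retention_days):
    """Match the feed against telemetry still held under the retention policy.
    Returns {indicator: [timestamps of hits]} for indicators with at least one hit."""
    cutoff = now - timedelta(days=retention_days)
    wanted = {ioc for ioc, _ in iocs}
    hits = defaultdict(list)
    for ts, dst in telemetry:
        if ts >= cutoff and dst in wanted:
            hits[dst].append(ts)
    return dict(hits)

if __name__ == "__main__":
    now = day(40)
    for ioc, lag in publication_lag_days(IOC_FEED, TELEMETRY).items():
        print(f"{ioc}: " + ("never seen" if lag is None else f"published {lag:.0f} days after last activity"))
    print("real-time hits:", realtime_hits(IOC_FEED, TELEMETRY))
    for retention in (7, 30, 40):
        found = sorted(retrospective_hunt(IOC_FEED, TELEMETRY, now, retention))
        print(f"retrospective hunt, {retention}-day retention:", found)
```

With this constructed data the real-time matcher finds nothing, because every beacon predates the indicator's publication; a 7-day retention window also finds nothing, 30 days recovers the beta intrusion, and only a window longer than the alpha indicator's 30-day lag recovers alpha. That is the trade-off the thread's second recommendation points at: retention has to exceed the feed's publication lag for retrospective hunting to pay off.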
As much as I like the idea of electric car sharing, the pricing of We Drive Solar and Mywheels is just not appealing yet
Saw a great moderator once who kicked off the Q&A with: 'Please keep in mind that a question should be one sentence that ends with a question mark.'
Just a few days left to submit your proposal to our Call for Talks! Send your proposal for a short talk to haguetix@thehagueprogram.nl by noon (CET), Monday 31 March 2025. More info -> www.thehagueprogram.nl/the-hague-ti...
@monicakello.bsky.social @xbouwman.bsky.social @collierjam.bsky.social
Call for talks! - Send us your proposals by Monday 31 March, 11:59am/noon (CET - Central European Time)! --> www.thehagueprogram.nl/the-hague-ti...
@monicakello.bsky.social @fggaleiden.bsky.social @collierjam.bsky.social @thehagueprogram.bsky.social
And why this isn't more common - well I feel like the Venn diagram of people who analyze samples and people who care about proper referencing in print books looks like two adjacent circles.
Hashes in end notes, on a website, which is captured on archive.org. Sounds like a dream to a reader like me. If you really want to go all the way you could consider making available the primary sources via ipfs en.m.wikipedia.org/wiki/InterPl...
It's okay to say 'I don't know', particularly if you don't know.