Cyber indicators are the newer detection strategy for dismantling adversarial assaults, and the volume of crowdsourced and private-community malicious IOCs grows every day, forcing the security industry to create a new must-have tool - a threat library. The effectiveness of every SOC rests on its ability to discover, ingest, analyze, respond to, and pivot off threat intelligence. Historically, an ad-hoc spreadsheet combined with a day of analyst muscle was enough to maintain and chase IOCs. Over the past several years, however, as crowdsourced intelligence has become mainstream, the volume of IOCs released by cyber intelligence providers (commercial and public do-gooders), industry blogs, malware repositories, vendor whitepapers, and open source intelligence (OSINT) has turned the spreadsheet fire drill into a bottleneck in the typical workflows of an adversary-hunting SOC. This discussion provides a first-hand operational look from within a large 30+ person DIB SOC: it explores the evolution of IOCs and the associated SOC workflows, assesses IOC overlap by source, discusses several tools that help manage threat intelligence, and closes with implementation lessons learned in hindsight.
Ryan Trost, a cyber-intelligence solutions architect at SRA International, has over 14 years of security experience focusing on intrusion detection and cyber intelligence, with specialized insight into computer network defense (CND) operations. He is a recognized leader in the cyber industry through conference speaking engagements including DEF CON, SANS, Cisco USG Transformer, and HIPAA Summit West, as well as being the published author of Practical Intrusion Analysis. He developed one of the first geospatial intrusion detection algorithms used to identify attack patterns. Ryan has successfully managed several large 35+ person SOC teams by focusing on forward-leaning techniques for detecting and responding to nation-state adversaries, structuring and automating the IOC lifecycle, and fusing intel from non-traditional sources. He is currently finishing his second book, which cross-pollinates traditional network security practices and cyber intelligence methodologies to better learn, understand, and predict cyber conflict engagements.