5 min read

There is great interest among security technology and service providers about the intersection of global threat intelligence with local observations in the network. While there is certainly cause for excitement, it’s worth pausing to ask the question “Is Threat Intelligence being used effectively?”

David Bianco explains that not all Indicators of Compromise(IOCs) are created equal. The pyramid defines the pain it will cause the adversaries when you are able to deny those indicators to them.


Hash Values: SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious files. Hash Values are often used to provide unique references to specific samples of malware or to files involved in an intrusion. Netsurion can provide this functionality via its Change Audit feature.

IP Addresses: or even net blocks. If you deny the adversary the use of one of their IP addresses, cyber criminals can usually recover quickly. Netsurion addresses these via its Behavior Module and the associated IP Reputation lookup.

Domain Names: These are harder to change than IP addresses. Netsurion can either use logs from a proxy or scan web server logs to detect such artifacts.

Host Artifact: For example, if the attacker’s HTTP reconnaissance tool uses a distinctive User-Agent string when searching your web content (off by one space or semicolon, for example. Or maybe they just put their name. Don’t laugh. This happens!). Host Artifacts can be detected by the Behavior Module in Netsurion's threat protection platform, EventTracker, when focused on the User Agent string from web server logs.

Tools: Artifacts of tools (e.g. DLLs or EXE names or hashes) that the attacker is using, can be detected via the Unknown Process module within the EventTracker platform via the Change Audit feature.

Tactics, Techniques & Procedures: The EventTracker platform integrates the MITRE ATT&CK knowledge base of real-world adversary tactics, techniques, and procedures (TTPs) into our console. This intuitive ATT&CK threat intelligence improves threat hunting by understanding how hackers operate. Learn more about threat hunting.

Bottom line: Having Threat Intelligence is not the same as using it effectively. The former is something you can buy, the latter is something you develop as a capability. It not only requires tools but also persistent and well-trained human analysts.

Want both? Consider Netsurion Managed Threat Protection to proactively guard your critical business infrastructure with a team that understands adversarial tactics and techniques.