Our findings also have broader implications for those studying cyber conflict and the strategic notion of 'imposing costs' using threat intelligence.
Read the full (open access) study here: dl.acm.org/doi/10.1145/...
Read the full (open access) study here: dl.acm.org/doi/10.1145/...
Can IOCs Impose Cost? The Effects of Publishing Threat Intelligence on Adversary Behavior | Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security
dl.acm.org
November 26, 2025 at 10:11 AM
Our findings also have broader implications for those studying cyber conflict and the strategic notion of 'imposing costs' using threat intelligence.
Read the full (open access) study here: dl.acm.org/doi/10.1145/...
Read the full (open access) study here: dl.acm.org/doi/10.1145/...
2. Instead, the best use of CTI is likely in retrospective threat hunting in stored telemetry. We recommend at least 30 days of retention to make this work.
3. Enterprises could combine efforts (e.g., via an ISAC or CSIRT) for a more comprehensive, industry-wide evaluation of CTI timeliness.
3. Enterprises could combine efforts (e.g., via an ISAC or CSIRT) for a more comprehensive, industry-wide evaluation of CTI timeliness.
November 26, 2025 at 10:11 AM
2. Instead, the best use of CTI is likely in retrospective threat hunting in stored telemetry. We recommend at least 30 days of retention to make this work.
3. Enterprises could combine efforts (e.g., via an ISAC or CSIRT) for a more comprehensive, industry-wide evaluation of CTI timeliness.
3. Enterprises could combine efforts (e.g., via an ISAC or CSIRT) for a more comprehensive, industry-wide evaluation of CTI timeliness.
For one major provider, the IOCs were published with a 30-day lag after the peak of the threat actor's activity.
So, what does this mean for enterprise customers buying these feeds?
1. Customers should re-evaluate their spending if their primary goal is real-time intrusion detection.
So, what does this mean for enterprise customers buying these feeds?
1. Customers should re-evaluate their spending if their primary goal is real-time intrusion detection.
November 26, 2025 at 10:11 AM
For one major provider, the IOCs were published with a 30-day lag after the peak of the threat actor's activity.
So, what does this mean for enterprise customers buying these feeds?
1. Customers should re-evaluate their spending if their primary goal is real-time intrusion detection.
So, what does this mean for enterprise customers buying these feeds?
1. Customers should re-evaluate their spending if their primary goal is real-time intrusion detection.
The short summary is: not in the way we might hope, attackers were typically long gone.
We analyzed the IOC feeds of two major commercial providers against a large dataset of network traffic metadata. Most IOCs pointed to resources that had already been abandoned by the time they were published.
We analyzed the IOC feeds of two major commercial providers against a large dataset of network traffic metadata. Most IOCs pointed to resources that had already been abandoned by the time they were published.
November 26, 2025 at 10:11 AM
The short summary is: not in the way we might hope, attackers were typically long gone.
We analyzed the IOC feeds of two major commercial providers against a large dataset of network traffic metadata. Most IOCs pointed to resources that had already been abandoned by the time they were published.
We analyzed the IOC feeds of two major commercial providers against a large dataset of network traffic metadata. Most IOCs pointed to resources that had already been abandoned by the time they were published.
As much as I like the idea of electric car sharing, the pricing of We Drive Solar and Mywheels is just not appealing yet
April 4, 2025 at 12:17 PM
As much as I like the idea of electric car sharing, the pricing of We Drive Solar and Mywheels is just not appealing yet
Saw a great moderator once who kicked off the Q&A with: 'Please keep in mind that a question should be one sentence that ends with a question mark.'
April 4, 2025 at 7:20 AM
Saw a great moderator once who kicked off the Q&A with: 'Please keep in mind that a question should be one sentence that ends with a question mark.'
And why this isn't more common - well I feel like the Venn diagram of people who analyze samples and people who care about proper referencing in print books looks like two adjacent circles.
December 13, 2024 at 10:17 AM
And why this isn't more common - well I feel like the Venn diagram of people who analyze samples and people who care about proper referencing in print books looks like two adjacent circles.
Hashes in end notes, on a website, which is captured on archive.org. Sounds like a dream to a reader like me. If you really want to go all the way you could consider making available the primary sources via ipfs en.m.wikipedia.org/wiki/InterPl...
InterPlanetary File System - Wikipedia
en.m.wikipedia.org
December 13, 2024 at 10:13 AM
Hashes in end notes, on a website, which is captured on archive.org. Sounds like a dream to a reader like me. If you really want to go all the way you could consider making available the primary sources via ipfs en.m.wikipedia.org/wiki/InterPl...