IOCs are Dead - Long Live IOCs!
TRANSCRIPT

SESSION ID: AIR-F03
IOCs are Dead - Long Live IOCs!
Ryan Kazanciyan, Chief Security Architect, Tanium
@ryankaz42

Yours truly, circa 2010
https://buildsecurityin.us-cert.gov/sites/default/files/RyanKazanciyan-APTPanel.pdf

IOCs as advertised
Human-readable, machine-consumable
Capture a broad set of forensic artifacts
Foster information sharing
Provide context around threats
Do better than “signatures”

Five years later…

IOC quality and sharing in 2016

My own point of reference
2009-2015: Investigator
Large-scale, targeted attacks
Designed, tested, and applied IOCs for proactive and reactive hunting
2015-Present: Builder
Designing an EDR platform that includes IOC detection
Helping orgs build self-sustaining, scalable “hunting” capabilities

The erosion of indicator-based detection
Brittle indicators - short shelf-life
Poor quality control in threat data feeds
Hard to build effective homegrown IOCs
Indicator detection tools are inconsistent
IOCs applied to limited scope of data

“IOCs” vs. “threat data” vs. “intelligence”
IOCs are structured threat data
Threat data != threat intelligence
Threat intelligence provides context and analysis
Threat intelligence is ineffective without quality threat data

#RSAC
IOCs are brittle

Verizon DBIR 2015: Most shared IOC types
Source: Verizon DBIR 2015

IOCs in the APTnotes dataset
[Bar chart: indicators by type. CVE: 141; E-Mail: 5,083; URL: 9,096; Hosts: 2,237; IP: 6,639; Hashes: 2,512; Registry: 350; File Name: 248]
Derived from over 340 threat reports (2006-2015) archived on https://github.com/kbandla/APTnotes

This will never keep pace…
Source: Verizon DBIR 2015

The problem extends beyond file hashes
Short lifespan of C2 IPs and domains
Malicious sites co-located on virtual host server IPs
Low barrier to host malicious content on legitimate providers

Sheer volume does not solve the problem
2007: Bit9 FileAdvisor tracked 4 billion unique files, catalog grew by 50 million entries per day
2009: McAfee Global Threat Intelligence tracked reputation data for 140 million IP addresses, handling 50 million file lookups per day
2011: Symantec Insight tracked tens of billions of linkages between users, files, web sites

Seven years of progress?
“…an intelligence-led approach to security will be key in detecting the most sophisticated threats and responding to them quickly and effectively.”
“…innovating to provide predictive security. This approach comprises interconnected security technology at multiple layers in the technology stack, backed by global threat intelligence. Predictive security will allow security products to intelligently block attacks much sooner than is currently possible…”

Paid IOCs != quality IOCs

Have you assessed your feeds?
Jon Oltsik / ESG, http://www.networkworld.com/article/2951542/cisco-subnet/measuring-the-quality-of-commercial-threat-intelligence.html

My (incredibly scientific) methodology
Chose two top-tier paid threat feed services
Retrieved the most recent ~20 indicators from each
Spent 15 minutes eyeballing their contents

What are you paying for?
Too specific - malware hash AND’d with a filename (Real IOC from a commercial feed)
Too specific - LNK files are unique per-system (Real IOC from a commercial feed)
Too noisy - matches component of legitimate software (Real IOC from a commercial feed)

Building good IOCs is hard

Challenges with IOC development
Easy to build high-fidelity IOCs (may yield high false-negatives)
Hard to build robust IOCs (may yield higher false-positives)
Easy to build IOCs that don’t evaluate properly (tools have inconsistent matching logic)
“Pyramid of Pain”, David Bianco, http://detect-respond.blogspot.co.uk/2013/03/the-pyramid-of-pain.html

Running aground on a robust IOC
Too broad - may match on uncommon but legitimate binaries
How much time do your analysts have to continuously build, test, and refine IOCs like this?

Inconsistencies in IOC detection tools
Supported Observables: FileItem ✅, TaskItem ❌, ServiceItem ❌, EventLogItem ✅, ... ?
Logic Handling: nested AND / OR groupings of {…} terms (✅ ❌ ✅ ? ✅)
Data Normalization: x86 or x64?, HKEY_CURRENT_USER, %SYSTEMROOT%, HKEY_USERS\{SID}, \system32\, \SysWoW64\, \WoW6432Node\, \Windows\
STIX & CybOX have a few tools to help with this: maec-to-stix, python-cybox/normalize.py
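
The data-normalization items above are where the same evidence fails to match because the IOC author and the collection tool spell it differently. The Python below is an added example, not code from the presentation or from python-cybox; the function names, the canonical forms chosen, the default `C:\Windows` system root and the sample values are assumptions.

```python
import re

# Assumption: Windows is installed at C:\Windows (the default); adjust per fleet.
SYSTEM_ROOT = r"c:\windows"

HIVE_ALIASES = {
    "hklm": "hkey_local_machine",
    "hkcu": "hkey_current_user",
    "hku": "hkey_users",
    "hkcr": "hkey_classes_root",
}

# A SYSTEM-level collector sees a user's hive as HKEY_USERS\<SID>, not HKCU.
USER_SID = re.compile(r"^hkey_users\\s-1-5-21-[\d-]+(?=\\|$)")


def normalize_registry_path(path: str) -> str:
    """Return one canonical spelling for a registry key path."""
    p = path.strip().lower()
    hive, sep, rest = p.partition("\\")
    p = HIVE_ALIASES.get(hive, hive) + sep + rest
    # Treat any interactive user's hive as HKEY_CURRENT_USER.
    p = USER_SID.sub("hkey_current_user", p)
    # Fold the 32-bit registry view into the native one.
    return p.replace("\\wow6432node", "")


def normalize_file_path(path: str) -> str:
    """Return one canonical spelling for a file path."""
    p = path.strip().lower()
    for var in ("%systemroot%", "%windir%"):
        p = p.replace(var, SYSTEM_ROOT)
    # Fold the 32-bit system directory into the native one.
    return p.replace("\\syswow64\\", "\\system32\\")


def ioc_matches(term: str, observed: str, kind: str) -> bool:
    """Compare an IOC term with an observed value after normalization."""
    norm = normalize_registry_path if kind == "registry" else normalize_file_path
    return norm(term) == norm(observed)


# Constructed samples: (kind, term as written in the IOC, value as collected).
SAMPLES = [
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001"
     r"\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     r"HKEY_LOCAL_MACHINE\SOFTWARE\WoW6432Node\Microsoft\Windows\CurrentVersion\Run"),
    ("file", r"%SYSTEMROOT%\system32\svc.dll", r"C:\Windows\SysWOW64\svc.dll"),
]

if __name__ == "__main__":
    for kind, term, observed in SAMPLES:
        print(kind, "raw:", term.lower() == observed.lower(),
              "normalized:", ioc_matches(term, observed, kind))
```

Folding the 32-bit views into the native ones trades precision for recall; a tool that needs to report which view held the evidence should keep the original value alongside the normalized one.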

Issues specific to OpenIOC
What happens when you try to turn a proprietary tool’s unique output schema into a “standard”…
“Process Port Process”: ProcessItem/PortList/PortItem/process
“File EntryPoint Sig Name”: FileItem/PEInfo/DetectedEntryPointSignature/Name
“File PE Detected Anomalies”: FileItem/PEInfo/DetectedAnomalies/string

Issues specific to OpenIOC
Example: Registry evidence in OpenIOC
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value: Backdoor
Data: C:\path\to\malware.exe
RegistryItem/Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor
RegistryItem/KeyPath: \SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RegistryItem/Value: C:\path\to\malware.exe
RegistryItem/ValueName: Backdoor
RegistryItem/Text: C:\path\to\malware.exe

Broadening the scope of endpoint indicator usage

Focusing on scope of data, not tools
What are you matching your endpoint IOCs against?
What’s your cadence of detection?
Where are your gaps?
[Diagram: Workstations and Servers, with three scopes of data: Data at Rest (files on disk, registry); Historical Activity (telemetry, logs, alerts, historical data); Current Activity (processes, network connections, memory)]

Matching on SIEM / centralized logging
Most common endpoint data in SIEM:
Anti-virus / anti-malware alerts (all systems)
Event log data (subset of systems - usually servers)
Resource impact of large-scale event forwarding & storage limits endpoint coverage & scope of data

Matching on forensic telemetry
Process execution, file events, network connections, registry changes
Preserves historical data, short-lived events
Expensive to centralize in large environments
Limited scope of data for IOC matching

Matching on live endpoints
Potentially the broadest set of available data
Considerations: Endpoint impact, Availability, Time-to-assess, Scalability

The ideal combination
Goal: Maximize the value of brittle IOCs
Telemetry for efficiency, historical data
On-endpoint to maximize current state & at-rest data
Increase cadence as tools & resources permit
Don’t take shortcuts on scope of coverage!

“I only need to check important systems”
An example of why this fails:
Source: https://adsecurity.org/?p=1729
Credentials can be harvested from anywhere on a Windows network
No need to run malicious code on admin systems or DCs
By the time they get to “crown jewels”, attackers are already authenticating with legitimate accounts

Shrinking the detection gap

Doing better with what we've got
"The desire to take a technical feed and simply dump it into our security infrastructure doesn’t equate to a threat intelligence win... You cannot get more relevant threat intelligence than what you develop from within your own environment. This should then be enriched with external intelligence"
- Rick Holland, Forrester, 2016 CTI Summit
Source: https://www.digitalshadows.com/blog-and-research/another-sans-cyber-threat-intelligence-summit-is-in-the-books/

My own point of reference
As an investigator: [email protected] & outlier analysis over time
[Chart, 2010-2015: IOCs vs. Methodology & outlier analysis]
(Rough approximation for the sake of having a pretty graph)

Resetting expectations
[Diagram, Expectation: Preventative Controls; Threat data & intel feeds; Signature-based detection; Undetected Threats]
[Diagram, Reality: Preventative Controls; Signature-based detection; Undetected Threats; Threat data & intel feeds; Internal analysis]
High-quality threat data and intelligence can help you…
Categorize and contextualize known threats, streamline response
Provide additional layer of automated detection
...but it cannot...
Tell you what’s normal in your own environment
Exceed the benefits of well-implemented preventative controls
Close the gap of undetected threats

Looking inward to hunt
Derive intelligence from what’s “normal”
Build repeatable analysis tasks
Combine with automated use of IOCs and threat data
More is not always better!
Easy to overwhelm yourself
Take on discrete, high-value data sets one at a time

Aligning to the attack lifecycle
What are the "lowest common denominators" across targeted intrusions?
What readily-available evidence do they leave behind?
What easily-observable outlier conditions do they create?
[Diagram: Conduct Reconnaissance; Steal Credentials & Escalate Privileges; Move Laterally; Establish & Retain Persistence]

Example: [email protected]
“In addition to creating services to infect other computers in the LAN, attackers can also use the Task Scheduler to start ‘msiexec.exe’ remotely. The usage of Task Scheduler during Duqu infections for lateral movement was also observed with the 2011 version...”
Source: https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

What was the shared IOC?

How could we do better?
We could just add a specific TaskItem to the IOC...
…but what about other variants?
How can we find evidence of other malicious activity that abuses the same (incredibly common) lateral movement technique?

Example: Lateral command execution
Attacker Methods: Scheduled Tasks; WinRM & PowerShell; PsExec
Sources of Evidence: Logon & service events; Process history; Other forensic artifacts
Analysis Criteria:
Who? Accounts used
What? Executed commands, dropped files, etc.
Where? Source & target systems
When? Time & frequency
Assess outliers

Resulting stack analysis
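
Stacking, as an added example that is not from the presentation: the scheduled-task inventory below is constructed, and the field names, the helper names and the `max_hosts` threshold are assumptions. It groups tasks by what runs and who runs it, counts the hosts that show each combination, and returns the rarest for review.

```python
from collections import defaultdict

HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05", "srv01"]


def task(host, image, args, run_as):
    return {"host": host, "image": image, "args": args, "run_as": run_as}


# Constructed sample data: one row per scheduled task found on each host.
TASKS = (
    [task(h, r"C:\Program Files\Vendor\updater.exe", "/check", "SYSTEM") for h in HOSTS]
    + [task(h, r"C:\Windows\System32\defrag.exe", "-c", "SYSTEM") for h in HOSTS[:5]]
    + [task("srv01", r"C:\Windows\System32\wbadmin.exe", "start backup", r"CORP\svc_backup")]
    + [task("ws03", r"C:\Windows\System32\msiexec.exe", r"/i C:\Windows\Temp\a1.msi /q",
            r"CORP\adm_jsmith")]
)


def stack(records, keys):
    """Count distinct hosts per value of `keys`, rarest first."""
    hosts = defaultdict(set)
    for rec in records:
        # Case-fold so the same task spelled differently lands in one bucket.
        hosts[tuple(rec[k].lower() for k in keys)].add(rec["host"])
    return sorted((len(h), key, sorted(h)) for key, h in hosts.items())


def outliers(records, keys, max_hosts=1):
    """Return (value, hosts) for values seen on at most `max_hosts` systems."""
    return [(key, h) for n, key, h in stack(records, keys) if n <= max_hosts]


if __name__ == "__main__":
    # What + who: which command lines run under which accounts, and where.
    for count, key, hosts in stack(TASKS, ("image", "args", "run_as")):
        print(f"{count:>2} hosts  {' | '.join(key)}  {hosts if count <= 1 else ''}")
    # Who: accounts that own tasks on only one system.
    print(outliers(TASKS, ("run_as",)))
```

Rare is not the same as malicious: the backup task on the server is an outlier too, which is why the who/what/where/when criteria are applied to each row that surfaces.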

For additional examples
“Hunting in the Dark” https://speakerdeck.com/ryankaz
Includes coverage of:
More task analysis
ShimCache and process history
Service Events
WMI event consumers
Alternative authentication mechanisms

Closing thoughts and takeaways

Evolving standards & platforms
Platforms: MISP http://www.misp-project.org
Hubs and exchanges: Facebook ThreatExchange https://threatexchange.t.com
Standards: CybOX 3.0 refactoring and simplification

Quantitative assessment of threat feeds
Few efforts to-date - this is difficult!
Threat Intelligence Quotient Test (tiq-test)
Statistical analysis of IPs and domains in threat feeds
References:
https://github.com/mlsecproject
https://defcon.org/images/defcon-22/dc-22-presentations/Pinto-Maxwell/DEFCON-22-Pinto-and-Maxwell-Measuring-the-IQ-of-your-threat-feeds-TIQtest-Updated.pdf

Ask your threat feed vendor
Where’s the intel coming from?
Professional services
Managed security services
Partners
Honeypots
“Open source” data gathering
Auto-generated sandbox data
What’s the breakdown of observable types?
What QC is in place?
Test-cases
Documentation
Spot-checking

Maximize your IOCs & threat data
Where are your gaps in endpoint & network visibility?
Can you expand the scope of data made available for endpoint IOC matching in your environment?
Are your tools and threat data sources fully compatible?
How quickly are you consuming new threat data? At what scale?

Have your investments made you more secure?
Even the best sources of threat data will never keep pace with emerging attacks
Know your network above all
Invest in attack surface reduction and “hygiene”. It really does make a difference.

Thank you!
Ryan Kazanciyan, Chief Security Architect, Tanium
@ryankaz42