Threat feeds convey a large quantity of data, including Indicators of Compromise (IoCs), pieces of forensic data that identify potentially malicious activities. Security analysts analyze, enrich, and turn them into threat intelligence, and security teams use them to look for persistent threats and recently discovered or zero-day exploits. Which of the following indicators provided by threat feeds provides the most value?
A. Host Artifacts
B. Domain Names
C. Hash Values
D. Tools

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Tools.

This question is designed based on The Pyramid of Pain. It is not an industry standard, but it provides an excellent foundation to evaluate Indicators of Compromise (IoCs) provided in threat feeds.

Not all Indicators of Compromise (IoCs) are created equal. If you are advised that a compromised system file will produce a specific hash value, it may produce less value because it’s too trivial. On the contrary, it creates more value if you are advised that an attack from someone.hackers.com (10.10.10.1) may comprise a system file and produce a specific hash if it succeeds.

Reference

• The Pyramid of Pain
• A DEFINITION OF INDICATORS OF COMPROMISE
• Threat Feeds or Threat Intelligence? (Actually, You Need Both)
• Free and open-source threat intelligence feeds.
• SANA Threat Feeds
• Threat Intelligence Feeds: Keeping Ahead of the Attacker
• Threat Intelligence Feeds: Why Context Is Key
• Indicators of compromise
• SolarWinds IoCs To Connected Cyber Assets: What We Found
• LogRhythm-Labs/sunburst_iocs

威脅饋入(threat feeds)可傳輸大量數據，包括危害指標（IoC），可識別潛在惡意活動的鑑識數據。 安全分析人員進行分析、充實並將其轉變為威脅情報(intelligence)，安全團隊使用它們來查找持續存在的威脅以及最近發現或零日漏洞。 以下哪個威脅饋入提供的指標最具價值？
A. 主機相關跡證 (Host Artifacts)
B. 域名 (Domain Names)
C. 雜湊值 (Hash Values)
D. 工具 (Tools)