
In the world of malware analysis, there is sometimes
confusion between the terms “artifacts” and “indicators of
compromise (IOCs).” This is understandable because many
malware analysis engines don’t distinguish between the two.
- The issue for malware analysts is how to find these meaningful IOCs, few in number, among an enormous pile of artifacts.
- This search carries with it some issues, foremost a “fear of false positives” because misclassifying an artifact as an IOC can lead to false alerts and potentially create a direct negative impact on the production network.
- Further, incorrectly identified IOCs have limited value in threat intelligence due to insufficient context. There is also difficulty integrating analysis across systems in heterogeneous environments due to a proliferation of proprietary formats.
- These issues are why security teams still rely mostly on manual, time-consuming methods to extract IOCs that are reliable and actionable.