Hash Hunting: Why File Hashes are Still Important

The State of Security

According to Gartner, threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable intelligence.

When security research teams or government agencies release threat intelligence reports, some of the more tactical, actionable intelligence is in the indicators. These indicators include (but are not limited to) IP addresses, domain names, file names and file hashes. The goal of providing this level of detail is so defenders can either put mitigating controls in place to block the malicious behavior or use the information to search for evil within their own organization.

I like to think of indicators as threat information rather than threat intelligence. Without additional context, such as time or intended targets, the indicators can be worthless. Time is an important one because indicators can be modified very quickly by an adversary.
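As an added example (not part of the original article), the following script shows what a hash hunt looks like when each indicator carries the context the text asks for: its source and the time it was observed. The feed, the file contents and the 90-day staleness threshold are all constructed; it also shows why time matters, since a one-byte change to a known sample produces a hash that no existing indicator covers.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    """A hash indicator plus the context that turns information into intelligence."""
    kind: str            # e.g. "sha256"
    value: str           # hex digest
    source: str          # report or feed that published it
    observed: datetime   # when the adversary was seen using this file


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed hunt time and a constructed two-entry feed: one fresh indicator,
# one that is well over a year old.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FEED = [
    Indicator("sha256", sha256_hex(b"constructed sample v1"), "report-A", NOW - timedelta(days=3)),
    Indicator("sha256", sha256_hex(b"constructed sample v0"), "report-B", NOW - timedelta(days=400)),
]

# Constructed file contents standing in for files collected from an endpoint.
SAMPLE_FILES = {
    "/tmp/update.bin": b"constructed sample v1",
    "/tmp/notes.txt": b"meeting notes, nothing to see",
}


def hunt(files, feed, now=NOW, stale_after=timedelta(days=90)):
    """Return {path: (indicator, is_stale)} for every file whose SHA-256 is in the feed.

    A stale hit is still worth a look, but it should be prioritised lower than a
    fresh one because the adversary has likely moved on to a new build."""
    by_hash = {i.value: i for i in feed if i.kind == "sha256"}
    hits = {}
    for path, data in files.items():
        ind = by_hash.get(sha256_hex(data))
        if ind is not None:
            hits[path] = (ind, now - ind.observed > stale_after)
    return hits


def variant_still_matches(data: bytes, feed) -> bool:
    """Does a trivially altered copy (one appended byte) still hit any indicator?
    It never does: a hash is exact-match only, which is why age and context matter."""
    return sha256_hex(data + b"\x00") in {i.value for i in feed}
```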
