Leveraging cyber intelligence for threat detection
In the previous article, we discussed how intelligence on vulnerabilities and adversary techniques helps prevent attacks early on. Now, let us take a closer look at detection and examine how different types of IoCs can be used to identify threats that, for one reason or another, evaded existing security solutions.
To better understand these indicators, we will turn to the Pyramid of Pain. This conceptual model illustrates how difficult it can be for a threat actor to modify a particular IoC once it has been identified and incorporated into threat detection processes. The Pyramid of Pain was created by David J. Bianco and introduced in 2013.
In the following sections, we analyze each type of IoC and explore how it can be used to detect cyber threats as effectively as possible.
Hash values
File hash values are among the easiest indicators for adversaries to change—they can be modified with a minor tweak to a file.
Hashes (MD5, SHA‑1, and SHA‑256) are the most common type of IoC.
Hash values make it possible to reliably determine whether a file is malicious or legitimate (threat actors often employ entirely legitimate tools). As a result, this type of indicator generally produces very few false positives.
However, the sheer volume of hash‑based IoCs makes managing them manually impractical. Instead, organizations should rely on their existing security solutions to automatically detect malicious and potentially malicious files.
The BI.ZONE Threat Intelligence portal features an integration module that enables users to apply IoCs for threat detection both in real time and retrospectively. This allows the identification of both new attacks and compromises that occurred before the relevant indicators became available.
At this point, a reasonable question arises: why use IoCs to detect malicious or potentially malicious files if antivirus or EDR
IP addresses
When it comes to IP addresses as IoCs, it is best to begin with their time to live (TTL). An IP that points to the C2 server of a particular malware sample at a given time may no longer be associated with that server just a few hours later. There are, of course, exceptions. For example, Sticky Werewolf had been using the same IP address for six months.
Unlike a file hash value, an IP does not necessarily remain malicious over time. Therefore, it is crucial to determine whether the address was malicious at the exact time communication with it was detected in your IT infrastructure.
How can you verify this? One way is to establish whether the C2 server has a distinctive signature indicating that the IP address is still serving its malicious purpose. Another is to look for newly discovered malware samples that continue to use the same IP address as their C2 server.
In some cases, legitimate and malicious resources may be hosted on the same IP simultaneously, which can result in false positives. In such cases, it is often useful to monitor not only IP addresses but also the network ports through which malware communicates with its C2 server.
As shown in the image above, the indicator metadata includes the threat name (in this case, Quasar RAT) alongside the port used for communication with the C2 server.
Domain names
Domain names can also form part of the adversary infrastructure. Like the already mentioned IoCs, they are relatively easy for attackers to change.
Unlike IP addresses, a short TTL is less critical for domain names. Threat actors typically register dedicated domains that are rarely repurposed for legitimate use. As a result, these indicators tend to generate relatively few false positives in security solutions.
When using domain names (as well as IP addresses) for threat detection, it is crucial to focus on the source of network communications. This principle also applies to legitimate domains that adversaries abuse. For example, attackers may leverage Discord to exfiltrate stolen data. In such cases, network communications with related domain names initiated by processes other than a messaging client or web browser may indicate malicious activity.
Network and host artifacts
At this level, we are looking at artifacts that take more than simply changing a C2 server or modifying a malware sample. Evading these indicators typically requires adversaries to make more substantial changes, significantly increasing the effort involved.
For example, during a campaign in June 2026, Hoody Hyena used the following user‑agent string when the BrokenDoor malware communicated with its C2 server: Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.1) Gecko/20061010 Firefox/2.0. The same string had also been employed by the threat actor during its May campaign. As this example shows, network artifacts have a much longer TTL than the three IoC types described above.
The same principle applies to host artifacts. For example, Rare Werewolf consistently used the console version of the WinRAR archiver, renamed driver.exe, across multiple campaigns. Although C2 server addresses and malicious (and other) file hashes changed over time, this host artifact remained unaltered.
Tools
Adversaries usually rely on a limited set of tools and malware within a campaign—and often across multiple campaigns. Although their arsenal evolves over time, hindering the detection based on the above IoCs, the overall toolkit often retains a unique combination of traits that can be used for identification.
For instance, YARA rules can be leveraged to identify these characteristics in files and, consequently, detect the files themselves.
Today, many EDR solutions support YARA rules. In addition, there are specialized scanners that apply these rules.
Multiple legitimate tools that attackers abuse deserve a special mention.
Threat actors typically do not modify these tools because security solutions already recognize them as legitimate. Instead, attackers often rename them to evade filename‑based detection. However, the metadata embedded in these tools can still be leveraged to identify and detect their use.
Tactics, techniques, and procedures
Adversaries may modify files, alter C2 server addresses, or expand their toolkits. However, they are far less likely to make significant changes to the tactics, techniques, and procedures (TTPs) they employ.
Leveraging insights into attacker TTPs enables organizations to detect malicious activity over a much longer period. In other words, TTPs serve as behavioral IoCs.
For example, Cavalry Werewolf copied the HKLM\SECURITY registry hive through the following command: reg save HKLM\SECURITY “C:\users\public\security.save”. In this case, the detection logic could be based on events where reg.exe is executed with the save parameter and the HKLM\SECURITY registry hive is specified.
Conclusion
Indicators of compromise extend far beyond file hash values and IP addresses. The higher you move up the Pyramid of Pain, the more resilient your threat detection strategy becomes—and the harder it is for adversaries to penetrate your environment. The BI.ZONE Threat Intelligence portal provides up‑to‑date IoCs across all levels of the pyramid, along with the context needed to use them effectively.
In the next article of the series, we will explore how to leverage insights into adversary TTPs for threat hunting.