I have previously been assigned vague incident responses, such as an electronic bank theft, where the only thing they knew was that the money ended up in Russia. I had to sort through gigabytes of traffic a day. If I had had a list of 876 IP addresses to begin the search with, I would have thought I was blessed.
The JAR is by no means a perfect document. It did not in any way attempt to prove that Russia was the perpetrator of the hacks in question. The IOCs provided are not definitive indicators that you have been compromised. The instructions on how to use the JAR effectively were not very clear. Actually making effective use of the IOCs provided is time consuming. Clearly, even experienced security professionals aren't aware of the intended use.
However, there is the potential to identify and stop attacks in progress. The Burlington Electric incident demonstrates that it can be used to identify malware. The Wordfence study demonstrates that the systems identified clearly present an imminent threat to organizations. Every security manager should read the JAR and determine if and how they should use it for their organization's threat hunting efforts.
The security profession is plagued by being contrarian by default. While skepticism is good, it must not be at the expense of extracting value.