The End of Stale Indicators

Threat Hunting Module

The Pyramid of Pain reminds us that some indicators are harder for adversaries to change than others. IP addresses sit low on that pyramid because the ready availability of cloud and proxy services makes it cheap for threat actors to migrate. Moreover, without timing or usage context, a bare IP address often tells a defender less than a file hash does.

Figure 1: The Jamie Williams Pyramid of Pain variant

For years, I've heard the same refrain from fellow researchers: "IP addresses aren't great IOCs [indicators of compromise]." And while that's not wrong, it's not the whole story either. IPs can be powerful signals; however, they're often mishandled and shared stripped of context. To be truly actionable, an IP needs timing and behavioral detail. When did it come online? What did it serve, and how did it respond? And what can we learn from the other services running on the host to add context?

But far too often, indicator feeds are full of stale IPs—ones that were active months before they were ever added to a blocklist. By then, the threat actor has moved on, and defenders are blocking empty space.

That’s what we’re working to fix.

Timely and actionable information

As part of our new Threat module, Censys is focused on delivering timely, actionable and context-rich information about threats. Over the past few months, I've been tracking a subset of BeaverTail deployments used to serve the InvisibleFerret malware in a Collection in the Censys Platform, shown below:

Image 1: BeaverTail collection activity timeline

In this collection, I can see when infrastructure came online, how long it was active, and when it disappeared. This reduces the effort needed to track IPs, and makes it more feasible to include them in analyses.

Anyone can offer a threat intel feed, but that’s not what we’re building. We’re building a system that helps defenders understand when an indicator mattered, not just that it existed. An indicator without context is just noise, and we’re done with stale.
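To make the point concrete, here is an added example (not Censys code, and not from the post) of what "when an indicator mattered" looks like in practice. It models an IP indicator with first-seen and last-seen timestamps plus the date it entered a feed, then matches constructed outbound-connection events against the activity window instead of against the bare address. The IPs, dates, contexts and the seven-day grace period are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def ts(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """UTC timestamp helper so every value in this example is timezone-aware."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


@dataclass(frozen=True)
class IpIndicator:
    ip: str
    first_seen: datetime      # first scan in which the host showed the suspect service
    last_seen: datetime       # last scan in which that service was still up
    added_to_feed: datetime   # when the IP entered the blocklist / feed
    context: str              # what the host served when it was observed


# Constructed sample feed: RFC 5737 documentation addresses, invented dates and context.
FEED = [
    IpIndicator("192.0.2.10",    ts(2025, 3, 1),  ts(2025, 3, 20), ts(2025, 3, 5),
                "HTTP 200 on tcp/8080, same JSON body on every path"),
    IpIndicator("198.51.100.20", ts(2025, 1, 10), ts(2025, 1, 25), ts(2025, 4, 15),
                "self-signed TLS cert on tcp/443"),
    IpIndicator("203.0.113.30",  ts(2025, 4, 1),  ts(2025, 4, 30), ts(2025, 4, 3),
                "SSH banner plus HTTP panel on tcp/3000"),
]

# Constructed outbound-connection events from a hypothetical proxy log: (time, destination IP).
EVENTS = [
    (ts(2025, 3, 10, 12), "192.0.2.10"),
    (ts(2025, 2, 15, 9),  "192.0.2.10"),
    (ts(2025, 4, 20, 8),  "198.51.100.20"),
    (ts(2025, 5, 5, 1),   "203.0.113.30"),
    (ts(2025, 5, 20, 1),  "203.0.113.30"),
    (ts(2025, 5, 1, 1),   "10.0.0.5"),
]


def classify(ind: IpIndicator, event_time: datetime,
             grace: timedelta = timedelta(days=7)) -> str:
    """Relate an event to the window in which the IP actually hosted the service.

    'before_activity': the host had not yet been seen malicious (likely benign, pre-takeover use).
    'active':          inside the observed window plus a grace period that covers scan latency.
    'stale':           the service has been gone longer than the grace period (likely reassigned).
    """
    if event_time < ind.first_seen:
        return "before_activity"
    if event_time <= ind.last_seen + grace:
        return "active"
    return "stale"


def match_events(feed, events, grace: timedelta = timedelta(days=7)) -> list:
    """Join events to the feed by IP, returning a verdict and the observed context for each hit."""
    by_ip = {ind.ip: ind for ind in feed}
    hits = []
    for event_time, dst in events:
        ind = by_ip.get(dst)
        if ind is None:
            continue  # not in the feed at all; nothing to say about it
        hits.append({
            "time": event_time.isoformat(),
            "ip": dst,
            "verdict": classify(ind, event_time, grace),
            "context": ind.context,
        })
    return hits


def feed_lag(ind: IpIndicator) -> timedelta:
    """How long after the host went offline the IP was added to the feed (negative: added while live)."""
    return ind.added_to_feed - ind.last_seen


def dead_on_arrival(feed) -> list:
    """IPs that were already offline on the day they entered the feed, i.e. blocking empty space."""
    return [ind.ip for ind in feed if feed_lag(ind) > timedelta(0)]


if __name__ == "__main__":
    for hit in match_events(FEED, EVENTS):
        print(f"{hit['time']}  {hit['ip']:<15} {hit['verdict']:<16} {hit['context']}")
    for ind in FEED:
        print(f"{ind.ip:<15} feed lag: {feed_lag(ind).days:+d} days")
    print("dead on arrival:", dead_on_arrival(FEED))
```

The two verdicts that matter operationally are the ones a plain blocklist cannot produce: "before_activity" (the connection predates the takeover, so it is probably benign) and "stale" (the service is long gone, so the destination is probably someone else now). The feed-lag check applies the same idea to the feed itself and flags entries that were dead on arrival, which is exactly the failure mode the paragraph above describes.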

… and we're going to keep enriching threat data with Actor Profiles, available exclusively as a module in the new Censys Platform. Actor Profiles are maintained by Censys Research and also incorporate Malpedia and MITRE standards to ensure profiles remain fresh and actionable.

AUTHOR
The Censys Research Team