Defenders need to rethink how effective indicators of compromise are in detecting attacks. The premise behind IOCs - that attackers reuse tools and the observable indicators are preserved - is false. At best, IOCs will lead to detecting individual components of an attack instead of revealing the entire operation.
Attackers are much more savvy and skilled at evading detection. They realized they could tweak their tools with minimal effort and sneak past traditional security tools. Change the signature on a malware program and it appears new, allowing it to get by an antivirus program. Use a domain generation algorithm to create an endless supply of IP addresses that won’t be blocked by firewalls.
And companies are already facing these attacks, according to Cybereason's Threat Insights Report. Almost half of the confirmed malicious activity experienced by Cybereason’s customers in the first half of 2016 was carried out using attack mechanisms that constantly mutated, including changing hashes, IP addresses and domains. With these new-to-the-world techniques becoming more prevalent, IOCs are significantly less effective at detection and response.