Can IOCs Impose Cost? The Effects of Publishing Threat Intelligence on Adversary Behavior

Conference Paper (2025)
Author(s)

X.B. Bouwman (TU Delft - Organisation & Governance)

A.M. Ethembabaoglu (TU Delft - Organisation & Governance)

B. Hermans (TU Delft - Cyber Security)

C. Hernandez Ganan (TU Delft - Organisation & Governance)

M.J.G. van Eeten (TU Delft - Organisation & Governance)

Research Group
Organisation & Governance
DOI related publication
https://doi.org/10.1145/3719027.3765026
Publication Year
2025
Language
English
Pages (from-to)
663-677
Publisher
ACM
ISBN (electronic)
79-8-4007-1525-9
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

Exposing intrusion campaigns has become a geopolitical tool, with governments and commercial firms publishing threat intelligence reports about hacking attempts and modus operandi. U.S. government officials have explained this as not just a defensive practice but also as a way to ‘impose cost’ on attackers by forcing them to develop new infrastructure, tools, and techniques, consuming their scarce resources. We empirically examine this claim by analyzing attacker behavior before and after the publication of indicators of compromise (IOCs). Using IOC feeds from two leading commercial providers – deemed to best enable detection of sophisticated threats – we matched IOCs against a large dataset of real-world network traffic metadata. This enabled us to generate sightings retroactively, capturing malicious activity up to 150 days before and after publication. Unlike prior work focused on post-publication malicious activity, our method provides a more complete view over time. Our results show that most IOCs point to resources that attackers had already abandoned by the time of IOC publication, limiting their utility for detecting ongoing attacks and undermining the idea of ‘imposing costs’. Statistical modeling further reveals that publication status has low explanatory power for sightings, suggesting that confounding variables exist. We also observed a 30-day delay between the peak of threat actor activity and IOC publication for one provider. This study is the first empirical assessment linking threat intelligence publication to attacker behavior, bridging computer science and international relations.
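The two measurements the abstract describes, whether an indicator's resource was already abandoned by publication time and the lag between peak activity and publication, can be illustrated on retroactive sightings. The following Python is an added example, not the paper's code or data: the IOC records and sighting dates are constructed, the 150-day window is taken from the abstract, and "abandoned" is defined here simply as "no in-window sighting on or after the publication date".

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta

WINDOW_DAYS = 150  # observation window on either side of publication, as in the abstract


@dataclass
class IocRecord:
    """One published indicator plus the sightings matched against it retroactively."""
    indicator: str                 # constructed label, not a real IOC
    published: date                # date the provider published the indicator
    sightings: list[date] = field(default_factory=list)  # dates the indicator appeared in traffic metadata


def window_sightings(rec: IocRecord) -> list[date]:
    """Sightings within +/- WINDOW_DAYS of publication, sorted ascending."""
    return sorted(d for d in rec.sightings if abs((d - rec.published).days) <= WINDOW_DAYS)


def is_abandoned_at_publication(rec: IocRecord) -> bool:
    """True when the indicator was seen in the window but never on or after publication,
    i.e. the attacker had already stopped using the resource when the IOC went public."""
    ws = window_sightings(rec)
    return bool(ws) and ws[-1] < rec.published


def abandoned_fraction(records: list[IocRecord]) -> float:
    """Share of indicators (among those seen at all in the window) that were already abandoned."""
    seen = [r for r in records if window_sightings(r)]
    if not seen:
        return 0.0
    return sum(is_abandoned_at_publication(r) for r in seen) / len(seen)


def peak_to_publication_lag_days(records: list[IocRecord]) -> int | None:
    """Pool sightings by day offset relative to each IOC's own publication date and
    return how many days publication trailed the busiest day (positive = peak before publication).
    Ties are broken toward the earliest peak day."""
    offsets: Counter[int] = Counter()
    for r in records:
        for d in window_sightings(r):
            offsets[(d - r.published).days] += 1
    if not offsets:
        return None
    peak_offset = max(offsets, key=lambda k: (offsets[k], -k))
    return -peak_offset


# Constructed sample: every indicator published on the same (made-up) day, sightings given as day offsets.
PUB = date(2024, 3, 1)


def _days(*offsets: int) -> list[date]:
    return [PUB + timedelta(days=o) for o in offsets]


SAMPLE = [
    IocRecord("ioc-A", PUB, _days(*range(-40, -30))),        # active for ten days, then silent
    IocRecord("ioc-B", PUB, _days(*range(-32, -27))),        # last seen two days before publication
    IocRecord("ioc-C", PUB, _days(-30, -30, -30, 5)),        # still seen after publication
    IocRecord("ioc-D", PUB, _days(-200)),                    # only sighting falls outside the window
]

if __name__ == "__main__":
    print(f"abandoned at publication: {abandoned_fraction(SAMPLE):.2f}")
    print(f"peak-to-publication lag: {peak_to_publication_lag_days(SAMPLE)} days")
```

Because offsets are measured relative to each indicator's own publication date, indicators published on different days can be pooled into one activity curve; the window filter also makes the "abandoned" verdict depend only on traffic the study could actually observe.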