An IoC Carol: A Chorus of Chaos
IoC feeds have become a staple for cybersecurity teams, offering blacklists of IP addresses to block malicious activity. At first glance, they seem like a no-brainer: plug them in, block the bad actors, and you’re safe, right? Unfortunately, the reality isn’t so simple. These feeds often lack the accuracy needed for effective threat mitigation and can even do more harm than good.
In this post, we’ll share our analysis of some of the most widely used IoC feeds and show why they shouldn’t be used without automated updates and rigorous validation. The risks of blindly trusting these feeds range from blocking legitimate services to flooding your IT team with false positives—and, in the worst cases, disrupting critical business operations.
Methods
Veriti has two main modules for analyzing an indicator. The first is an ML algorithm that takes the entire organization structure, logs, applications, policies, assets and vulnerabilities and, by correlating these internal data sources, determines whether an indicator is a false positive.
The second, and more common, method is to validate an IoC against an external intelligence source. The research results below use external intelligence sources only, as a demonstration of the challenge this presents.
We analyzed 21215 unique IPs (spanning 832077 hits over a 15-day period) from 41 popular IoC feeds and checked them against widely used IP reputation services (AbuseIPDB, VirusTotal, major security vendors' intelligence services and others). The classification rules were:
- Malicious (AbuseIPDB): Abuse Confidence Score above 40%, more than 11 security vendors stating the IP is malicious, and Total Reports above 10.
- Benign (AbuseIPDB): zero Abuse Confidence Score and Total Reports below 10.
- Malicious (VirusTotal): flagged as malicious by more than 11 vendors.
- Benign (VirusTotal): reported as harmless by more than 11 vendors and without any malicious reports.
- Related indicators: for every IP checked we also examined the indicators related to it (domains, files, URLs). If there was no related indicator, or none scored by more than 11 vendors, or no security vendor verdict tying a related indicator to a malware campaign, the IP was classified as benign.
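As an added example (not code from the Veriti post), the classification rules above expressed as a function and applied to a constructed set of lookup results with the hit counts each IP produced, so the per-verdict totals in the next section can be reproduced on small input. The record layout, the sample values and the order in which the rules are applied are this example's assumptions; the addresses are RFC 5737 documentation ranges apart from 208.67.222.222, which the post discusses.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Thresholds as stated in the Methods section of the post.
ABUSE_SCORE_MALICIOUS = 40     # AbuseIPDB Abuse Confidence Score, in percent
TOTAL_REPORTS_MALICIOUS = 10   # AbuseIPDB Total Reports
VT_VENDORS = 11                # VirusTotal vendor count used by both VT rules


@dataclass
class Related:
    """An indicator related to the IP (domain, file, URL) in the lookup result."""
    vendor_detections: int     # vendors flagging the related indicator
    malware_campaign: bool     # a vendor verdict ties it to a malware campaign


@dataclass
class Reputation:
    """Combined lookup result for one IP. The field names are this example's
    own, not the real AbuseIPDB or VirusTotal response schemas."""
    ip: str
    abuse_confidence: int      # AbuseIPDB abuseConfidenceScore, 0-100
    total_reports: int         # AbuseIPDB totalReports
    vt_malicious: int          # VirusTotal vendors returning 'malicious'
    vt_harmless: int           # VirusTotal vendors returning 'harmless'
    related: list = field(default_factory=list)


def classify(r):
    """Return 'malicious', 'benign' or 'undetermined' for one lookup result.

    The post does not state how its rules are ordered; here the malicious
    rules run first so a benign rule can never override malicious evidence
    (this example's assumption)."""
    # AbuseIPDB malicious: score above 40%, more than 11 vendors, more than 10 reports.
    if (r.abuse_confidence > ABUSE_SCORE_MALICIOUS
            and r.vt_malicious > VT_VENDORS
            and r.total_reports > TOTAL_REPORTS_MALICIOUS):
        return "malicious"
    # VirusTotal malicious: flagged by more than 11 vendors.
    if r.vt_malicious > VT_VENDORS:
        return "malicious"
    # AbuseIPDB benign: zero confidence score and fewer than 10 reports.
    if r.abuse_confidence == 0 and r.total_reports < TOTAL_REPORTS_MALICIOUS:
        return "benign"
    # VirusTotal benign: harmless by more than 11 vendors and no malicious votes.
    if r.vt_harmless > VT_VENDORS and r.vt_malicious == 0:
        return "benign"
    # Related-indicator rule, taken as the post words it (a disjunction): benign
    # when there is no related indicator, or none is scored by more than 11
    # vendors, or none is tied by a vendor verdict to a malware campaign.
    if (not r.related
            or not any(x.vendor_detections > VT_VENDORS for x in r.related)
            or not any(x.malware_campaign for x in r.related)):
        return "benign"
    return "undetermined"


def summarize(entries):
    """entries: iterable of (Reputation, hits). Returns, per verdict, the IP
    count and hit total with their share of the whole, as in the post's results."""
    ips, hits = defaultdict(int), defaultdict(int)
    for rep, h in entries:
        verdict = classify(rep)
        ips[verdict] += 1
        hits[verdict] += h
    total_ips = max(sum(ips.values()), 1)
    total_hits = max(sum(hits.values()), 1)
    return {v: {"ips": ips[v], "ip_share": round(100 * ips[v] / total_ips, 1),
                "hits": hits[v], "hit_share": round(100 * hits[v] / total_hits, 1)}
            for v in ("malicious", "benign", "undetermined")}


# Constructed feed sample: (lookup result, hits the IP produced on the firewall).
SAMPLE = [
    (Reputation("198.51.100.7", 96, 412, 14, 0, [Related(20, True)]), 1200),
    (Reputation("192.0.2.77", 10, 3, 12, 9), 800),            # VT rule alone
    (Reputation("208.67.222.222", 0, 2, 0, 61), 9000),        # Cisco Umbrella resolver
    (Reputation("203.0.113.45", 0, 0, 0, 58), 1000),
    (Reputation("198.51.100.9", 25, 40, 4, 50, [Related(15, True)]), 500),
]

if __name__ == "__main__":
    for rep, hits in SAMPLE:
        print(f"{rep.ip:16} {classify(rep):13} {hits:6} hits")
    print(summarize(SAMPLE))
```

On this sample two of five IPs are benign but carry 80% of the hits, which is the asymmetry the post describes. Note how permissive the related-indicator rule is when read as a disjunction: an IP with mid-range AbuseIPDB and VirusTotal scores and no related indicators at all comes out benign.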
The Numbers Don’t Lie
- Malicious IPs: 76.9% (16315 IPs) were flagged as malicious, generating 445059 hits (53.5% of the total hits).
- Benign IPs: 3.2% (687 IPs) were flagged as benign, generating 295593 hits (35.5% of the total hits).
- Undetermined IPs: the remaining 19.9% (4213 IPs), generating 91425 hits (11.0% of the total hits), could not be classified by this method.
Now, you might think, “3.2% benign IPs doesn’t sound like a lot”. But here’s the kicker: benign IPs tend to generate an outsized number of hits. This means even a small percentage of benign IPs can wreak havoc by flooding your system with false positives. For example, one feed included 11 IPs, 6 of which were classified as benign. Those 6 IPs alone generated 26974 hits – all false positives. In another feed, 4 benign IPs were responsible for 4900 hits.
And these aren’t just any benign IPs. Many of them are associated with major services like Google, AWS, Microsoft, and even security and telecommunication providers. Blocking these IPs can lead to catastrophic interruptions in business continuity, such as cutting off access to cloud services, email systems, or even critical security tools.
It’s not just isolated incidents – legitimate IPs are often blocked by multiple feeds. For example, five separate feeds flagged 208.67.222.222, one of the public DNS resolvers behind Cisco Umbrella (formerly OpenDNS). Blocking such an IP doesn’t just affect individual users; it breaks a critical security component, since clients pointed at that resolver lose name resolution and, with it, the DNS-layer protection the product provides for cyber defense.
Real-world Examples of Benign IPs
Blocking benign IPs doesn’t just generate unnecessary logs—it can have real consequences for businesses and end-users. Here are some examples of benign IPs we identified, along with the potential disruptions caused by blocking them:
- 35.207.36.42: Registered to Google Cloud (GCP).
Impact: Blocking it could disrupt access to websites, APIs or other applications hosted on GCP, affecting a wide range of businesses relying on Google’s cloud services.
- 205.251.193.162, 205.251.194.154, 205.251.198.61, 205.251.197.26: Associated with Amazon CloudFront, a content delivery network (CDN) provided by Amazon Web Services (AWS). Specifically, this resource is related to Shareaholic which uses AWS to efficiently deliver its content.
Impact: Blocking these IPs could disrupt the delivery of websites, images, videos, APIs, and other web content served through CloudFront, leading to slower performance or broken functionality for end-users. In February 2022, Shareaholic, a content amplification platform, reported that their AWS CloudFront CDN domain was being blocked by Malwarebytes, a security software. This blockage prevented users from accessing their website’s assets, such as stylesheets and images. After review, Malwarebytes determined that the block was a false positive and subsequently removed it.
- 5.180.208.203: Associated with PacketHub, a company specializing in IT security, network infrastructure, cloud, and managed services.
Impact: Blocking this IP could hinder security controls, disrupt managed network or VPN connections, and impair access to cloud-hosted applications provided by PacketHub.

Figure 1: Distribution of IoCs Classification (Venn)
Lessons Learned: Use IoC Feeds with Caution
IoC feeds can be a powerful tool, but they’re far from perfect. Our analysis shows that they often include benign IPs that should never have been flagged in the first place. Relying on these feeds without validation or automated updates can result in wasted resources, overwhelmed IT teams, and worst of all, blocked services that are vital to your business.
To make the most of IoC feeds:
- Validate Before You Block: cross-check every IoC against reputation databases before adding it to a blocklist.
- Automate Updates: stale data can turn good feeds bad. Regular updates are non-negotiable.
- Automate false-positive remediation: use automation to locate false positives and, more importantly, remove them from the feeds you enforce.
- Automate removal of IoCs: an expiry process is also an enforcement control. By automatically removing an indicator after X days unless it is re-confirmed, you limit the window in which an address that has since been cleaned up or reassigned to a legitimate owner stays blocked and disrupts business continuity.
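The four practices above combined into one feed-handling step, as an added example rather than code from the post: it parses a feed of ip,first_seen lines, drops anything on a never-block list, expires entries older than a fixed age, removes indicators that validation has marked benign, and records why each entry was dropped so the result can be audited and reported back to the feed provider. The feed text, the 30-day age, the verdicts and the never-block ranges are constructed for the example; the two /32 addresses are IPs the post itself shows being wrongly listed, and the other addresses come from RFC 5737 documentation ranges.

```python
import ipaddress
from datetime import date, timedelta

# "X days" from the post; 30 is this example's choice, not a value from the page.
MAX_AGE_DAYS = 30

# Addresses this deployment must never block. The two /32s are IPs the post shows
# being wrongly listed (a Cisco Umbrella resolver and a CloudFront edge); the /24
# is a constructed stand-in for an organisation's own egress range (RFC 5737).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("208.67.222.222/32", "205.251.193.162/32", "203.0.113.0/24")]


def parse_feed(text):
    """Parse 'ip,first_seen' lines, skipping blanks and '#' comments.

    Yields (ip_address, date) for valid lines and (raw_text, None) for lines
    that do not parse, so bad feed data is reported rather than silently lost."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_ip, _, raw_date = line.partition(",")
        try:
            ip = ipaddress.ip_address(raw_ip.strip())
            first_seen = date.fromisoformat(raw_date.strip())
        except ValueError:
            yield raw_ip.strip(), None
            continue
        yield ip, first_seen


def build_blocklist(feed_text, verdicts, today):
    """Apply the post's four practices to a feed; return (blocklist, removed).

    verdicts maps an IP string to 'malicious', 'benign' or 'undetermined' from
    the validation step (the reputation lookup itself is out of scope here).
    'undetermined' entries stay listed and should be re-validated on the next
    run; removed is a list of (ip, reason) for auditing and feedback."""
    blocklist, removed = [], []
    for ip, first_seen in parse_feed(feed_text):
        if first_seen is None:
            removed.append((ip, "unparseable entry"))
            continue
        # Never-block list first: it is the cheapest check and the costliest to miss.
        if any(ip in net for net in NEVER_BLOCK):
            removed.append((str(ip), "never-block list"))
            continue
        # Expiry: an indicator is enforced only while it is fresh.
        if today - first_seen > timedelta(days=MAX_AGE_DAYS):
            removed.append((str(ip), f"expired after {MAX_AGE_DAYS} days"))
            continue
        # Validated false positives are removed from what is enforced.
        if verdicts.get(str(ip)) == "benign":
            removed.append((str(ip), "validated false positive"))
            continue
        blocklist.append(str(ip))
    return blocklist, removed


# Constructed feed: RFC 5737 addresses plus two IPs named in the post.
SAMPLE_FEED = """# ip,first_seen (UTC)
198.51.100.7,2024-11-01
208.67.222.222,2024-11-20
198.51.100.9,2024-12-10
205.251.193.162,2024-12-12
203.0.113.45,2024-12-13
192.0.2.77,2024-12-14
300.1.1.1,2024-12-14
"""
# Constructed verdicts from the validation step.
SAMPLE_VERDICTS = {"198.51.100.7": "malicious", "198.51.100.9": "benign",
                   "192.0.2.77": "malicious"}
TODAY = date(2024, 12, 15)   # fixed so the run is reproducible

if __name__ == "__main__":
    blocklist, removed = build_blocklist(SAMPLE_FEED, SAMPLE_VERDICTS, TODAY)
    print("enforce:", blocklist)
    for ip, reason in removed:
        print(f"dropped {ip:16} {reason}")
```

Only 192.0.2.77 survives: one entry is too old, one is a known false positive, three sit on the never-block list and one is malformed. The never-block check is deliberately independent of the reputation verdicts, because a resolver or CDN edge that every validation source misjudges is exactly the case the post warns about.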
In cybersecurity, accuracy is everything. Don’t let bad data do more harm than the threats you’re trying to stop.
*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/an-ioc-carol-a-chorus-of-chaos/

