DeepSec 2025 Talk: Predicting IOCs with Historical Analysis – Josh Pyorre

Sanna / October 7, 2025 / Conference

What does looking at the history of malware, threat actors, and related network infrastructure tell us about the future? Are there unexpected connections to be found to help us not only find attribution, but potentially discover what to block, what to watch out for, and even predict where the next threat will be?
Through the analysis of historical data of various malware variants, focusing primarily on ransomware, I will show the relationships of infrastructure and other indicators of compromise in an attempt to develop a mechanism for predicting how and where future threats might operate. This presentation will discuss the methods of collecting data and finding connections, and will help the attendees apply these results to their threat modeling and mitigation practices.

We asked Josh a few more questions about his talk.

Please tell us the top 5 facts about your talk.

This talk focuses on moving beyond attribution and works towards predicting what might happen next by looking at known malicious IOC infrastructure reuse.

Incident response is stuck in a reactive cycle of ‘putting out fires’. The output of my presentation has the potential to provide space for researchers and incident responders that can be used to anticipate threats.

Threat actors are people too, and like us, they can be lazy and reuse things, like variable names, usernames, and more. Malicious infrastructure reuse occurs more frequently than expected. The analysis of historical IOCs like domains, CIDRs, and ASNs can be used to build a network of infrastructure reuse to provide predictive signals when suspicious indicators appear in a network.

I’ll introduce a new system (as a website and API) that builds a relationship graph of known malicious IOCs. You can query this graph to help you go beyond ingesting and using IOC feeds to find hidden or evolving threats.

The API I’ve built can accept requests to check suspicious IOCs against the graph and receive determinations based on CIDR mapping, domain similarity, ASN location, and more, turning prediction into actionable detection. I plan to have it running and available by the time of the talk, and will also provide the code for anyone who wants to run it locally.
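The two answers above describe a relationship graph built from historical IOCs (domains, CIDRs, ASNs) that a suspicious indicator can be checked against. The following is an added illustration of that idea, not Josh Pyorre's system or its API: it builds a toy graph from a constructed history, then returns determinations for a suspicious IOC based on exact match, CIDR containment, ASN co-location, and lookalike domains. All records are invented; the IPs are from RFC 5737 documentation ranges and the ASNs from the private range, so nothing here is a real indicator.

```python
# Added example, not code from the talk. Toy IOC relationship graph queried
# the way the interview describes (CIDR mapping, domain similarity, ASN).
import ipaddress
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample history: each record ties a malware family to the
# infrastructure it was seen using. Every value here is made up.
HISTORY = [
    {"family": "fam-a", "domain": "update-service.example",
     "ip": "192.0.2.10", "cidr": "192.0.2.0/24", "asn": 64500},
    {"family": "fam-a", "domain": "update-svc.example",
     "ip": "192.0.2.77", "cidr": "192.0.2.0/24", "asn": 64500},
    {"family": "fam-b", "domain": "cdn-mirror.example",
     "ip": "198.51.100.5", "cidr": "198.51.100.0/24", "asn": 64501},
    {"family": "fam-b", "domain": "login-portal.example",
     "ip": "203.0.113.9", "cidr": "203.0.113.0/24", "asn": 64500},
]


def build_graph(records):
    """Undirected graph as adjacency sets. Nodes are (kind, value) tuples so
    an ASN number and an IP string can never collide; every indicator in a
    record is linked to every other indicator in it and to the family."""
    graph = defaultdict(set)
    for r in records:
        nodes = [("family", r["family"]), ("domain", r["domain"]),
                 ("ip", r["ip"]), ("cidr", r["cidr"]), ("asn", r["asn"])]
        for a in nodes:
            graph[a].update(b for b in nodes if b != a)
    return graph


def families_for(graph, node):
    """Malware families directly linked to a node, sorted for stable output."""
    return sorted(v for (k, v) in graph.get(node, ()) if k == "family")


def check_ioc(graph, ioc, similarity=0.8):
    """Return (reason, matched_value, families) tuples for a suspicious IOC.
    ioc may be an IP string, a domain string, or an int ASN. Reasons are
    ordered from strongest (exact hit) to weakest (lookalike domain)."""
    findings = []
    if isinstance(ioc, int):                       # ASN co-location
        if ("asn", ioc) in graph:
            findings.append(("asn", ioc, families_for(graph, ("asn", ioc))))
        return findings
    try:
        addr = ipaddress.ip_address(ioc)
    except ValueError:
        addr = None
    if addr is not None:                           # exact IP, then CIDR containment
        if ("ip", ioc) in graph:
            findings.append(("ip", ioc, families_for(graph, ("ip", ioc))))
        for (kind, value) in list(graph):
            if kind == "cidr" and addr in ipaddress.ip_network(value):
                findings.append(("cidr", value, families_for(graph, ("cidr", value))))
        return findings
    if ("domain", ioc) in graph:                   # exact domain
        findings.append(("domain", ioc, families_for(graph, ("domain", ioc))))
        return findings
    for (kind, value) in list(graph):              # lookalike domains (crude string ratio)
        if kind == "domain" and SequenceMatcher(None, ioc, value).ratio() >= similarity:
            findings.append(("domain_similar", value, families_for(graph, ("domain", value))))
    return findings


if __name__ == "__main__":
    g = build_graph(HISTORY)
    for suspicious in ("192.0.2.200", "update-services.example", 64500, "203.0.113.9"):
        print(suspicious, "->", check_ioc(g, suspicious))
```

Note how the ASN lookup for 64500 returns two families: a hosting provider shared by unrelated actors is a much weaker signal than a CIDR or lookalike domain tied to a single family, so a real system would weight the reasons rather than treat every hit alike.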

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

I love attribution in threat research, but even more than that, I love trying to figure out what’s going to happen next. For a long time, I’ve been thinking about how one could correlate cyber-incidents with real-world and geopolitical incidents as a method to predict what we might need to look out for. Although guessing the next ransomware or new malware based on a nation state’s political action is still a bit of a reach, analyzing malicious infrastructure reuse seems possible to predict when a suspicious IOC is seen in a network.

Why do you think this is an important topic?

Having worked in security for 25 years, I’m frustrated by our constant reactive stance. Threat hunting is my passion because it allows us to predict threats instead of just responding to them. While the ATT&CK matrix tracks and attributes existing threats, there isn’t a comparable system for prediction. I’m building this system to transform threat hunting from passive IOC feed ingestion into active prediction, giving incident responders a tool to identify emerging threats before they fully materialize.

Is there something you want everybody to know – some good advice for our readers maybe?

The results of my research for this presentation are still in progress. I will likely be working on it still in the hotel lobby just before going up to talk about it. I would love to collaborate and welcome ideas. Please come chat with me if interested!

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

To collect data, I had to use three external sources. One source provides free API access, and the other two require paid accounts. These services that require subscriptions are costly and generally beyond an individual’s ability to pay for them. I think as valuable and useful services become more popular, they end up monetized and pricing researchers out. However, I think as we researchers continue to build and create, and with the help of LLMs, we have the ability to build open source services that can compete with the gatekeepers of the security research world. I think we will see more people and organizations fighting back against this frustration, building tools that will help our fellow researchers and will continue the real mission of securing everyone, even those who cannot pay for it.


Josh Pyorre is a Security Research Engineering Technical Leader with Cisco Talos, and additionally conducts research on his own. He has been in security since 2000, working as a threat hunter, researcher, and analyst at Cisco, NASA, and Mandiant, and as a principal product manager for advanced threat protection at Zscaler.
Josh has presented at conferences such as DEFCON, RSA, DragonCon, B-Sides, Source, Derbycon, InfoSecurity, DeepSec, Qubit, and at various companies and government organizations. He was also the host and producer of the security podcast, ‘Root Access’. His professional interests involve network, computer, and data security with a goal of maintaining and improving the security of as many systems and networks as possible.
