Mar 29, 2018

Decaying Indicators of Compromise

arXiv:1803.11052v1 | 17 citations | Has Code
Originality: Synthesis-oriented

AI Analysis

This work addresses the problem of managing outdated IoCs for cybersecurity professionals, but it is incremental as it builds on existing threat intelligence sharing platforms.

The paper tackles the challenge of processing volatile indicators of compromise (IoCs) by implementing a generic scoring model in the MISP platform to decay IoCs based on shared meta-information, facilitating automated decision-making on their validity for incident response.

The steady increase in the volume of indicators of compromise (IoC) as well as their volatile nature makes their processing challenging. Once compromised infrastructures are cleaned up, threat actors are moving on to other target infrastructures or simply changing attack strategies. To ease the evaluation of IoCs as well as to harness the combined analysis capabilities, threat intelligence sharing platforms were introduced in order to foster collaboration on a community level. In this paper, the open-source threat intelligence platform MISP is used to implement and showcase a generic scoring model for decaying IoCs shared within MISP communities matching their heterogeneous objectives. The model takes into account existing meta-information shared along with indicators of compromise, facilitating the decision making process for machines in regards to the validity of the shared indicator of compromise. The model is applied on common use-cases that are normally encountered during incident response.
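To make the idea of a decaying IoC score concrete, here is an added illustration that is not code from the paper or from MISP. It assumes a simple power-law decay (score falls from a base value to zero over a per-type lifetime, with a speed parameter), assumes that the base score and the last-seen timestamp come from meta-information shared alongside the indicator, and uses constructed per-type lifetimes and a constructed sample feed; the paper's actual model and parameters are not stated on this page.

```python
"""Illustrative IoC decay scoring (constructed example; not the paper's or MISP's model)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Indicator:
    value: str
    ioc_type: str
    last_seen: datetime     # assumed to come from shared sighting meta-information
    base_score: float       # assumed to come from shared meta-information (e.g. source confidence, 0-100)


# Assumed per-type decay profiles (constructed values): a C2 IP address goes stale
# faster than a file hash, so it gets a shorter lifetime and a steeper decay.
DECAY_PROFILES = {
    "ip-dst": {"lifetime_days": 30.0, "decay_speed": 3.0},
    "domain": {"lifetime_days": 90.0, "decay_speed": 2.0},
    "sha256": {"lifetime_days": 365.0, "decay_speed": 1.0},
}


def decay_score(base_score: float, elapsed_days: float,
                lifetime_days: float, decay_speed: float) -> float:
    """Assumed decay law: base * (1 - (t / lifetime) ** (1 / decay_speed)).

    At t = 0 the score equals the base score; at t >= lifetime it is 0.
    A higher decay_speed keeps the score high for longer before it drops.
    """
    if elapsed_days <= 0:
        return float(base_score)
    if elapsed_days >= lifetime_days:
        return 0.0
    return base_score * (1.0 - (elapsed_days / lifetime_days) ** (1.0 / decay_speed))


def score_indicator(ioc: Indicator, now: datetime) -> float:
    """Current score of an indicator given its type profile and last sighting."""
    profile = DECAY_PROFILES[ioc.ioc_type]
    elapsed_days = (now - ioc.last_seen).total_seconds() / 86400.0
    return decay_score(ioc.base_score, elapsed_days,
                       profile["lifetime_days"], profile["decay_speed"])


def is_still_actionable(ioc: Indicator, now: datetime, threshold: float = 20.0) -> bool:
    """Automated decision: keep alerting on this IoC only while its score is above the threshold."""
    return score_indicator(ioc, now) >= threshold


def triage_feed(feed: list, now: datetime, threshold: float = 20.0) -> dict:
    """Split a feed into indicators still worth matching on and ones to retire."""
    keep = [i.value for i in feed if is_still_actionable(i, now, threshold)]
    retire = [i.value for i in feed if not is_still_actionable(i, now, threshold)]
    return {"keep": keep, "retire": retire}


# Constructed sample feed (RFC 5737 documentation addresses, example.com, a made-up hash).
NOW = datetime(2018, 3, 29)
SAMPLE_FEED = [
    Indicator("192.0.2.10", "ip-dst", NOW - timedelta(days=2), 80.0),    # fresh C2 address
    Indicator("198.51.100.7", "ip-dst", NOW - timedelta(days=45), 80.0), # past its 30-day lifetime
    Indicator("bad.example.com", "domain", NOW - timedelta(days=60), 60.0),
    Indicator("0" * 64, "sha256", NOW - timedelta(days=200), 90.0),      # hashes decay slowly
]

if __name__ == "__main__":
    for ioc in SAMPLE_FEED:
        print(f"{ioc.value:<22} {ioc.ioc_type:<8} score={score_indicator(ioc, NOW):6.1f}")
    print(triage_feed(SAMPLE_FEED, NOW))
```

The threshold is the point where the "machine decision" the abstract mentions happens: a sighting of the indicator (updating `last_seen`) would reset its score, while a score below the threshold means the indicator is retired from matching without a human having to review it.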
