Spring Cleaning: Managing Indicator Deprecation in ThreatConnect
Alex Valdivia, ThreatConnect Research Team
March 21, 2017

Posted on 12-Apr-2017


© 2017 ThreatConnect, Inc. All Rights Reserved.

Google Image Search: Roomba Time Lapse


Table of Contents

Threat Ratings, Confidence, and Deprecation
• Threat and Confidence Ratings
• Indicator Deprecation

Why?
• 3 Reasons for Indicator Deprecation
• Scenario: VXVault Source

How?
• Deprecation Rule Configuration
• Deprecation Rule Approaches
• Additional Considerations and Best Practices

Resources

Questions


Threat Ratings, Confidence, and Deprecation


Threat and Confidence Ratings

Threat Ratings
• Threat Level of Indicator
• Scale of 0-5 Skulls

Confidence Ratings
• Confidence in Threat Rating
• Percentage scale of 0-100


Threat Rating Best Practices

Threat Rating Factors
1. Capability
2. Determination
3. Progression

Threat Rating Scale
0 Skulls  Unknown
1 Skull   Suspicious
2 Skulls  Low
3 Skulls  Moderate
4 Skulls  High
5 Skulls  Critical


Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/


Confidence Rating Best Practices

Confidence Rating Factors
1. Confirmation
2. Plausibility
3. Consistency

Confidence Rating Scale
0       Unknown
1       Discredited
2-29    Improbable
30-49   Doubtful
50-69   Possible
70-89   Probable
90-100  Confirmed


Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/


Indicator Deprecation

• System for automatically lowering confidence rating of indicators over time.

• Does not affect threat rating.

• Rules customizable by indicator type.

• Enabled at Org, Source, and Community level.

• Requires Org Admin or Director role.

Example rule shown on the slide: Interval: 10 Days, Confidence Amount: 10


But Why?


3 Reasons for Indicator Deprecation

1. Lower confidence to reflect indicator’s “staleness”

2. Automatically delete indicators you no longer care about

3. Your analysts don’t know about this feature and you want them to think they’re slowly losing their minds


Scenario: VXVault Source


● Open Source URL Feed
● 100 URLs per Day
● Default Rating: 3 Skulls
● Default Confidence: 80%


Scenario: VXVault Source - No Deprecation


Day 1

100 URLs

Day 2

200 URLs

Day 90

9K URLs

Chart legend: New URL / Old URL


Scenario: VXVault Source - With Deprecation


Day 1

100 URLs

Day 2

200 URLs

Day 90

9K URLs


But How?


Deprecation Rule Configuration - Org


Deprecation Rule Configuration - Source/Community


Deprecation Rule Configuration

● Indicator Type
  ○ 10 Types
● Interval
  ○ Days
● Confidence Amount
  ○ 1-100
● Percentage
  ○ Based on current confidence rating
● Recurring
● Delete At Minimum (Zero)
● Update Chart Upon Deletion


Deprecation Rule Approaches

Arbitrary Starting Confidence - Control Deprecation Rate
• Appropriate for manually created indicators, indicators shared by other users.
• I want to lower the confidence of Hosts by 10 every 10 days, and delete when confidence reaches zero.

Known Starting Confidence - Control Timing of Confidence Changes, Deletions
• Appropriate for ThreatConnect Sources, HTTP Scraper, TAXII, API Integrations.
• I want URL indicators to be deleted in 60 days.
• I want the confidence of IP Addresses to change from Probable to Possible in 10 days.


Deprecation Rules: Additional Considerations

Not All Indicators Are Created Equal
• URLs vs IP Addresses vs Domains
• Pyramid of Pain...ish

Not All Feeds Are Created Equal
• Malware Domain Feed
• Phishing URL Feed
• Scanning IP Feed


Diagram axis labels: Slower Deprecation / Faster Deprecation / No Deprecation >


Deprecation Rules: Research Team Best Practices


Our team commonly uses the settings below for deprecation rules in ThreatConnect sources collecting data from open source feeds. Do keep in mind, this is not a one-size-fits-all solution!

Indicator Types                          Probable > Possible   Deletion   Interval (Days)   Deprecation Amount
Address, ASN, CIDR                       55 days               Yes        11                6
URL, Host                                110 days              No         11                3
Email Address                            225 days              No         30                4
File, Mutex, Registry Key, User Agent    N/A                   N/A        N/A               N/A
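As an added example (not from the deck or ThreatConnect's own code), the following Python simulates a deprecation rule with the fields listed on the configuration slide and checks the rule approaches and the Research Team settings above against the confidence scale from the earlier slide. It steps in whole intervals and clamps at zero, so a rule's deletion day and its Probable-to-Possible crossing can be read off directly; the starting confidence values used are assumptions, and stepped results need not match the table's day counts exactly.

```python
from dataclasses import dataclass

# Confidence scale from the deck: floor of each band and its label.
CONFIDENCE_BANDS = [(0, "Unknown"), (1, "Discredited"), (2, "Improbable"), (30, "Doubtful"),
                    (50, "Possible"), (70, "Probable"), (90, "Confirmed")]


def confidence_label(confidence):
    """Map an integer confidence (0-100) to its rating label."""
    label = CONFIDENCE_BANDS[0][1]
    for floor, name in CONFIDENCE_BANDS:
        if confidence >= floor:
            label = name
    return label


@dataclass
class DeprecationRule:
    """One deprecation rule, mirroring the fields on the configuration slide."""
    interval_days: int           # how often the rule fires
    amount: int                  # points to subtract, or percent if percentage=True
    percentage: bool = False     # subtract a percentage of the current confidence
    recurring: bool = True       # keep firing every interval, or fire once
    delete_at_zero: bool = False  # "Delete At Minimum (Zero)"


def deprecate(start_confidence, rule, horizon_days):
    """Apply the rule over time; return ([(day, confidence), ...], deleted)."""
    confidence, deleted = start_confidence, False
    history = [(0, confidence)]
    day = rule.interval_days
    while day <= horizon_days:
        drop = confidence * rule.amount / 100 if rule.percentage else rule.amount
        confidence = max(0, round(confidence - drop))  # confidence is an integer 0-100
        history.append((day, confidence))
        if confidence == 0 and rule.delete_at_zero:
            deleted = True
            break
        if not rule.recurring:
            break
        day += rule.interval_days
    return history, deleted


def days_until(start_confidence, rule, predicate, horizon_days=3650):
    """First firing day on which predicate(confidence) holds, else None."""
    history, _ = deprecate(start_confidence, rule, horizon_days)
    return next((day for day, c in history if predicate(c)), None)
```

For the VXVault scenario (80% default confidence, lose 10 every 10 days, delete at zero) the simulator gives an 80-day lifetime per URL, which is what caps the source's growth in the "With Deprecation" chart.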


Resources

● ThreatConnect Blog: Best Practices: Indicator Rating and Confidence

● ThreatConnect KnowledgeBase: Configuring Indicator Confidence Deprecation

● This slide deck!

● ThreatConnect Customer Success Representative


Thank You
THREATCONNECT.COM