Managing Indicator Deprecation in ThreatConnect
1 like464 views
The document discusses managing indicator deprecation in ThreatConnect. It explains that indicator deprecation is a system for automatically lowering an indicator's confidence rating over time based on configurable rules. This helps reflect an indicator's staleness and can automatically delete old indicators. The document provides examples of setting deprecation rules for different indicator types and sources, and best practices used by ThreatConnect's research team.
Managing Indicator Deprecation in ThreatConnect
- 1. SPRING CLEANING Managing Indicator Deprecation in ThreatConnect Alex Valdivia ThreatConnect Research Team March 21, 2017
- 2. © 2017 ThreatConnect, Inc. All Rights Reserved. Google Image Search: Roomba Time Lapse
- 3. © 2017 ThreatConnect, Inc. All Rights Reserved. Table of Contents Threat Ratings, Confidence, and Deprecation • Threat and Confidence Ratings • Indicator Deprecation Why? • 3 Reasons for Indicator Deprecation • Scenario: VXVault Source How? • Deprecation Rule Configuration • Deprecation Rule Approaches • Additional Considerations and Best Practices Resources Questions 3
- 4. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat Ratings, Confidence, and Deprecation 4
- 5. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat and Confidence Ratings Threat Ratings • Threat Level of Indicator • Scale of 0-5 Skulls Confidence Ratings • Confidence in Threat Rating • Percentage scale of 0-100
- 6. © 2017 ThreatConnect, Inc. All Rights Reserved. Threat Rating Best Practices Threat Rating Factors 1. Capability 2. Determination 3. Progression Threat Rating Scale 0 Skulls Unknown 1 Skull Suspicious 2 Skulls Low 3 Skulls Moderate 4 Skulls High 5 Skulls Critical 6 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
- 7. © 2017 ThreatConnect, Inc. All Rights Reserved. Confidence Rating Best Practices Confidence Rating Factors 1. Confirmation 2. Plausibility 3. Consistency Confidence Rating Scale 0 Unknown 1 Discredited 2-29 Improbable 30-49 Doubtful 50-69 Possible 70-89 Probable 90-100 Confirmed 7 Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
- 8. © 2017 ThreatConnect, Inc. All Rights Reserved. Indicator Deprecation • System for automatically lowering confidence rating of indicators over time. • Does not affect threat rating. • Rules customizable by indicator type. • Enabled at Org, Source, and Community level. • Requires Org Admin or Director role. Interval: 10 Days Confidence Amount: 10
- 9. © 2017 ThreatConnect, Inc. All Rights Reserved. But Why? 9
- 10. © 2017 ThreatConnect, Inc. All Rights Reserved. 3 Reasons for Indicator Deprecation 1. Lower confidence to reflect indicator’s “staleness” 2. Automatically delete indicators you no longer care about 3. Your analysts don’t know about this feature and you want them to think they’re slowly losing their minds 10
- 11. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source 11 ● Open Source URL Feed ● 100 URLs per Day ● Default Rating: 3 Skulls ● Default Confidence: 80%
- 12. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - No Deprecation 12 Day 1 100 URLs Day 2 200 URLs New URL Old URL Day 90 9K URLs
- 13. © 2017 ThreatConnect, Inc. All Rights Reserved. Scenario: VXVault Source - With Deprecation 13 Day 1 100 URLs Day 2 200 URLs Day 90 9K URLs X X X X X
- 14. © 2017 ThreatConnect, Inc. All Rights Reserved. But How? 14
- 15. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Org 15
- 16. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration - Source/Community 16
- 17. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Configuration ● Indicator Type ○ 10 Types ● Interval ○ Days ● Confidence Amount ○ 1-100 ● Percentage ○ Based on current confidence rating ● Recurring ● Delete At Minimum (Zero) ● Update Chart Upon Deletion 17
- 18. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rule Approaches Arbitrary Starting Confidence - Control Deprecation Rate • Appropriate for manually created indicators, indicators shared by other users. • I want to lower the confidence of Hosts by 10 every 10 days, and delete when confidence reaches zero. Known Starting Confidence - Control Timing of Confidence Changes, Deletions • Appropriate for ThreatConnect Sources, HTTP Scraper, TAXII, API Integrations. • I want URL indicators to be deleted in 60 days. • I want the confidence of IP Addresses to change from Probable to Possible in 10 days. 18
- 19. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Additional Considerations Not All Indicators Are Created Equal • URLs vs IP Addresses vs Domains • Pyramid of Pain...ish Not All Feeds Are Created Equal • Malware Domain Feed • Phishing URL Feed • Scanning IP Feed 19 SlowerDeprecation FasterDeprecation No Deprecation >
- 20. © 2017 ThreatConnect, Inc. All Rights Reserved. Deprecation Rules: Research Team Best Practices 20 Indicator Types Probable > Possible Deletion Interval (Days) Deprecation Amount Address, ASN, CIDR 55 days Yes 11 6 URL, Host 110 days No 11 3 Email Address 225 days No 30 4 File, Mutex, Registry Key, User Agent N/A N/A N/A N/A Our team commonly uses the settings below for deprecation rules in ThreatConnect sources collecting data from open source feeds. Do keep in mind, this is not a one-size-fits-all solution!
- 21. © 2017 ThreatConnect, Inc. All Rights Reserved. Resources ● ThreatConnect Blog: Best Practices: Indicator Rating and Confidence ● ThreatConnect KnowledgeBase: Configuring Indicator Confidence Deprecation ● This slide deck! ● ThreatConnect Customer Success Representative 21
- 22. © 2017 ThreatConnect, Inc. All Rights Reserved. Thank You THREATCONNECT.COM