ExpirationPOSTED BY RYAN TROST
As each day passes, threat intelligence platforms are automatically absorbing hundreds, thousands, or potentially millions of indicators, forcing teams (…and vendors) to quickly define a threat data lifecycle or expiration strategy. This has been a controversial discussion for most of my career from analyst to manager – from firewall rules to IDS signatures and now to indicators. Much like attribution, expiration efforts are very subjective and depend entirely on tools, adversaries, feeds, and the teams’ sanity point between chasing false positives and precautionary due diligence alerts.
Analysts are typically packrats – which makes defining an approach even more so a necessary evil! Unfortunately there is neither a well-defined industry standard on how to expire intelligence, nor do the intelligence providers themselves offer much assistance (at least not in any official capacity). Running a USG SOC in a previous life, we were struggling with the same questions and when I posed it to DHS’ SOC, the quick response was “one year”. At the time, I remembered their response was without hesitation: ”What the hell did they know that I didn’t?!” I inquired as to why one year…and the blank silence followed by visible shoulder shrug re-assured me they didn’t really have any logic behind the answer. I love those superficial definitive dartboard answers…but let’s be honest, at least they had an expiration policy and took a stand.
As ThreatQuotient designed our intelligence scoring and expiration framework (aka depreciation, rate of decay, or my personal favorite “sunsetting”) we needed to take into consideration two types of security organizations: teams with less of an opinion and ones having almost too many opinions. This is where my operational background starts to kick in and we distinguish ourselves from competitors. We realize teams need a variety of options in a roadmap-like maturity model, so we offer a tiered approach (aka crawl, walk, and run) where the feature increases in sophistication as the team feels they’ve mastered each tier. However, before I dive into our strategy let me first set the stage that expiration and indicator scoring are NOT exclusively dependent of each other. I admit when leveraged together they maximize their value but some teams do not have the discipline or capability to manage both immediately out of the gate.
And this exact reason is why ThreatQ molds to a team rather than forcing a team to mold to ThreatQ! </rant>
Expiration Tier I is the “entry-level” strategy taking two critical factors into consideration including Source and Indicator Type. Many current vendor/practitioner methods we see tie expiration to a single parameter [Source], which is fundamentally deficient because it assumes ALL intelligence from a source is created equally…and that simply is not true. By adding Source + Indicator Type it allows teams to take a more authoritative view of their intelligence.
There are five core strategies for wrapping expiration around both Source and Indicator Type including:
1) Why Source? The most important point – all intelligence has a Source! No point having an expiration policy if it only applies to a fraction of the intelligence you’re consuming, or even more important can’t differentiate between where that data has come from.
2) Why Source? Represents the confidence in the Source of the intelligence. [Quick distinction – this DOES NOT represent the intelligence itself because that is the definition of “scoring”]
3) Why Source? Quantity of intelligence – sources generally distribute a consistent amount of intelligence with a minimal standard deviation providing a degree of predictability, which is important.
4) Why Indicator Type? This speaks directly to a team’s local environment as the indicator type determines which tools intelligence is distributed to. This is critical because different tools can consume different volumes of intelligence.
5) Why use both? Taking 2 parameters into consideration is a great first step before opening the floodgates of anything and everything. It is easy to compute, easy to understand/comprehend, and introduces a multi-dimensional capability allowing teams to weight and rank either Source or Indicator Type.
Not every team will need to utilize indicator expiration out of the gate (which is perfectly acceptable) but at some point down the line every team will have to address their intelligence lifecycle to ensure infrastructure hygiene and analyst sanity.
As you can tell our entry-level expiration model is meant to provide a starting point getting the team on the same page before moving on to our more mature models that include scoring, aging algorithms, and machine-learning.