Aging Intelligence Tier II – Maturing Deprecation & Scoring


The next evolution of deprecation and scoring is developing several advanced “aging” algorithms.  This provides analysts the next phase of control to be applied to their intelligence so each piece can live out its lifecycle based on it’s own destiny.  The Tier I expiration model (which purposely does NOT rely on score) utilizes a standard linear approach, however, for larger more advanced teams applying a standard linear decay across all intelligence is too inflexible/rigid because not all intelligence is created equal and each requires a various rate of decay.


The TQ Aging algorithms are mathematically driven coefficients to determine the rate of deterioration including:

a) Linear – a uniform rate of decay as indicated by the orange line in the graphic.  The intelligence that falls into this category is typically deemed ‘middle of the road’.

b) Exponential – described as a high rate of decay where the threat against the company is reduced dramatically over a short amount of time and then slows down over time.  I tend to categorize this as open source intelligence where even the bad guys monitor it to determine when they have been discovered and their probability of success exponentially decreases.  A handful of high volume feeds also fit under this umbrella where the legitimacy/focal point of the intelligence is meant to be operational for hours or days maximum.

c) Logarithmic – very similar to the exponential aging with an initial high rate of decay but the rate tapers off slightly to keep it “relevant” for a longer period of time.

d) Non-expiring – some threat intelligence should never expire regardless of score or activity.  For instance, will always be malicious so although it might not pose an immediate threat, history shows it will always be a threat.  In a previous DIB life we would set intelligence associated with certain adversaries to non-expiring because we knew at some point they would re-use that infrastructure.

e) Reverse Exponential – for intelligence that is likely to be relevant for a longer period of time.  Information provided by commercial feeds, ISAC consortiums, internal intelligence collection or gleaned from smaller private fight club sharing communities will likely fit this paradigm.


Pretty cool huh?!  The next big question is what element of intelligence is aging tied to?!  In TQ the aging framework is associated to the SOURCE of the intelligence because that largely dictates the longevity of the intelligence.  
In my operational experience, internal research, secret fight clubs, and commercial feeds yield a higher shelf life than open source feeds for obvious reasons.  The key to a successful aging approach is keeping it simplistic, reliable, relatively predictable, easy to re-adjust (when needed), and most importantly ensure it can be applied to ALL intelligence.  Analysts may want to define a highly complex aging approach with PhD-level mathematics, dozen switches and hundreds of possible permutations…huge mistake.  This is one of those situations where simple is graceful and elegant…and an aging picture is worth team understanding!


Blog Archive

About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.
Share This