12/10/2022

From time to time, when researching product ideas and hypotheses, our team develops prototypes. We believe that some of them could be useful to the cybersecurity community. Today we want to share a model for ranking indicators of compromise that we implemented based on the study “Scoring model for IoCs by combining open intelligence feeds to reduce false positives” by the University of Amsterdam. This model addresses one of the key tasks of threat intelligence: ranking indicators of compromise by a number of parameters so that the most dangerous ones can be singled out and the focus of threat hunting narrowed.
The model works with a small set of clearly defined parameters (coefficients) that enter the score calculation:
- Extensiveness is a measure of the number of relationships between an indicator of compromise and other indicators and contexts.
- Timeliness is a measure of how quickly a source provides data compared to other sources.
- Completeness is a measure of how complete a source's data is relative to the combined data set of all sources.
In addition to these parameters, there is a coefficient that accounts for the inclusion of an IoC in lists of known non-malicious resources, a decay coefficient that adjusts how quickly a rating becomes obsolete, and coefficient weights with which you can adapt the model to your needs. The model is very flexible and extensible: adding your own coefficients is straightforward. It can be treated as an academic project, or it can be bolted onto your own TI management system to calculate the reputation of indicators of compromise there and to base decisions about further handling of IoCs on those scores.
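To make the parameters above concrete, here is an added toy scoring function (our illustration for this post, not the formula from the University of Amsterdam paper or the Defensys implementation). The way extensiveness, timeliness and completeness are normalised, the weights, the allowlist factor, the exponential decay and all feed statistics and indicator values are assumptions chosen for the example.

```python
import math

# Constructed, illustrative parameters (assumed; not taken from the paper or any real feed).
SOURCE_SIZE = {"feedA": 3000, "feedB": 1200, "feedC": 4500}  # indicators published per source
TOTAL_UNIQUE = 6000            # size of the combined data set of all sources
WEIGHTS = {"extensiveness": 0.4, "timeliness": 0.3, "completeness": 0.3}
ALLOWLIST_FACTOR = 0.1         # multiplier applied when the IoC is on a known-good list
DECAY_RATE = 0.05              # per-day exponential decay of the rating (assumed form)
MAX_RELATIONS = 20             # relation count at which extensiveness saturates at 1.0

def completeness(source):
    """Share of the combined data set that this source covers."""
    return min(1.0, SOURCE_SIZE[source] / TOTAL_UNIQUE)

def timeliness(sightings):
    """Per-source timeliness: earliest reporter scores 1.0, later ones fall off with lag in days."""
    first = min(day for _, day in sightings)
    return {src: 1.0 / (1 + (day - first)) for src, day in sightings}

def extensiveness(relations):
    """Number of links to other IoCs and contexts, capped to [0, 1]."""
    return min(1.0, relations / MAX_RELATIONS)

def score_ioc(sightings, relations, on_allowlist, age_days):
    """Weighted sum per reporting source, averaged over sources, then penalised and decayed."""
    t = timeliness(sightings)
    per_source = [
        WEIGHTS["extensiveness"] * extensiveness(relations)
        + WEIGHTS["timeliness"] * t[src]
        + WEIGHTS["completeness"] * completeness(src)
        for src, _ in sightings
    ]
    base = sum(per_source) / len(per_source)
    if on_allowlist:
        base *= ALLOWLIST_FACTOR      # known-good resource: keep it visible but rank it last
    return base * math.exp(-DECAY_RATE * age_days)

def rank_iocs(iocs):
    """iocs: {value: (sightings, relations, on_allowlist, age_days)} -> [(value, score)] descending."""
    scored = [(value, score_ioc(*params)) for value, params in iocs.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample indicators (RFC 5737 / reserved example values, not real IoCs).
SAMPLE = {
    "198.51.100.5": ([("feedA", 0), ("feedB", 2)], 10, False, 0),
    "203.0.113.7": ([("feedC", 1)], 2, False, 5),
    "example.com": ([("feedA", 0), ("feedC", 0)], 15, True, 0),  # allowlisted despite rich context
}
```

Calling `rank_iocs(SAMPLE)` places the freshly reported, well-connected address first and pushes the allowlisted domain to the bottom even though its raw context score is the highest, which is exactly the false-positive reduction the allowlist coefficient is meant to provide.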
Feel free to contact us for a trial version of Defensys Threat Intelligence Platform to test all the capabilities you need to run your own TI inside your organization.