In this conclusion of a two-part series, Director of Product Shimon Modi explains how TruSTAR calculates scores that help analysts determine IoC relevance to their triage process. Check out PART 1 to learn the five most common IoC scoring mistakes.
At TruSTAR our processes are driven by scientific rigor (check out our previous post on Project Balerion), which is why we openly discuss our approach to scoring threat indicators, together with its underlying assumptions.
Here are the foundational pillars for how TruSTAR calculates scores that help analysts determine IoC applicability to their triage process:
1. Context and relevance start with the individual: IoCs from external sources that are present in your internal SIEM alerts or have been observed in historical cases need to be given higher importance. Similarly, TTPs capable of taking advantage of your enterprise’s attack surface should be treated with higher relevance.
2. Rank indicator sources consistently: The most important intelligence today is the set of incidents being analysed and investigated in your peer enterprises. Then comes curated intelligence from closed intel sources, and finally there is open source intelligence. Severity scoring needs to take intel sources into consideration and rank them with different weights.
3. Timing is everything: Not all threat indicators are created equal. Some of them decay over time while others remain active for months. For example, C&C IP addresses are often hard-coded into the malware and retain value over time, but it is trivial to change the MD5 of the malware itself. Most security analysts, if not explicitly then at least intuitively, use this heuristic in their overall analysis. The temporal component of an IoC (when it was first observed, when it was last observed, any periods of dormancy) consists of valuable attributes, and all of them should be reflected in individual IoC severity scores.
4. Relationships matter more than correlations: A set of IoCs correlated through a threat activity says nothing of the causal relationship among them. Exploring the relationships between IP addresses and nameservers, or between MD5 hashes and file names, provides deep insight into the nature of their connection. Telling apart causal relationships from correlations is critical.
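To make the first three pillars concrete, here is an added, illustrative scoring model that is not TruSTAR's own formula: source tiers get fixed weights, each indicator type decays with its own half-life, the longest dormant gap between sightings discounts the score, and internal observation keeps full weight. All weights, half-lives and sample indicators are constructed assumptions.

```python
from datetime import datetime

# Assumed, illustrative weights (not TruSTAR's values). Pillar 2: peer incidents
# outrank closed intel, which outranks open source.
SOURCE_WEIGHT = {"peer_incident": 1.0, "closed_intel": 0.7, "open_source": 0.4}
# Pillar 3: assumed half-lives in days. A hard-coded C&C IP stays useful for
# months; a file hash is trivial to change, so it decays within days.
HALF_LIFE_DAYS = {"ip": 90.0, "domain": 60.0, "md5": 7.0}
# Pillar 1: an indicator already seen in internal SIEM alerts or past cases
# keeps full weight; one never seen internally is discounted.
INTERNAL_WEIGHT = {True: 1.0, False: 0.6}

def _days(a, b):
    return (b - a).total_seconds() / 86400.0

def score_ioc(ioc, now):
    """Relevance score in [0, 100] for one indicator under the assumed model."""
    sightings = sorted(ioc["sightings"])
    half_life = HALF_LIFE_DAYS[ioc["type"]]
    # Exponential decay since the last observation, in units of the type's half-life.
    recency = 0.5 ** (max(_days(sightings[-1], now), 0.0) / half_life)
    # Dormancy: the longest quiet gap between consecutive sightings, also in
    # half-lives. A long silent stretch lowers confidence that it is still live.
    gaps = [_days(a, b) for a, b in zip(sightings, sightings[1:])]
    dormancy = 1.0 / (1.0 + max(gaps, default=0.0) / half_life)
    # The strongest source reporting the indicator sets the source weight.
    source = max(SOURCE_WEIGHT[s] for s in ioc["sources"])
    internal = INTERNAL_WEIGHT[ioc["seen_internally"]]
    return 100.0 * source * recency * dormancy * internal

def rank_iocs(iocs, now):
    """Return (value, score) pairs, highest relevance first."""
    scored = [(i["value"], round(score_ioc(i, now), 1)) for i in iocs]
    return sorted(scored, key=lambda p: p[1], reverse=True)

# Constructed sample indicators (not real IoCs); NOW is fixed for reproducibility.
NOW = datetime(2024, 6, 1)
SAMPLE_IOCS = [
    {"value": "203.0.113.7", "type": "ip", "sources": ["peer_incident"],
     "seen_internally": True, "sightings": [datetime(2024, 5, 20), datetime(2024, 5, 30)]},
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "sources": ["open_source"],
     "seen_internally": False, "sightings": [datetime(2024, 4, 1)]},
    {"value": "example.test", "type": "domain", "sources": ["closed_intel", "open_source"],
     "seen_internally": True, "sightings": [datetime(2024, 1, 1), datetime(2024, 5, 31)]},
]

if __name__ == "__main__":
    for value, score in rank_iocs(SAMPLE_IOCS, NOW):
        print(f"{score:6.1f}  {value}")
```

The stale open-source hash scores near zero while the peer-reported, internally seen C&C address stays near the top, and the domain with a five-month silent gap lands in between despite a recent sighting.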
The ability for an analyst to investigate IoCs and confidently answer the who, what, where, when, and why of an attack is invaluable. Our platform features like IoC Search and Enclave Tags are extremely useful in helping operators prioritize IoC investigation, and our scoring methodology is aimed at further reducing ambiguity in the triage process. We have designed our scoring methodology with the ultimate objective of increasing the signal-to-noise ratio and, over time, reflecting what is relevant to end users.
Interested in learning more about how TruSTAR can help you contextualize your IoCs? Download our Product Sheet.
Click HERE to read Part 1 of our IoC Scoring Series.