
The 5 Most Common Pitfalls of Cyber Threat Indicator Scoring & How to Solve Them [PART 2]

In this conclusion of a two-part series, Director of Product Shimon Modi explains how TruSTAR calculates scores that help analysts determine IoC relevance to their triage process. Check out PART 1 to learn the five most common IoC scoring mistakes.

At TruSTAR our processes are driven by scientific rigor (check out our previous post on Project Balerion), which is why we openly discuss our approach to scoring threat indicators, as well as the assumptions underlying it.


Here are the foundational pillars for how TruSTAR calculates scores that help analysts determine IoC applicability to their triage process:

1. Context and relevance start with the individual enterprise: IoCs from external sources that also appear in your internal SIEM alerts, or that have been observed in historical cases, need to be given higher importance. Similarly, TTPs capable of taking advantage of your enterprise's attack surface should be treated with higher relevance.

2. Rank indicator sources consistently: The most valuable intelligence today is the set of incidents being analysed and investigated in your peer enterprises. Then comes curated intelligence from closed intel sources, and finally there is open source intelligence. Severity scoring needs to take the source into account and weight each tier differently.

3. Timing is everything: Not all threat indicators are created equal. Some decay quickly while others remain active for months. For example, C&C IP addresses are often hard coded into the malware and retain value over time, whereas it is trivial to change the MD5 of the malware itself. Most security analysts, if not explicitly then at least intuitively, use this heuristic in their overall analysis. The temporal component of IoCs - when an indicator was first observed, when it was last observed, any periods of dormancy - all of these are valuable attributes and should be reflected in individual IoC severity scores.

4. Relationships matter more than correlations: A set of IoCs correlated through a threat activity says nothing about the causal relationship among them. Exploring the relationships between IP addresses and nameservers, or between an MD5 hash and its file names, provides deep insight into the nature of those links. Telling causal relationships apart from mere correlations is critical.

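The four pillars above can be read as four explicit factors in a score. The Python below is an added example written for this post, not TruSTAR's scoring code: it models internal sightings as a multiplier, source tiers as fixed weights, age as a per-type exponential decay (a C&C IP gets a long half-life, an MD5 a short one), and declared relationships as a bounded spillover, while mere co-occurrence in the same campaign gives nothing. Every weight, half-life and cap is an assumed value chosen to keep the arithmetic visible, the sample indicators are constructed (the hash is the EICAR test file's MD5), and `Indicator`, `score_all` and `rank` are names invented here.

```python
"""Illustrative IoC relevance scoring.

Added example, not TruSTAR's scoring code. It encodes the four pillars from
the post as explicit factors; every weight, half-life and cap below is an
assumed value chosen to make the arithmetic visible, not a published tuning.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Pillar 2: rank sources consistently. Peer incidents outrank closed intel,
# which outranks open source. (Assumed weights.)
SOURCE_WEIGHT = {"peer_incident": 1.0, "closed_intel": 0.7, "open_source": 0.4}

# Pillar 3: per-type decay. An MD5 is trivial to change; a C&C IP hard coded
# into malware stays useful far longer. Half-life in days. (Assumed values.)
HALF_LIFE_DAYS = {"md5": 7.0, "domain": 30.0, "ip": 90.0}
DEFAULT_HALF_LIFE_DAYS = 14.0


@dataclass
class Indicator:
    value: str
    ioc_type: str           # "ip", "domain", "md5", ...
    source: str             # key of SOURCE_WEIGHT
    first_seen: datetime
    last_seen: datetime
    internal_hits: int = 0  # Pillar 1: matches in own SIEM alerts / past cases
    related: set = field(default_factory=set)  # Pillar 4: values of linked IoCs


def temporal_factor(ioc: Indicator, now: datetime) -> float:
    """Exponential decay on days since the last sighting, per-type half-life."""
    age_days = max((now - ioc.last_seen).total_seconds() / 86400.0, 0.0)
    half_life = HALF_LIFE_DAYS.get(ioc.ioc_type, DEFAULT_HALF_LIFE_DAYS)
    return 0.5 ** (age_days / half_life)


def internal_factor(ioc: Indicator) -> float:
    """Boost for indicators already seen inside the enterprise (saturates at 5 hits)."""
    return 1.0 + 0.2 * min(ioc.internal_hits, 5)


def base_score(ioc: Indicator, now: datetime) -> float:
    return SOURCE_WEIGHT[ioc.source] * temporal_factor(ioc, now) * internal_factor(ioc)


def score_all(iocs, now):
    """Score each IoC, then let declared relationships lift a stale indicator
    that is tied to a strong one (e.g. an old hash whose C&C IP is still live).
    Correlation alone (same campaign) earns no bonus; only explicit links do."""
    base = {i.value: base_score(i, now) for i in iocs}
    final = {}
    for i in iocs:
        linked = [base[r] for r in i.related if r in base]
        bonus = 0.25 * max(linked) if linked else 0.0  # assumed 25% spillover
        final[i.value] = round(base[i.value] + bonus, 3)
    return final


def rank(iocs, now):
    """Triage order: most relevant indicator first."""
    scores = score_all(iocs, now)
    return sorted(scores, key=lambda v: scores[v], reverse=True)


# Constructed sample sightings (not real data; the hash is EICAR's MD5).
NOW = datetime(2018, 6, 1)
SAMPLE = [
    Indicator("203.0.113.10", "ip", "peer_incident",
              NOW - timedelta(days=120), NOW - timedelta(days=90),
              related={"44d88612fea8a8f36de82e1278abb02f"}),
    Indicator("44d88612fea8a8f36de82e1278abb02f", "md5", "open_source",
              NOW - timedelta(days=7), NOW - timedelta(days=7),
              related={"203.0.113.10"}),
    Indicator("c2.example.net", "domain", "closed_intel",
              NOW - timedelta(days=3), NOW, internal_hits=2),
]

if __name__ == "__main__":
    for value, s in sorted(score_all(SAMPLE, NOW).items(), key=lambda kv: -kv[1]):
        print(f"{s:6.3f}  {value}")
```

Note how the numbers fall out: the 90-day-old C&C IP from a peer incident still scores 0.5 before relationships, the week-old open-source MD5 has already halved to 0.2, and the fresh closed-intel domain with two internal SIEM hits leads at 0.98. The link between hash and IP lifts both, but a linked indicator can never outrank the thing it is linked to, so a weak correlation cannot masquerade as a strong finding.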

The ability for an analyst to investigate IoCs and confidently answer the who, what, where, when, and why of an attack is invaluable. Platform features like IoC Search and Enclave Tags help operators prioritize IoC investigation, and our scoring methodology is aimed at further reducing ambiguity in the triage process. We have designed it with the ultimate objective of increasing the signal to noise ratio and, over time, reflecting what is relevant to end users.


Interested in learning more about how TruSTAR can help you contextualize your IoCs? Download our Product Sheet.


Click HERE to read Part 1 of our IoC Scoring Series.
