Scoring model for IoCs by combining open intelligence feeds to - - PowerPoint PPT Presentation



SLIDE 1

Scoring model for IoCs by combining open intelligence feeds to reduce false positives

Authors: Jelle Ermerins, Niek van Noort

Supervisors: Joao de Novais Marques, Leandro Velasco

1

SLIDE 2

Introduction

  • Indicators of Compromise (IoCs) identify possible threats
  • The problem is false positives
  • Several intelligence feeds are available online
  • Goal: design a scoring model to reduce false positives

Example of an indicator of compromise (source: AbuseIPDB)

SLIDE 3

Example of an intelligence feed

SLIDE 5

Related work

A scoring model was designed by researchers from CIRCL (Luxembourg):

  • Using a decay rate
  • The score of an IoC decays over time

T. Schaberreiter et al. designed another scoring model:

  • Comparing different sources
  • Using features like extensiveness, timeliness, completeness

Open gaps:

  • No research on dependency between intelligence feeds
  • No practical research

SLIDE 6

Research questions (Challenges of designing the scoring model)

How can we use multiple open intelligence feeds in a scoring model to determine the quality of IoCs?

Sub-questions:

  • How independent are different intelligence feeds from each other?
  • How do we make the model time dependent?
  • How do we decide if we can trust an intelligence feed?
  • How do we calculate one score from multiple feeds with different levels of trust?

SLIDE 7

How independent are different intelligence feeds from each other?

SLIDE 8

Independence and overlap of feeds

Overlap is important, but intelligence feeds need to be independent.

Used intelligence feeds:

  • AbuseIPDB
  • Binary Defense Banlist
  • C&C Tracker
  • Cyber Cure

SLIDE 9

Overlap matrix of the intelligence feeds

SLIDE 10

Overlap matrix, where the difference in first sighting between the two feeds is smaller than a day
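To make the two overlap matrices (any shared indicator, and shared indicators first seen within a day of each other) concrete, here is an added Python example; it is not the deck's code. The feed names follow the deck's list, but the indicators and first-sighting timestamps are constructed sample data.

```python
from datetime import datetime, timedelta
from itertools import combinations

ONE_DAY = timedelta(days=1)  # the first-sighting window used for the second matrix

# Constructed sample data (not the deck's measurements): for each feed, the
# time at which that feed first listed the indicator. Feed names follow the
# deck's list; the addresses are from documentation ranges.
FEEDS = {
    "AbuseIPDB": {
        "203.0.113.10": datetime(2020, 2, 1, 9, 0),
        "203.0.113.11": datetime(2020, 2, 1, 12, 0),
        "198.51.100.5": datetime(2020, 2, 3, 8, 0),
    },
    "Binary Defense Banlist": {
        "203.0.113.10": datetime(2020, 2, 1, 20, 0),  # 11 h after AbuseIPDB
        "203.0.113.11": datetime(2020, 2, 4, 12, 0),  # 3 days after AbuseIPDB
        "192.0.2.7": datetime(2020, 2, 2, 0, 0),
    },
    "C&C Tracker": {
        "203.0.113.10": datetime(2020, 2, 1, 9, 30),
        "192.0.2.7": datetime(2020, 2, 2, 6, 0),
    },
}


def overlap_matrix(feeds, max_sighting_gap=None):
    """Return {(feed_a, feed_b): number of indicators listed by both feeds}.

    Without max_sighting_gap any shared indicator counts. With it, an
    indicator counts only when the two feeds' first sightings differ by at
    most that timedelta, so a late re-listing of another feed's entry no
    longer counts as overlap.
    """
    matrix = {}
    for a, b in combinations(sorted(feeds), 2):
        shared = set(feeds[a]) & set(feeds[b])
        if max_sighting_gap is not None:
            shared = {ioc for ioc in shared
                      if abs(feeds[a][ioc] - feeds[b][ioc]) <= max_sighting_gap}
        matrix[(a, b)] = len(shared)
    return matrix


if __name__ == "__main__":
    for window in (None, ONE_DAY):
        print("Overlap" + ("" if window is None else " (first sighting within one day)") + ":")
        for (a, b), n in overlap_matrix(FEEDS, window).items():
            print(f"  {a} / {b}: {n}")
```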

SLIDE 11

How do we make the model time dependent?

SLIDE 12

Decay time

An IoC loses value over time when it has not been seen again.

Decay function with different 𝛆 parameter values and a fixed 𝛖 value of 100

SLIDE 13

How do we decide if we can trust an intelligence feed?

SLIDE 14

Source confidence

Quality of the source based on some features:

  • Extensiveness
  • Timeliness
  • Completeness
  • Whitelist Overlap Score

SLIDE 15

Extensiveness

How many properties does the intelligence feed provide?

Feed A (high extensiveness):

  • IP: 5.79.79.212
  • Last seen: 2020-02-01 11:03
  • Extra info: IP used by banjori C&C

Feed B (low extensiveness):

  • IP: 1.1.209.45

SLIDE 16

Timeliness

How fast is the intelligence feed?

Figure: timeline comparing when an IoC appears in the fastest feed with when it appears in feed S.

SLIDE 17

Completeness

How many IoCs does the feed provide?

Caveat: trustworthy small-scale feeds could be disadvantaged by this feature.

SLIDE 18

Whitelist Overlap Score

Does the feed have overlap with a whitelist?

SLIDE 19

Whitelist Overlap Score

Figure: whitelist overlap score of our feeds plotted against whitelist overlap percentage (⍴ = 0.1).

SLIDE 20

The Source Confidence

Weighted mean of:

  • Extensiveness (weight 0.8)
  • Timeliness (weight 0.6)
  • Completeness (weight 0.0)
  • Whitelist Overlap Score (weight 1.0)
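The source confidence as a weighted mean of the four features, written out as an added Python example (not the authors' implementation). The weights and ⍴ = 0.1 are the deck's; the feed statistics and the way each feature is normalised to [0, 1] (extensiveness as a share of the most properties any feed provides, timeliness from the mean lag behind the fastest feed, completeness as a share of the largest feed, and an exponential whitelist penalty) are assumptions.

```python
import math

# Feature weights from the slide. Completeness is weighted 0.0, so a small
# but trustworthy feed is not penalised (the caveat raised under Completeness).
WEIGHTS = {"extensiveness": 0.8, "timeliness": 0.6,
           "completeness": 0.0, "whitelist_overlap": 1.0}
RHO = 0.1  # whitelist overlap parameter from the deck's figure

# Constructed per-feed statistics (not the deck's measurements): properties
# provided per IoC, number of IoCs, mean lag in hours behind the fastest feed,
# and the fraction of the feed's IoCs that also appear on a whitelist.
FEED_STATS = {
    "feed_a": {"properties": 3, "iocs": 5000,  "mean_lag_hours": 2.0,  "whitelisted": 0.002},
    "feed_b": {"properties": 1, "iocs": 200,   "mean_lag_hours": 30.0, "whitelisted": 0.0},
    "feed_c": {"properties": 2, "iocs": 20000, "mean_lag_hours": 0.0,  "whitelisted": 0.08},
}


def whitelist_overlap_score(fraction, rho=RHO):
    # Assumed shape: exponential penalty, so an overlap of rho drops the
    # score to 1/e and a feed with no whitelisted IoCs scores 1.0.
    return math.exp(-fraction / rho)


def feature_scores(stats, all_stats):
    """Normalise one feed's statistics to four features in [0, 1].
    All normalisations are assumptions; the deck only names the features."""
    max_props = max(s["properties"] for s in all_stats.values())
    max_iocs = max(s["iocs"] for s in all_stats.values())
    return {
        "extensiveness": stats["properties"] / max_props,
        "timeliness": 1.0 / (1.0 + stats["mean_lag_hours"] / 24.0),
        "completeness": stats["iocs"] / max_iocs,
        "whitelist_overlap": whitelist_overlap_score(stats["whitelisted"]),
    }


def source_confidence(stats, all_stats, weights=WEIGHTS):
    """Weighted mean of the four features, as on the slide."""
    f = feature_scores(stats, all_stats)
    return sum(weights[k] * f[k] for k in weights) / sum(weights.values())


def rank_feeds(all_stats):
    """Feed names ordered from most to least trusted."""
    return sorted(all_stats, key=lambda n: source_confidence(all_stats[n], all_stats), reverse=True)


if __name__ == "__main__":
    for name in rank_feeds(FEED_STATS):
        print(f"{name}: source confidence {source_confidence(FEED_STATS[name], FEED_STATS):.3f}")
```

Note that feed_b, the smallest feed, still ranks close to feed_c because its completeness carries no weight, while feed_c's 8 % whitelist overlap costs it most of its confidence.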

SLIDE 21

How do we calculate one score from multiple feeds with different levels of trust?

SLIDE 22

Final Score Calculation

Disadvantage: each intelligence feed has the same amount of influence on the final score.

Advantage: the source confidence is still useful when an IoC is found in one feed only.

SLIDE 23

Final Score Calculation

Disadvantage: the source confidence is useless when an IoC is found in one feed only.

Advantage: the source confidence works as a weight on the final score per feed.
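An added Python example (not the deck's code) that puts the two final-score candidates side by side on top of a decayed per-feed score, so the single-feed disadvantage of the weighted form and the equal-influence disadvantage of the plain mean can both be seen on constructed numbers. The decay shape (MISP/CIRCL-style, with 𝛖 = 100 taken from the decay slide and the deck's 𝛆 treated as the steepness parameter) and both aggregation formulas are assumptions, since the deck shows its formulas only as figures.

```python
from datetime import date

# Assumed decay form (the deck shows its decay curve only as a figure):
# MISP/CIRCL decaying-model shape score * (1 - (t / tau) ** (1 / delta)),
# with tau = 100 following the deck's fixed parameter and the deck's epsilon
# treated as the steepness parameter delta. Unseen for >= tau days -> 0.
def decayed_score(base_score, days_unseen, tau=100.0, delta=0.3):
    if days_unseen >= tau:
        return 0.0
    return base_score * (1.0 - (days_unseen / tau) ** (1.0 / delta))


# Candidate 1 (assumed form): plain mean of confidence * score. Every feed
# has the same influence, but the confidence still applies when only one
# feed lists the IoC.
def mean_score(sightings):
    return sum(conf * score for conf, score in sightings) / len(sightings)


# Candidate 2 (assumed form): confidence-weighted mean of the per-feed
# scores. With a single feed the confidence cancels out entirely.
def confidence_weighted_score(sightings):
    total_conf = sum(conf for conf, _ in sightings)
    return sum(conf * score for conf, score in sightings) / total_conf


def ioc_sightings(feed_reports, today):
    """Map {feed: (source_confidence, last_seen, base_score)} to
    (confidence, decayed_score) pairs for one indicator."""
    return [(conf, decayed_score(base, (today - last_seen).days))
            for conf, last_seen, base in feed_reports.values()]


if __name__ == "__main__":
    today = date(2020, 2, 10)
    # Constructed example: one IP listed by two feeds of different confidence.
    reports = {
        "feed_a": (0.97, date(2020, 2, 5), 100.0),   # trusted, seen 5 days ago
        "feed_b": (0.64, date(2020, 1, 1), 100.0),   # less trusted, 40 days ago
    }
    both = ioc_sightings(reports, today)
    single = ioc_sightings({"feed_b": reports["feed_b"]}, today)
    for label, s in (("two feeds", both), ("feed_b only", single)):
        print("%-12s mean=%.1f  confidence-weighted=%.1f"
              % (label, mean_score(s), confidence_weighted_score(s)))
```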

SLIDE 24

Final Score Calculation

Solution: combine the two previous functions, with a square added. This gives us both advantages.

SLIDE 25

The scoring model

SLIDE 26

The scoring model

SLIDE 27

How can we use intelligence feeds in a scoring model to determine the quality of IoCs?

SLIDE 28

Conclusion

How do we decide if we can trust an intelligence feed?

  • Trust based on extensiveness, timeliness, completeness and whitelist correlation

How do we make the model time dependent?

  • Decay rate

How do we calculate one score from multiple feeds with different levels of trust?

  • Source confidence as weight for the feed
  • And also as part of the IoC score itself

How independent are different intelligence feeds from each other?

  • The feeds are independent
  • We want more independent feeds with overlap

SLIDE 29

Future work

  • Parameter optimization
  • Other characteristics for the source confidence
  • Other intelligence feeds
  • Scoring whitelists

SLIDE 30

Thank you!

And special thanks to: Joao de Novais Marques and Leandro Velasco
