IOC Scoring Model

by Shimon Modi

Severity scores are important, and hugely valuable to analysts when calculated in a context-aware way. But we don’t have to settle on black box calculations and secret sauce techniques. This means we need a way of consistently determining IOC severity scores with a high level of confidence.

Here are the foundational pillars for how TruSTAR calculates scores that help analysts determine IOC applicability to their triage process:

1. Context and relevance starts with the individual: IOC’s from external sources that are present in your internal SIEM alerts or have been observed in historical cases need to be given higher importance. Similarly, TTPs capable of taking advantage of your enterprise’s attack surface should be treated with higher relevance.

2. Rank indicator sources consistently: The most important piece of intelligence today are incidents being analysed and investigated in your peer enterprises. Then comes curated intelligence from closed intel sources, and finally there is open source intelligence. Severity scoring needs to take intel sources into consideration and rank them with different weights.

3. Timing is everything: Not all threat indicators are created equal. Some of them decay over time while others remain active for months. For example, C&C IP addresses are often hard coded into the malware and can give value over time, but it is trivial to change the MD5 of the malware itself. Most security analysts, if not explicitly then at least intuitively, use this heuristic in their overall analysis. The temporal component of IOC’s - when was it first observed, when was it last observed, any periods of dormancy - all of these are valuable attributes and should be reflected in individual IOC severity scores.    

4. Relationships matter more than correlations:  A set of IOCs correlated through a threat activity says nothing of the causal relationship among them. Exploring relationships between IP addresses and nameservers and MD5 hash and file names provide deep insight into the nature of their relationship. Telling apart causal relationships from correlations is critical.

On the TruSTAR platform IOCs that are determined to be HIGH PRIORITY by our machine learning models are labeled accordingly and visible when you click on an IOC in the graph view. Our Search results also shows the label of the IOCs.

Graph Visualization View
Search Results View

You can learn more about the underlying machine learning approach in our blog posts here.

How Did We Do?