Security Experts:

Your Threat Intelligence Has a Shelf Life

Smart refrigerators can monitor your food and alert you when it is about to expire. There are apps that do this as well, keeping track of food freshness using a database to predict expiration dates. These are great ways to help make sure you use food before it goes bad, and avoid getting sick by consuming something that’s past its shelf life.  

Your threat intelligence has a shelf life too. But with data overload that comes from multiple data feeds and the hundreds, thousands or potentially millions of indicators they generate every day, many organizations don’t know where to begin to define a threat data lifecycle or expiration strategy. There’s no smart fridge or app. In fact, there’s not even a well-defined, industry standard on how to expire threat intelligence. But there are strategies you can use and continue to refine as your threat operations program matures.

An entry-level strategy

To begin, consider two core attributes of your intelligence – source and indicator type. Tying expiration to source alone is not enough because this assumes that all intelligence from a source is created equally, which simply isn’t true. Combining source and indicator type will provide a more complete view of your intelligence.

By considering source you can ensure you understand where your data is coming from – an important baseline for any strategy. And, since all intelligence has a source, it’s a way to make sure that you are including all the intelligence you’re consuming in your expiration policy, which is essential for success. Source also helps you to take into account the confidence you have in that source and the quantity of intelligence the source distributes, which is important for predictability.

Indicator type is important because it speaks directly to your local environment as the indicator type determines which tools the intelligence is distributed to.  This is critical because different tools can consume different volumes of intelligence.

Starting with these two parameters is a great way to get the team on the same page. It is easy to compute, easy to understand, and introduces a multi-dimensional capability allowing teams to weigh and rank source and indicator type.

Refining your expiration strategy

Once your team is comfortable with source and indicator type, you can consider expanding your model to include applying “aging algorithms” to the intelligence. The entry-level strategy uses a linear approach and assumes that intelligence deteriorates at a uniform rate. But we know this isn’t true across the board. Different pieces of intelligence have different lifecycles. Aging algorithms use various methods to account for this.

For example, some types of intelligence deteriorate rapidly over a short period of time and then slow down. This type of intelligence is meant to be operational for hours or days at the most. Open source intelligence typically falls into this group, because even the bad guys monitor it to determine when they have been discovered and their probability of success exponentially decreases. 

Some intelligence should never expire. For instance, although some domains and infrastructure tied to previous malicious activity might not pose an immediate threat, history shows it will always be a threat. Intelligence associated with certain adversaries may also be non-expiring because you know that at some point they will likely re-use that infrastructure.

Still other pieces of intelligence are likely to be relevant for a longer period of time before dramatically decaying. Information provided by commercial feeds, ISAC consortiums, internal intelligence collection or gleaned from other sharing communities will likely fit this paradigm.

Even as you add more sophisticated aging metrics to your approach, to be effective and successful an expiration strategy must be simple, reliable, relatively predictable and easy to adjust. But most importantly, it must be applied to all intelligence so that you can make sure you use it before it goes bad, and that you don’t waste resources and possibly increase risk with threat intelligence that’s past its shelf life.

view counter
Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Phantom Cyber.