Aging Intelligence Tier II – Maturing Deprecation & Scoring



POSTED BY RYAN TROST

The next evolution of deprecation and scoring is developing several advanced “aging” algorithms.  This gives analysts the next phase of control over their intelligence, so each piece can live out its lifecycle according to its own destiny.  The Tier I expiration model (which purposely does NOT rely on score) uses a standard linear approach; however, for larger, more advanced teams, applying a standard linear decay across all intelligence is too inflexible and rigid, because not all intelligence is created equal and each kind requires a different rate of decay.

The TQ Aging algorithms are mathematically driven coefficients that determine the rate of deterioration, including:

a) Linear – a uniform rate of decay as indicated by the orange line in the graphic.  The intelligence that falls into this category is typically deemed ‘middle of the road’.

b) Exponential – a high rate of decay, where the threat against the company drops dramatically over a short amount of time and then slows down.  I tend to put open source intelligence in this category: even the bad guys monitor it to determine when they have been discovered, and their probability of success decreases exponentially.  A handful of high-volume feeds also fit under this umbrella, where the legitimacy/focal point of the intelligence is meant to be operational for hours or days at most.

c) Logarithmic – very similar to exponential aging, with an initial high rate of decay, but the rate tapers off slightly to keep the intelligence “relevant” for a longer period of time.

d) Non-expiring – some threat intelligence should never expire, regardless of score or activity.  For instance, 3322.org will always be malicious, so although it might not pose an immediate threat, history shows it will always be a threat.  In a previous DIB life we would set intelligence associated with certain adversaries to non-expiring because we knew at some point they would re-use that infrastructure.

e) Reverse Exponential – for intelligence that is likely to stay relevant for a longer period of time.  Information provided by commercial feeds, ISAC consortiums, internal intelligence collection, or gleaned from smaller private “fight club” sharing communities will likely fit this paradigm.

Pretty cool huh?!  The next big question is: what element of intelligence is aging tied to?!  In TQ the aging framework is associated with the SOURCE of the intelligence, because the source largely dictates the longevity of the intelligence.
In my operational experience, internal research, secret fight clubs, and commercial feeds yield a longer shelf life than open source feeds, for obvious reasons.  The key to a successful aging approach is keeping it simple, reliable, relatively predictable, easy to re-adjust (when needed), and, most importantly, applicable to ALL intelligence.  Analysts may want to define a highly complex aging approach with PhD-level mathematics, a dozen switches and hundreds of possible permutations…huge mistake.  This is one of those situations where simple is graceful and elegant…and a picture of the aging curves is worth more than any formula for getting the team to understand it!
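To make the five profiles and the source-driven lookup concrete, here is an added example that is not ThreatQ's code: the curve shapes, the steepness constant `K`, the `SOURCE_PROFILES` table and the `current_score` helper are all my own assumptions, chosen so every profile starts at 1.0 and (except non-expiring) reaches 0.0 at the end of its source's window.

```python
import math
from enum import Enum

class Aging(Enum):
    LINEAR = "linear"
    EXPONENTIAL = "exponential"
    LOGARITHMIC = "logarithmic"
    NON_EXPIRING = "non-expiring"
    REVERSE_EXPONENTIAL = "reverse-exponential"

K = 5.0  # hypothetical steepness constant shared by the curved profiles

def aging_factor(profile, age_days, ttl_days):
    """Fraction of the original score that survives after age_days: 1.0 fresh, 0.0 expired."""
    if profile is Aging.NON_EXPIRING:
        return 1.0                      # never ages out, whatever the score or activity
    t = max(age_days, 0) / ttl_days     # normalised age; 1.0 is the end of the window
    if t >= 1.0:
        return 0.0
    if profile is Aging.LINEAR:
        return 1.0 - t
    if profile is Aging.EXPONENTIAL:    # steep early drop that flattens; rescaled to hit 0 at ttl
        return (math.exp(-K * t) - math.exp(-K)) / (1.0 - math.exp(-K))
    if profile is Aging.LOGARITHMIC:    # steep early drop too, but the tail tapers more gently
        return 1.0 - math.log1p(K * t) / math.log1p(K)
    if profile is Aging.REVERSE_EXPONENTIAL:  # holds its value early, most decay happens late
        return 1.0 - (math.exp(K * t) - 1.0) / (math.exp(K) - 1.0)
    raise ValueError(f"unknown aging profile: {profile}")

# Constructed source -> (profile, window in days) table: aging is tied to the SOURCE
SOURCE_PROFILES = {
    "open-source-feed":   (Aging.EXPONENTIAL, 7),             # useful for hours or days at most
    "vendor-blog-iocs":   (Aging.LOGARITHMIC, 30),
    "commercial-feed":    (Aging.REVERSE_EXPONENTIAL, 180),
    "internal-research":  (Aging.REVERSE_EXPONENTIAL, 365),
    "adversary-infra":    (Aging.NON_EXPIRING, 0),            # infrastructure known to be re-used
}

def current_score(base_score, source, age_days):
    """Score of an indicator today, driven by its source's aging profile (hypothetical helper)."""
    profile, ttl_days = SOURCE_PROFILES[source]
    return base_score * aging_factor(profile, age_days, ttl_days)
```

Plotting `aging_factor` for each profile over one window reproduces the curve picture the post refers to, which is the quickest way to sanity-check a profile before assigning it to a source.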

The post Aging Intelligence Tier II – Maturing Deprecation & Scoring appeared first on ThreatQuotient.
