SPRING CLEANING
Managing Indicator Deprecation in ThreatConnect
Alex Valdivia
ThreatConnect Research Team
March 21, 2017
© 2017 ThreatConnect, Inc. All Rights Reserved.
Google Image Search: Roomba Time Lapse
Table of Contents
Threat Ratings, Confidence, and Deprecation
• Threat and Confidence Ratings
• Indicator Deprecation
Why?
• 3 Reasons for Indicator Deprecation
• Scenario: VXVault Source
How?
• Deprecation Rule Configuration
• Deprecation Rule Approaches
• Additional Considerations and Best Practices
Resources
Questions
Threat Ratings, Confidence, and Deprecation
Threat and Confidence Ratings
Threat Ratings
• Threat Level of Indicator
• Scale of 0-5 Skulls
Confidence Ratings
• Confidence in Threat Rating
• Percentage scale of 0-100
Threat Rating Best Practices
Threat Rating Factors
1. Capability
2. Determination
3. Progression
Threat Rating Scale
0 Skulls Unknown
1 Skull Suspicious
2 Skulls Low
3 Skulls Moderate
4 Skulls High
5 Skulls Critical
Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
Confidence Rating Best Practices
Confidence Rating Factors
1. Confirmation
2. Plausibility
3. Consistency
Confidence Rating Scale
0 Unknown
1 Discredited
2-29 Improbable
30-49 Doubtful
50-69 Possible
70-89 Probable
90-100 Confirmed
Blog: https://www.threatconnect.com/blog/best-practices-indicator-rating-and-confidence/
Indicator Deprecation
• System for automatically lowering the confidence rating of indicators over time.
• Does not affect threat rating.
• Rules customizable by indicator type.
• Enabled at Org, Source, and Community level.
• Requires Org Admin or Director role.
Example rule shown on the slide: Interval: 10 Days, Confidence Amount: 10
But Why?
3 Reasons for Indicator Deprecation
1. Lower confidence to reflect indicator’s “staleness”
2. Automatically delete indicators you no longer care about
3. Your analysts don’t know about this feature and you
want them to think they’re slowly losing their minds
Scenario: VXVault Source
● Open Source URL Feed
● 100 URLs per Day
● Default Rating: 3 Skulls
● Default Confidence: 80%
Scenario: VXVault Source - No Deprecation
Figure: Day 1, 100 URLs; Day 2, 200 URLs (new URLs are added while old URLs remain); Day 90, 9K URLs.
Scenario: VXVault Source - With Deprecation
Figure: Day 1, 100 URLs; Day 2, 200 URLs; Day 90, 9K URLs, with deprecated old URLs marked X (deleted).
But How?
Deprecation Rule Configuration - Org
Deprecation Rule Configuration - Source/Community
Deprecation Rule Configuration
● Indicator Type
○ 10 Types
● Interval
○ Days
● Confidence Amount
○ 1-100
● Percentage
○ Based on current confidence rating
● Recurring
● Delete At Minimum (Zero)
● Update Chart Upon Deletion
Deprecation Rule Approaches
Arbitrary Starting Confidence - Control Deprecation Rate
• Appropriate for manually created indicators, indicators shared by other users.
• I want to lower the confidence of Hosts by 10 every 10 days, and delete when confidence reaches zero.
Known Starting Confidence - Control Timing of Confidence Changes, Deletions
• Appropriate for ThreatConnect Sources, HTTP Scraper, TAXII, API Integrations.
• I want URL indicators to be deleted in 60 days.
• I want the confidence of IP Addresses to change from Probable to Possible in 10 days.
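To make the rule configuration fields above (interval, confidence amount, percentage, recurring, delete at minimum) and the two approaches concrete, here is an added simulation of how a rule walks an indicator's confidence down the deck's confidence scale. It is example code written for this page, not ThreatConnect's own code or API; the field names, the default 365-day horizon and the rounding of percentage steps are assumptions.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Confidence bands from the deck's Confidence Rating Scale: (lower bound, label).
CONFIDENCE_BANDS = [(90, "Confirmed"), (70, "Probable"), (50, "Possible"),
                    (30, "Doubtful"), (2, "Improbable"), (1, "Discredited"), (0, "Unknown")]

def band(confidence: int) -> str:
    """Map a 0-100 confidence to its label on the deck's scale."""
    return next(label for floor, label in CONFIDENCE_BANDS if confidence >= floor)

@dataclass
class DeprecationRule:
    """Mirrors the rule configuration slide; field names are ours, not the product's."""
    interval_days: int                # how often the rule fires
    amount: int                       # 1-100: points, or percent if percentage=True
    percentage: bool = False          # percent of the *current* confidence
    recurring: bool = True            # False: fire once, then stop
    delete_at_minimum: bool = False   # delete the indicator when confidence hits zero

def simulate(start: int, rule: DeprecationRule, horizon_days: int = 365) -> List[Tuple[int, Optional[int], str]]:
    """Timeline of (day, confidence, band); confidence None means the indicator was deleted.
    Rounding percentage steps up (ceil) is an assumption, not documented product behaviour."""
    conf, day = start, 0
    timeline = [(0, conf, band(conf))]
    while day + rule.interval_days <= horizon_days:
        day += rule.interval_days
        step = math.ceil(conf * rule.amount / 100) if rule.percentage else rule.amount
        conf = max(0, conf - step)
        if conf == 0 and rule.delete_at_minimum:
            timeline.append((day, None, "Deleted"))
            break
        timeline.append((day, conf, band(conf)))
        if not rule.recurring:
            break
    return timeline

def first_day_in(timeline, label: str) -> Optional[int]:
    """First day the indicator is in `label` ("Deleted" for removal), or None if never."""
    return next((day for day, _, b in timeline if b == label), None)

def amount_for_deletion(start: int, interval_days: int, target_days: int) -> int:
    """Known-start approach: smallest non-percentage amount that deletes by target_days."""
    firings = target_days // interval_days       # rule firings available before the deadline
    return math.ceil(start / firings)
```

Running simulate(80, DeprecationRule(10, 10, delete_at_minimum=True)) reproduces the slide's example rule on a VXVault URL (default confidence 80): it becomes Possible on day 20 and is deleted on day 80, while amount_for_deletion(80, 10, 60) gives the amount (14) needed to meet the "deleted in 60 days" goal.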
Deprecation Rules: Additional Considerations
Not All Indicators Are Created Equal
• URLs vs IP Addresses vs Domains
• Pyramid of Pain...ish
Not All Feeds Are Created Equal
• Malware Domain Feed
• Phishing URL Feed
• Scanning IP Feed
Figure: indicator types and feeds arranged on a scale from Slower Deprecation to Faster Deprecation, with No Deprecation at the far end.
Deprecation Rules: Research Team Best Practices
Our team commonly uses the settings below for deprecation rules in ThreatConnect sources collecting data from open source feeds. Do keep in mind, this is not a one-size-fits-all solution!

Indicator Types                         Probable > Possible   Deletion   Interval (Days)   Deprecation Amount
Address, ASN, CIDR                      55 days               Yes        11                6
URL, Host                               110 days              No         11                3
Email Address                           225 days              No         30                4
File, Mutex, Registry Key, User Agent   N/A                   N/A        N/A               N/A
Resources
● ThreatConnect Blog: Best Practices: Indicator Rating and Confidence
● ThreatConnect KnowledgeBase: Configuring Indicator Confidence Deprecation
● This slide deck!
● ThreatConnect Customer Success Representative
Thank You
THREATCONNECT.COM