With each day that passes, threat intelligence platforms automatically absorb hundreds, thousands, potentially millions of indicators, forcing teams, and vendors, to quickly define a threat data lifecycle or expiration strategy. This has been a controversial discussion for most of my career. Much like attribution, expiration efforts are very subjective and depend entirely on tools, adversaries, feeds, and the teams’ sanity point between chasing false positives and precautionary due diligence alerts.
So what do we mean when we talk about expiration? Put simply, your threat intelligence has a shelf life and this means it needs to be kept track of, used before it goes off and got rid of when it’s past its best. Unfortunately, there is neither a well-defined industry standard on how to expire intelligence, nor do the intelligence providers themselves offer much assistance - at least not in any official capacity. Luckily, there are strategies available you can use and continue to refine as your threat operations program matures.
An entry-level strategy
Let’s consider two core attributes of intelligence to begin with - source type and indicator type. Tying expiration to source alone is not enough as this assumes that all intelligence from a source is created equally, which simply isn’t true. Combining source and indicator type will provide you with a more complete view of your intelligence.
By considering source you can ensure you understand where your data is coming from; this is an important baseline for any strategy. Since all intelligence has a source, it’s a way to make sure that you are including all the intelligence you’re consuming in your expiration policy, which is essential for success. Source also helps you to take into account the confidence you have in that source and the quantity of intelligence the source distributes, which is important for predictability.
Indicator type is important because it speaks directly to your local environment as the indicator type determines which tools the intelligence is distributed to. This is critical because different tools can consume different volumes of intelligence.
Starting with these two parameters is a great way to get the team on the same page. It is easy to compute, easy to understand, and introduces a multi-dimensional capability allowing teams to weigh and rank source and indicator type.
Refining your expiration strategy
Once your team is comfortable with source and indicator type, you can consider expanding your model to include applying “aging algorithms” to the intelligence. The entry-level strategy uses a linear approach and assumes that intelligence deteriorates at a uniform rate. But we know this isn’t true across the board. Different pieces of intelligence have different lifecycles. Aging algorithms use various methods to account for this.
For example, some types of intelligence deteriorate rapidly over a short period of time and then slow down. This type of intelligence is meant to be operational for hours or days at the most. Open source intelligence typically falls into this group, because even the bad guys monitor it to determine when they have been discovered and their probability of success exponentially decreases.
Some intelligence should never expire. For instance, although some domains and infrastructure tied to previous malicious activity might not pose an immediate threat, history shows it will always be a threat. Intelligence associated with certain adversaries may also be non-expiring because you know that at some point they will likely re-use that infrastructure.
Still, other pieces of intelligence are likely to be relevant for a longer period of time before dramatically decaying. Information provided by commercial feeds, ISAC consortiums, internal intelligence collection or gleaned from other sharing communities will likely fit this paradigm.
In order to be effective and successful as you add more sophisticated aging metrics to your approach, an expiration strategy must be simple, reliable, relatively predictable and easy to adjust. Most importantly, it must be applied to all intelligence in order to make sure that it is being used before it goes bad, resources are not wasted and risk in not being increased by threat intelligence that’s past its shelf life.