csirtgadgets / cif-v5

The FASTEST way to consume threat intel.

Home Page:https://csirtgadgets.com


Expiration of Indicators of Compromise (IoCs)

kcreddy opened this issue · comments

Do you have a support subscription?

No

Did you check the FAQ ?

Yes

Expected behavior and actual behavior.

N/A

Question:

Does the CIFv5 API or the CIFv3 API (which is now archived) have support for indicator expiration? If so, any insight as to how you handle IoC expiration, whether there's a field that exposes whether an indicator is expired, whether there's a TTL on each IoC, etc., would be appreciated.

commented

if you're querying CIF on a per indicator basis, IOCs don't "expire", per se, but they come with a set of timestamps so the end user can determine if they are still applicable (lasttime, reporttime) -- when the ioc was last observed in a feed and when it was inserted into CIF.

if you're pulling feeds, the system will use similar logic and "only include IOCs with recent timestamps".

we try to enable users to make that choice "at the last mile" based on the timestamps rather than in the indicator itself.

@wesyoung Thanks for the insights 👍🏼 . I am trying to get some reasonable defaults based on the suggested timestamps like lasttime, reporttime etc.

Would it be reasonable to assume a default of 6 months after reporttime or 3 months after lasttime upon which the indicator could be no longer applicable? or would it be even longer than that usually?
If it depends on other parameters such as itype, what defaults would you suggest to users for each itype?

commented

usually i suggest (all assuming lasttime, which is probably what you want here)

ip(v4/v6): 21d if you want to be aggressive, 45d if you don't

fqdn: 90d (this one gets fuzzy, if it's a compromised domain, it either gets cleaned up or it doesn't after a few days, else it's bad almost forever)

url: 365d (or forever, if a url is bad, it's likely never good again)

hashes (malware, etc): 365d or forever

if you have any stale indicators lying around for > 2 years, they can likely be purged (urls, specifically bad domains, malware hashes). some folks may suggest 365d if they're being aggressive about those.

these days, things move so fast i'd purge those after a year as well depending on your use case.

does that make sense?
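A worked example, added here and not part of the thread or of the CIF project's code, that applies the windows suggested above ("at the last mile", on the consumer side) to records carrying CIF's lasttime and reporttime fields. The itype names (ipv4, ipv6, fqdn, url, md5, sha1, sha256), the ISO-8601 timestamp format, the sample feed, and the fallback to reporttime when lasttime is absent are assumptions, not CIF behaviour.

```python
from datetime import datetime, timedelta, timezone

# Retention windows in days after lasttime, as (aggressive, conservative), from the
# thread: ip 21d/45d, fqdn 90d, url 365d, hashes 365d. itype names are assumed to
# match CIF's (ipv4, ipv6, fqdn, url, md5, sha1, sha256).
TTL_DAYS = {
    "ipv4": (21, 45), "ipv6": (21, 45), "fqdn": (90, 90), "url": (365, 365),
    "md5": (365, 365), "sha1": (365, 365), "sha256": (365, 365),
}
PURGE_AFTER = timedelta(days=2 * 365)  # "stale for > 2 years": purge candidate


def parse_ts(value):
    """Parse an ISO-8601 timestamp (assumed CIF format, e.g. '2024-05-20T00:00:00Z')."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def classify(indicator, now, aggressive=False):
    """Return 'active', 'stale', 'purge' or 'unknown' for one record, aged from
    lasttime (last seen in a feed) or, if absent, reporttime (insertion time)."""
    windows = TTL_DAYS.get(indicator.get("itype"))
    if windows is None:
        return "unknown"
    age = now - parse_ts(indicator.get("lasttime") or indicator["reporttime"])
    if age > PURGE_AFTER:
        return "purge"
    return "active" if age <= timedelta(days=windows[0 if aggressive else 1]) else "stale"


def triage(indicators, now, aggressive=False):
    """Bucket a feed by verdict, keeping only the indicator values."""
    buckets = {"active": [], "stale": [], "purge": [], "unknown": []}
    for ind in indicators:
        buckets[classify(ind, now, aggressive)].append(ind["indicator"])
    return buckets


# Constructed sample feed (not real CIF data), evaluated at a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"indicator": "192.0.2.10", "itype": "ipv4", "lasttime": "2024-05-20T00:00:00Z", "reporttime": "2024-05-01T00:00:00Z"},
    {"indicator": "192.0.2.11", "itype": "ipv4", "lasttime": "2024-04-30T00:00:00Z", "reporttime": "2024-04-01T00:00:00Z"},
    {"indicator": "bad.example.net", "itype": "fqdn", "lasttime": "2024-01-01T00:00:00Z", "reporttime": "2023-12-01T00:00:00Z"},
    {"indicator": "http://bad.example.net/x", "itype": "url", "lasttime": "2023-08-01T00:00:00Z", "reporttime": "2023-07-01T00:00:00Z"},
    {"indicator": "0123456789abcdef0123456789abcdef", "itype": "md5", "lasttime": "2022-01-01T00:00:00Z", "reporttime": "2021-12-01T00:00:00Z"},
    {"indicator": "198.51.100.5", "itype": "ipv4", "lasttime": None, "reporttime": "2024-05-25T00:00:00Z"},
]
```

Running `triage(SAMPLE, NOW)` and `triage(SAMPLE, NOW, aggressive=True)` shows the one record that flips between the two ip windows (32 days old: kept at 45d, dropped at 21d) and the hash that has gone past the two-year purge line.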

Awesome, thank you!