SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals


It is well established that not all threat actors operate similarly.
Still, security teams continue to waste storage, processing, and opportunity costs on bloated threat intelligence feeds full of stale indicators of compromise (IOCs). Early research on this problem compared the cost of retaining IOCs for a set period against the cost of responding to an incident; later research produced decay models that reduce an IOC's relevance as it ages.
Current decay models, however, apply a single uniform rate and do not account for the Tactics, Techniques, and Procedures (TTPs) of individual threat actors.
After analyzing hundreds of IOCs across three distinct Advanced Persistent Threats (APTs) from disparate regions, this paper confirms not only that threat actors cycle their IOCs at different rates, but that those rates can be tracked. It introduces an enhanced decay model with a threat actor variable that accounts for these differences in sophistication and operational hygiene. This optimized approach to IOC retention yields more accurate IOC prioritization, reducing processing and storage costs and the time spent responding to false positives.
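As an added illustration of the idea described above, and not code from the paper (whose actual model, measured cycling rates and APT data are not reproduced here), the following Python sketch contrasts a uniform exponential decay with an actor-aware one. Everything concrete in it is an assumption made for the example: exponential decay with a half-life, the median active lifetime as the estimator of an actor's half-life, the retention threshold of 25, the labels `actor_fast` and `actor_slow`, and the constructed sighting histories and IOC values (RFC 5737 / RFC 2606 placeholders).

```python
"""Illustrative IOC decay scoring with an actor-specific decay rate.

Constructed example: the decay law, the half-life estimator, the threshold and
the sample IOCs are assumptions for illustration, not figures from the paper.
"""
import statistics
from datetime import datetime, timedelta, timezone

SECONDS_PER_DAY = 86400.0
DEFAULT_HALF_LIFE_DAYS = 30.0   # the uniform model: one rate for every actor (assumed)
RETENTION_THRESHOLD = 25.0      # below this score the IOC is aged out (assumed)


def days_between(earlier, later):
    """Elapsed days as a float, clamped at zero for out-of-order timestamps."""
    return max((later - earlier).total_seconds() / SECONDS_PER_DAY, 0.0)


def estimate_half_life(sightings, floor_days=1.0):
    """Estimate an actor's IOC half-life from the lifetimes of its known IOCs.

    `sightings` is a list of (first_seen, last_seen) pairs attributed to one
    actor. Taking the median active lifetime as the half-life is a deliberately
    simple estimator chosen for this example; the floor avoids a zero half-life
    for actors whose IOCs were seen only once.
    """
    lifetimes = [days_between(first, last) for first, last in sightings]
    return max(statistics.median(lifetimes), floor_days)


def decay_score(last_seen, now, half_life_days, base_score=100.0):
    """Exponential decay: the score halves every `half_life_days` of silence."""
    age = days_between(last_seen, now)
    return base_score * 0.5 ** (age / half_life_days)


def score_ioc(ioc, now, actor_half_lives, threshold=RETENTION_THRESHOLD):
    """Score one IOC under the uniform model and the actor-aware model.

    `ioc` is a dict with keys value, actor and last_seen. An actor with no
    estimated half-life falls back to the uniform rate.
    """
    half_life = actor_half_lives.get(ioc["actor"], DEFAULT_HALF_LIFE_DAYS)
    uniform = decay_score(ioc["last_seen"], now, DEFAULT_HALF_LIFE_DAYS)
    actor_aware = decay_score(ioc["last_seen"], now, half_life)
    return {
        "value": ioc["value"],
        "actor": ioc["actor"],
        "uniform_score": uniform,
        "actor_score": actor_aware,
        "retain_uniform": uniform >= threshold,
        "retain_actor_aware": actor_aware >= threshold,
    }


# --- constructed sample data (not real actors or observations) ---------------
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)


def day(n):
    """NOW minus n days."""
    return NOW - timedelta(days=n)


# Per-actor sighting histories as (first_seen, last_seen); lifetimes are invented.
SIGHTINGS = {
    "actor_fast": [(day(40), day(35)), (day(30), day(23)), (day(20), day(11))],        # 5, 7, 9 days
    "actor_slow": [(day(400), day(300)), (day(200), day(110)), (day(150), day(70))],   # 100, 90, 80 days
}

# IOCs awaiting a retention decision.
IOCS = [
    {"value": "192.0.2.10", "actor": "actor_fast", "last_seen": day(28)},
    {"value": "c2.example.net", "actor": "actor_slow", "last_seen": day(90)},
]


def run_example():
    """Estimate each actor's half-life, then score every pending IOC."""
    half_lives = {actor: estimate_half_life(s) for actor, s in SIGHTINGS.items()}
    return half_lives, [score_ioc(ioc, NOW, half_lives) for ioc in IOCS]


if __name__ == "__main__":
    half_lives, results = run_example()
    print("estimated half-lives (days):", half_lives)
    for r in results:
        print(f"{r['value']:<16} {r['actor']:<11} "
              f"uniform={r['uniform_score']:6.2f} keep={r['retain_uniform']}  "
              f"actor-aware={r['actor_score']:6.2f} keep={r['retain_actor_aware']}")
```

Run stand-alone, the script prints the two estimated half-lives (7 and 90 days) and both scores for each IOC. The two sample IOCs are chosen to show the two failure modes of a uniform rate: the fast actor's 28-day-old address still scores about 52 under the 30-day model and would be retained, although under its own 7-day half-life it has decayed to 6.25 and should be dropped; the slow actor's 90-day-old domain scores 12.5 under the uniform model and would be expired, although under its 90-day half-life it still scores 50 and is worth keeping.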