Investigating the Temporal Dynamics of Cyber Threat Intelligence

Angel Kodituwakku, Clark Xu, Daniel Rogers, David K. Ahn, Errin W. Fulp

TL;DR

The paper tackles the gap in understanding how Indicators of Compromise (IoCs) are published over time for recent CVEs. It analyzes IoCs from six critical CVEs collected from 16 CTI providers, tracking publication from Day 0 until full coverage to quantify timeliness and coverage. Results indicate that IoC publication rates frequently follow SIR-like (susceptible, infected, recovered) epidemic dynamics, with an initial slow phase, a burst of IoCs, and a subsequent slower tail. These insights inform defender strategies for multi-source IoC ingestion and highlight avenues for future work on IoC churn, expiration, and inferring attacker TTPs from publication patterns.

Abstract

Indicators of Compromise (IoCs) play a crucial role in the rapid detection and mitigation of cyber threats. However, the existing body of literature lacks in-depth analytical studies on the temporal aspects of IoC publication, especially when considering up-to-date datasets related to Common Vulnerabilities and Exposures (CVEs). This paper addresses this gap by conducting an analysis of the timeliness and comprehensiveness of Cyber Threat Intelligence (CTI) pertaining to several recent CVEs. The insights derived from this study aim to enhance cybersecurity defense strategies, particularly when dealing with dynamic cyber threats that continually adapt their Tactics, Techniques, and Procedures (TTPs). Utilizing IoCs sourced from multiple providers, we scrutinize the IoC publication rate. Our analysis delves into how various factors, including the inherent nature of a threat, its evolutionary trajectory, and its observability over time, influence the publication rate of IoCs. Our preliminary findings emphasize the critical need for cyber defenders to maintain a constant state of vigilance in updating their IoCs for any given vulnerability. This vigilance is warranted because the publication rate of IoCs may exhibit fluctuations over time. We observe a recurring pattern akin to an epidemic model, with an initial phase following the public disclosure of a vulnerability characterized by sparse IoC publications, followed by a sudden surge, and subsequently, a protracted period with a slower rate of IoC publication.
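The coverage metric behind the paper's figures (the cumulative percentage of unique IoCs for one CVE that have been published by a given day, deduplicated across providers) is easy to reproduce on a defender's own feed data. The following is an added example, not code from the paper or its authors: it uses a constructed set of feed records for three placeholder providers (`feed_a`, `feed_b`, `feed_c`) with documentation-reserved IP addresses and `.example` domains as stand-in IoCs, builds the coverage curve from Day 0 to full coverage, locates the slow phase, burst day and tail the paper describes, and shows how much coverage any single provider would have given on its own.

```python
from collections import defaultdict

# Constructed feed records (not from the paper): (provider, ioc, day_published),
# where day 0 is the CVE's public-disclosure day. Provider names are placeholders
# and the IoC values come from documentation-reserved ranges.
FEED_RECORDS = [
    ("feed_a", "203.0.113.10", 1),
    ("feed_a", "203.0.113.11", 2),
    ("feed_b", "203.0.113.10", 3),   # republishes feed_a's Day-1 indicator
    ("feed_a", "203.0.113.12", 5),
    ("feed_a", "203.0.113.13", 5),
    ("feed_a", "203.0.113.14", 5),
    ("feed_b", "loader.example", 5),
    ("feed_b", "c2.example", 5),
    ("feed_c", "203.0.113.12", 5),   # same day as feed_a, still a duplicate
    ("feed_c", "198.51.100.7", 6),
    ("feed_b", "203.0.113.11", 8),
    ("feed_c", "198.51.100.8", 8),
    ("feed_a", "drop.example", 11),
    ("feed_b", "203.0.113.13", 12),
]


def first_seen(records):
    """Earliest day each unique IoC appears in any feed (dedup across providers)."""
    seen = {}
    for _, ioc, day in records:
        if ioc not in seen or day < seen[ioc]:
            seen[ioc] = day
    return seen


def coverage_curve(records):
    """Cumulative percentage of unique IoCs known by each day, from Day 0 to the
    day the last one first appears (the paper's 'full coverage' endpoint)."""
    firsts = first_seen(records)
    total = len(firsts)
    horizon = max(firsts.values())
    curve = []
    known = 0
    for day in range(horizon + 1):
        known += sum(1 for d in firsts.values() if d == day)
        curve.append(round(100.0 * known / total, 1))
    return curve


def phases(curve):
    """Locate the burst (the single day with the largest coverage gain) and the
    day full coverage is reached; days before the burst are the slow phase,
    days after it are the tail."""
    gains = [curve[0]] + [curve[i] - curve[i - 1] for i in range(1, len(curve))]
    burst_day = max(range(len(gains)), key=gains.__getitem__)
    full_day = next(i for i, v in enumerate(curve) if v >= 100.0)
    return {"burst_day": burst_day, "burst_gain": gains[burst_day],
            "full_coverage_day": full_day}


def per_provider_coverage(records):
    """Share of the unique IoCs a defender would end up with from one feed alone."""
    total = len(first_seen(records))
    by_provider = defaultdict(set)
    for provider, ioc, _ in records:
        by_provider[provider].add(ioc)
    return {p: round(100.0 * len(s) / total, 1)
            for p, s in sorted(by_provider.items())}


if __name__ == "__main__":
    curve = coverage_curve(FEED_RECORDS)
    for day, pct in enumerate(curve):
        print(f"day {day:2d}: {pct:5.1f}% {'#' * int(pct // 10)}")
    print(phases(curve))
    print(per_provider_coverage(FEED_RECORDS))
```

On the constructed data the curve stays at 20% for Days 2 to 4, jumps to 70% on Day 5 and then creeps to 100% on Day 11, the slow-burst-tail shape the paper reports; no single placeholder feed exceeds 60% of the unique IoCs, which is the practical case for ingesting several providers and re-checking them well after the burst.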

Paper Structure

This paper contains 5 sections and 6 figures.

Figures (6)

  • Figure 1: IoC coverage (percentage of the 149 unique IoCs published) for CVE-2023-34362 over 75 successive days.
  • Figure 2: IoC coverage (percentage of the 23 unique IoCs published) for CVE-2022-35078 over 49 successive days.
  • Figure 3: IoC coverage (percentage of the 63 unique IoCs published) for CVE-2023-37470 over 55 successive days.
  • Figure 4: IoC coverage (percentage of the 16 unique IoCs published) for CVE-2023-21409 over 25 successive days.
  • Figure 5: IoC coverage (percentage of the 31 unique IoCs published) for CVE-2023-2868 over 24 successive days.
  • ...and 1 more figure