Hunting Observable Objects for Indication of Compromise

Shared Threat Intelligence is often imperfect. Especially so called Indicator of Compromise might not be well constructed. This might either be the case if the threat only appeared recently and recordings do not allow for construction of high quality Indicators or the threat is only observed by sharing partners lesser capable to model the threat. However, intrusion detection based on imperfect intelligence yields low quality results. Within this paper we illustrate how one is able to overcome these shortcomings in data quality and is able to achieve solid intrusion detection. This is done by assigning individual weights to observables listed in a STIX (TM) report to express their significance for detection. For evaluation, an automatized toolchain was developed to mimic the Threat Intelligence sharing ecosystem from initial detection over reporting, sharing, and determining compromise by STIXTM-formated data. Multiple strategies to detect and attribute a specific threat are compared using this data, leading up to an approach yielding a F1-Score of 0.79.