Investigating the Temporal Dynamics of Cyber Threat Intelligence
Angel Kodituwakku, Clark Xu, Daniel Rogers, David K. Ahn, Errin W. Fulp

TL;DR
This study analyzes the timing and patterns of IoC publication related to CVEs, revealing a recurring epidemic-like pattern that impacts cybersecurity defense strategies and emphasizes the need for continuous vigilance.
Contribution
It provides an in-depth analysis of the temporal dynamics of IoC publication for CVEs, filling a gap in understanding how IoCs evolve over time in cyber threat intelligence.
Findings
IoC publication rates follow an epidemic-like pattern over time.
Initial IoC publication is sparse after vulnerability disclosure.
There is a surge in IoC publications followed by a slower, prolonged phase.
Abstract
Indicators of Compromise (IoCs) play a crucial role in the rapid detection and mitigation of cyber threats. However, the existing body of literature lacks in-depth analytical studies on the temporal aspects of IoC publication, especially when considering up-to-date datasets related to Common Vulnerabilities and Exposures (CVEs). This paper addresses this gap by conducting an analysis of the timeliness and comprehensiveness of Cyber Threat Intelligence (CTI) pertaining to several recent CVEs. The insights derived from this study aim to enhance cybersecurity defense strategies, particularly when dealing with dynamic cyber threats that continually adapt their Tactics, Techniques, and Procedures (TTPs). Utilizing IoCs sourced from multiple providers, we scrutinize the IoC publication rate. Our analysis delves into how various factors, including the inherent nature of a threat, its…
