scoutPRIME - Enhancement to TIC Score Algorithm

Impacts Release 2022.R

Written by Benjamin Dewey

This announcement was written by
LookingGlass Cyber Solutions, VP of Engineering, Chris Wood.

LookingGlass Cyber is committed to providing the industry-leading global risk scoring model. scoutPRIME was built on the premise that, while cyber intelligence operators, analysts, and decision makers need detailed, traceable information, a simple scoring indicator that quickly assesses risk is essential as a triage mechanism.

LookingGlass Cyber designed the Threat Indicator of Compromise (TIC) - a comprehensive, multi-dimensional score that measures the likelihood that a network element has been compromised, is vulnerable to compromise, or is a likely target for future compromise. The TIC algorithm factors in network proximity, multi-source corroboration, impact of compromise, and time of observed compromise.

This powerful algorithm by design brings together multiple dimensions of analysis into a single score from 0-100. Factors include:

· Trustworthiness of the intelligence source

· Risk and presence of compromise

· Impact of compromise

· Class of compromise

· Network relationship to compromise

· Corroboration of observation

· Volume of compromises

· Time since observed compromise

To capture the time dimension, the score decreases as the time since the last observed threat increases. The rationale is that the longer the time since the observed compromise, the less likely it is that the impact persists. We describe this as scoring decay. TIC scores decrease until they are deemed no longer active; they are then kept for historical examination.

In order to provide the best possible scoring model, LookingGlass Cyber regularly solicits feedback, examines data-driven behavioral trends, and refines the weights in the algorithm. The scoring algorithm has advanced considerably since its introduction.

Recent factors have led us to conclude that the decay factor in scoring is unhelpful. First, decay runs the risk of prematurely indicating that a compromised element isn’t critical to review. Scoring is intended to alert the user of a potential danger that should be addressed. If, after a few days, the score drops from a critical to elevated level, the user might miss a needed review of the compromised element.

Second, scoutPRIME’s rich historical index of global searchable threat intelligence supersedes any value that might be gained from a constant TIC decay. Rather than gradually reducing the score to indicate that the compromise may no longer be present, the indicator can simply be moved from active to historical.

Third, the decay factor rests on a rather tenuous systemic assumption: that the time since we last saw the vulnerability or threat indicator has a direct bearing on the likelihood that the indicator is no longer present.

Finally, and perhaps most significantly, the decay element in many cases is masking the underlying severity of the indicator of compromise. Decay has suppressed many TIC scores across scoutPRIME’s global threat intelligence database.

For these reasons, LookingGlass Cyber will be removing TIC decay from scoutPRIME on Thursday, September 8th with release 2022.R.

What does this mean for you?

· Over the next few days following the release, you will observe TIC scores increase in the system. This is expected and indicates that decay is no longer masking the base scoring. For some elements, IPs in particular, you may find that TIC scores double.

If decay no longer reduces scores, how do scores reduce?

· When our global data collection apparatus no longer finds threats for 7 days or vulnerabilities for 30 days, the association is deemed historical and archived. This will lead to a reduction in TIC score.

What about elements that have no active threats?

· Elements with no active threats or risks are assigned a TIC score of 10. Why not 0? We assign a standard score of 10 to indicate that the absence of threat intelligence does not mean zero risk. These scores will not increase. They will continue to have a score of 10.
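As an added illustration (not LookingGlass code, and not the TIC algorithm itself, whose weighting is not published here), the following Python models only the rules this announcement states: no time decay, a threat association archived after 7 days without observation, a vulnerability association archived after 30 days, and a standard score of 10 for an element with nothing active. The per-association severity values, the max-of-severities aggregation, and treating exactly 7 or 30 elapsed days as the archival boundary are assumptions; the sample associations are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Activity windows stated in the announcement: an association becomes
# historical after 7 days without an observed threat, or 30 days without
# an observed vulnerability.
ACTIVE_WINDOW_DAYS = {"threat": 7, "vulnerability": 30}

# Standard score for an element with no active threats or risks.
BASELINE_SCORE = 10


@dataclass(frozen=True)
class Association:
    kind: str        # "threat" or "vulnerability"
    last_seen: date  # last day the collection apparatus observed it
    severity: int    # assumed: this association's contribution, 0-100


def is_active(assoc: Association, today: date) -> bool:
    """Active while fewer than the window's days have elapsed since the last
    observation. Treating exactly 7 (or 30) elapsed days as historical is an
    assumption; the announcement does not state the boundary."""
    elapsed = (today - assoc.last_seen).days
    return elapsed < ACTIVE_WINDOW_DAYS[assoc.kind]


def tic_score(assocs, today: date) -> int:
    """Score without time decay. Assumed aggregation: the highest severity
    among active associations, never below the baseline; an element with
    nothing active gets the baseline of 10."""
    active = [a for a in assocs if is_active(a, today)]
    if not active:
        return BASELINE_SCORE
    return max(BASELINE_SCORE, max(a.severity for a in active))


def score_on(assocs, iso_day: str) -> int:
    """Convenience wrapper taking an ISO date string such as '2022-09-10'."""
    return tic_score(assocs, date.fromisoformat(iso_day))


def score_timeline(assocs, start_iso: str, days: int) -> list:
    """Daily scores from the start date. With decay removed the score holds
    steady while an association is active and only steps down on the day an
    association is archived."""
    start = date.fromisoformat(start_iso)
    return [tic_score(assocs, start + timedelta(days=i)) for i in range(days)]


# Constructed sample data (not from the page): one threat and one
# vulnerability associated with the same element.
SAMPLE = [
    Association("threat", date(2022, 9, 8), 85),
    Association("vulnerability", date(2022, 9, 1), 60),
]

if __name__ == "__main__":
    for day in ("2022-09-10", "2022-09-16", "2022-10-02"):
        print(day, score_on(SAMPLE, day))
```

Run stand-alone, the sample element scores 85 while the threat is active, drops to the vulnerability's 60 once the threat is archived on the eighth day, and settles at the baseline 10 once the vulnerability is archived too; no intermediate decayed values appear.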

We’re grateful for the feedback you've provided to improve the accuracy of the TIC score. LookingGlass Cyber remains committed to providing you with the best industry-leading global TIC scoring model. Be on the lookout for improvements as we continue to refine our scoring model.

Our customer support group will follow up by email to provide additional information on the maintenance window and additional bug fixes or system updates.

For technical questions, please contact [email protected]. For anything else, respond directly to this email or reach out to our operations team at [email protected].

