Skip to main content

Adversary-Aware IOC Retention: Analyzing Time-to-Live Patterns by Threat Actor Attribution

It is well established that not all threat actors operate similarly.

Still, security teams continue to waste storage, processing, and opportunity costs on bloated threat intelligence feeds containing stale IOCs. Early research into this topic compared the price of retaining IOCs over a set time against the price of responding to an incident, while later research evolved to create decay models that reduce the relevance of an IOC over time.

Unfortunately, current decay models apply a uniform approach and do not account for individual threat actor Tactics, Techniques, and Procedures (TTPs).

After analyzing hundreds of IOCs across three unique Advanced Persistent Threats (APTs) from disparate regions, it can be confirmed that not only do threat actors cycle their IOCs at different rates, but those rates can be tracked. This paper introduces an enhanced decay model incorporating a threat actor variable that accounts for these differences in sophistication and hygiene. This optimized approach to IOC retention will lead to more accurate IOC prioritization, reducing processing and storage costs and time spent responding to false positives.

Download file

SANS-Adversary-Aware-IOC-Retention (PDF, 1.12MB)

23 Oct 2025
ByNathaniel Jakusz
Share
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Measuring Malware Obfuscation: Evaluating CNN- Based Detection for Real-World Resilience

Research Paper

This study examined how layered obfuscation affects image-based convolutional neural network (CNN) detectors and introduces a novel, reproducible framework for measuring obfuscation itself.

  • 19 Nov 2025

Scrutinizing A Web-Based LLM in Private Browsing Mode: An Analysis of Memory Artifacts and Privacy Implications

Research Paper

Using web-based LLMs such as ChatGPT has changed the web browsing landscape to become part of the typical everyday experience.

  • 7 Nov 2025

Breaking Time: Methods, Artifacts, and Forensic Detection of Timestomping on FAT32, Ext3, and Ext4 File Systems

Research Paper

This paper explores the diverse methods used to timestomp files on FAT, Ext3, and Ext4 file systems, focusing on how adversaries adapt their approaches based on available system access and permissions.

  • 23 Oct 2025

Breaking Through Deception: Addressing Barriers in the Adoption of Cyber Deception Technologies

Research Paper

Despite the increasing sophistication of cyber threats and the need for organizations to employ innovative defense strategies, cyber deception technologies, tools designed to mislead attackers and gain a defensive advantage, remain significantly underutilized across organizational cybersecurity programs.

  • 23 Oct 2025

Forensic Investigation of Bluetooth-Based Credit Card Skimmers

Research Paper

Hidden Bluetooth Low Energy (BLE) credit skimmers are a growing threat to credit card fraud. Criminals can set up practical and inexpensive systems built on top of modules, such as the HM-19, to collect and transmit stolen data covertly across wireless channels.

  • 3 Sep 2025

Catching the Hand in the Cookie Jar: Canary Session Cookies

Research Paper

This project demonstrates how even applications secured with MFA are still vulnerable to hijacked session cookies. Given the persistent threats posed to organizations by stolen authentication cookies, this research proposes implementing Canary session cookies to detect the theft and malicious use of credentials.

  • 17 Apr 2025

A Pebble In the Ocean: Maximizing Log Fidelity In Container Environments

Research Paper

Log fidelity is crucial for Incident Response Teams to investigate and contain cyber incidents but...

  • 17 Apr 2025

Beyond Detection: Using Real Phishing Data to Gauge Security Training Program Success

Research Paper

Identification of phishing emails can be cumbersome, accomplished by rule-based filters, machine...

  • 7 Jan 2025

Hunting the Hound of Hades: Kerberos Delegation Attacks, Detections and Defenses

Research Paper

When misconfigured, Kerberos delegation in an Active Directory environment can lead to complete...

  • 23 Dec 2024

Rapid Incident Response on macOS: Actionable Insights in Under an Hour

Research Paper

The increasing use of macOS in enterprises requires fast, effective incident response (IR)...

  • 5 Dec 2024

Cheap Malware Calls for Cheap Defense: Shellcode and Defense Tools on an SMB Security Budget

Research Paper

This research will examine the varieties of free and open-source tooling available for...

  • 16 Aug 2024

Cheap Malware Calls for Cheap Defense: Shellcode and Defense Tools on an SMB Security Budget

Research Paper

This research will examine the varieties of free and open-source tooling available for...

  • 16 Aug 2024

Finding Lateral Movement of Adversaries Through the Noise of Systems Administration

Research Paper

This paper aims to delve into the intricacies of distinguishing between routine administrative...

  • 14 Aug 2024
  • Brian Almond

You Can Run but You Cannot Hide (In Process Memory): Observing Process Injection with eBPF in Linux

Research Paper

Use of built-in capabilities for injecting malicious code as a persistence technique is used by...

  • 3 May 2024

Accelerating Incident Response: Applying Confidence Aggregation to Defensive Artifacts

Research Paper

Incident response plays an integral role in cybersecurity today. Despite the successes of the...

  • 19 Mar 2024

The Art of Network File Sharing Forensics and Data Recovery

Research Paper

Network file-sharing forensics is one of the challenging topics in Windows forensics as the user...

  • 12 Mar 2024

Exploring Infostealer Malware Techniques on Automotive Head Units

Research Paper

Automotive vehicles have become exponentially more computerized in the last decade, and automakers...

  • 1 Mar 2024

On The Hunt: The Retroactive and Proactive Hunt for CTI Indicators

Research Paper

Cyber threat intelligence (CTI) has many standards and models to define it. However, very few of...

  • 29 Feb 2024

Evaluating the Efficacy of Network Forensic Tools: A Comparative Analysis of Snort, Suricata, and Zeek in Addressing Cyber Vulnerabilities

Research Paper

In the landscape of cybersecurity threats, this research delves into the efficacy of network...

  • 14 Feb 2024

Decoding the Name Game: Evaluating the Impact of Threat Actor Naming Conventions on Cyber Threat Intelligence

Research Paper

In the ever-evolving world of defensive cyber operations, there is a growing inclination to...

  • 20 Dec 2023