npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
Indicator lifecycle management tracks IOCs from initial discovery through validation, enrichment, deployment, monitoring, and eventual retirement. This skill covers implementing systematic processes for IOC quality assessment, aging policies, confidence scoring decay, false positive tracking, hit-rate monitoring, and automated expiration to maintain a high-quality, actionable indicator database that minimizes analyst fatigue and maximizes detection efficacy.
When to Use
- When conducting security assessments that involve performing indicator lifecycle management
- When following incident response procedures for related security events
- When performing scheduled security testing or auditing activities
- When validating security controls through hands-on testing
Prerequisites
- Python 3.9+ with
pymisp,requests,stix2libraries - MISP or OpenCTI instance for indicator storage
- SIEM with IOC watchlist capabilities (Splunk, Elastic)
- Understanding of IOC types, confidence scoring, and TLP classifications
Key Concepts
Indicator Lifecycle Phases
- Discovery: IOC first identified from threat intelligence, malware analysis, or incident response
- Validation: IOC verified against enrichment sources (VirusTotal, Shodan)
- Enrichment: Additional context added (WHOIS, passive DNS, threat actor attribution)
- Deployment: IOC pushed to detection systems (SIEM, IDS, firewall)
- Monitoring: Track hit rates, false positive rates, detection efficacy
- Review: Periodic assessment of IOC relevance and accuracy
- Retirement: IOC expired or removed based on aging policy
Confidence Decay
Indicator confidence decreases over time as adversaries rotate infrastructure. A time-based decay function reduces confidence scores automatically, ensuring old indicators do not generate excessive alerts. Typical half-life: IP addresses (30 days), domains (90 days), file hashes (365 days).
Quality Metrics
- Hit Rate: Percentage of deployed IOCs generating true positive alerts
- False Positive Rate: Percentage of IOC alerts that are benign
- Coverage: Percentage of known threat techniques with IOC coverage
- Freshness: Average age of active indicators in the database
Workflow
Step 1: Implement IOC Lifecycle State Machine
from datetime import datetime, timedelta
from enum import Enum
class IOCState(Enum):
DISCOVERED = "discovered"
VALIDATED = "validated"
ENRICHED = "enriched"
DEPLOYED = "deployed"
MONITORING = "monitoring"
UNDER_REVIEW = "under_review"
RETIRED = "retired"
class IOCLifecycle:
def __init__(self, ioc_type, value, source, initial_confidence=50):
self.ioc_type = ioc_type
self.value = value
self.source = source
self.confidence = initial_confidence
self.state = IOCState.DISCOVERED
self.created = datetime.utcnow()
self.last_updated = datetime.utcnow()
self.last_seen = None
self.hit_count = 0
self.false_positive_count = 0
self.history = [{"state": "discovered", "timestamp": self.created.isoformat()}]
def transition(self, new_state: IOCState, reason=""):
self.state = new_state
self.last_updated = datetime.utcnow()
self.history.append({
"state": new_state.value,
"timestamp": self.last_updated.isoformat(),
"reason": reason,
})
def apply_decay(self):
"""Apply confidence decay based on IOC type half-life."""
half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60}
half_life = half_lives.get(self.ioc_type, 90)
age_days = (datetime.utcnow() - self.created).days
decay_factor = 0.5 ** (age_days / half_life)
self.confidence = max(0, int(self.confidence * decay_factor))
def record_hit(self, is_true_positive=True):
self.hit_count += 1
self.last_seen = datetime.utcnow()
if not is_true_positive:
self.false_positive_count += 1
if self.false_positive_count > 3:
self.transition(IOCState.UNDER_REVIEW, "Excessive false positives")
def should_retire(self):
max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
max_age = max_ages.get(self.ioc_type, 180)
age_days = (datetime.utcnow() - self.created).days
return age_days > max_age and self.hit_count == 0Validation Criteria
- IOC lifecycle state machine transitions correctly between phases
- Confidence decay reduces scores based on IOC type half-life
- Hit rate and false positive tracking functional
- Aging policy automatically flags indicators for review/retirement
- Quality metrics dashboard shows IOC database health
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.6 KB
API Reference — Performing Indicator Lifecycle Management
Libraries Used
- csv: Parse IOC feed CSV files
- re: Pattern matching for IOC extraction (IP, domain, hash, URL, email, CVE)
- pathlib: Read text reports for IOC extraction
CLI Interface
python agent.py extract --file threat_report.txt
python agent.py ingest --csv ioc_feed.csv
python agent.py expire --csv ioc_db.csv [--ttl 90]
python agent.py dedup --csv ioc_feed.csv
python agent.py report --csv ioc_db.csv [--ttl 90]Core Functions
extract_iocs(text_file) — Extract IOCs from unstructured text
Regex patterns for: IPv4, domain, MD5, SHA1, SHA256, URL, email, CVE.
ingest_ioc_feed(csv_file) — Normalize IOC feed data
Auto-detects IOC type if not specified. Normalizes column names across feed formats.
check_expiration(ioc_db_file, ttl_days) — Identify expired indicators
Compares first_seen date against TTL threshold (default 90 days).
deduplicate_iocs(csv_file) — Merge duplicate IOCs
Groups by indicator value, tracks source attribution and occurrence count.
generate_lifecycle_report(csv_file, ttl_days) — Full lifecycle status
Combines ingestion, deduplication, and expiration into single report.
IOC Pattern Types
| Type | Example |
|---|---|
| ipv4 | 192.168.1.1 |
| domain | evil.example.com |
| md5 | d41d8cd98f00b204e9800998ecf8427e |
| sha256 | e3b0c44298fc1c149afbf4c8996fb924... |
| url | https://malware.example.com/payload |
| cve | CVE-2024-12345 |
Dependencies
No external packages — Python standard library only.
standards.md1.1 KB
Standards and Frameworks Reference
Applicable Standards
- STIX 2.1: Structured Threat Information eXpression for CTI data representation
- TAXII 2.1: Transport protocol for sharing CTI over HTTPS
- MITRE ATT&CK: Adversary tactics, techniques, and procedures taxonomy
- Diamond Model: Intrusion analysis framework (Adversary, Capability, Infrastructure, Victim)
- Traffic Light Protocol (TLP): Information sharing classification (CLEAR, GREEN, AMBER, RED)
MITRE ATT&CK Relevance
- Technique mapping for threat actor behavior classification
- Data sources for detection capability assessment
- Mitigation strategies linked to specific techniques
Industry Frameworks
- NIST Cybersecurity Framework (CSF) 2.0 - Identify function
- ISO 27001:2022 - A.5.7 Threat Intelligence
- FIRST Standards - TLP, CSIRT, vulnerability coordination
References
workflows.md1.4 KB
Indicator Lifecycle Management Workflows
Workflow 1: Collection and Analysis
[Intelligence Sources] --> [Data Collection] --> [Analysis] --> [Reporting]
| | | |
v v v v
OSINT/HUMINT/SIGINT Normalize/Enrich Assess/Correlate DisseminateSteps:
- Planning: Define intelligence requirements and collection priorities
- Collection: Gather data from relevant sources
- Processing: Normalize data formats and filter noise
- Analysis: Apply analytical frameworks and correlate findings
- Production: Generate intelligence products and reports
- Dissemination: Share with stakeholders via appropriate channels
- Feedback: Collect consumer feedback to refine future collection
Workflow 2: Continuous Monitoring
[Watchlist] --> [Automated Monitoring] --> [Change Detection] --> [Alert/Update]Steps:
- Define Watchlist: Identify indicators, actors, and topics to monitor
- Configure Monitoring: Set up automated collection from relevant sources
- Change Detection: Identify new or changed intelligence
- Assessment: Evaluate significance of changes
- Alerting: Notify stakeholders of significant intelligence updates
- Archive: Store intelligence for historical analysis and trending
Scripts 2
agent.py6.4 KB
#!/usr/bin/env python3
"""Agent for performing indicator of compromise (IOC) lifecycle management."""
import json
import argparse
import csv
import re
from datetime import datetime
from pathlib import Path
IOC_PATTERNS = {
"ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
"domain": re.compile(r"\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b"),
"md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
"sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
"sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
"url": re.compile(r"https?://[^\s<>\"']+"),
"email": re.compile(r"\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b"),
"cve": re.compile(r"CVE-\d{4}-\d{4,}", re.I),
}
def extract_iocs(text_file):
"""Extract IOCs from a text file or report."""
text = Path(text_file).read_text(encoding="utf-8", errors="replace")
extracted = {}
for ioc_type, pattern in IOC_PATTERNS.items():
matches = list(set(pattern.findall(text)))
if matches:
extracted[ioc_type] = matches[:100]
total = sum(len(v) for v in extracted.values())
return {"source": text_file, "total_iocs": total, "by_type": {k: len(v) for k, v in extracted.items()}, "indicators": extracted}
def ingest_ioc_feed(csv_file):
"""Ingest IOC feed from CSV and normalize."""
with open(csv_file, "r", encoding="utf-8", errors="replace") as f:
reader = csv.DictReader(f)
rows = list(reader)
iocs = []
for row in rows:
indicator = row.get("indicator", row.get("ioc", row.get("value", row.get("Indicator", ""))))
ioc_type = row.get("type", row.get("ioc_type", row.get("Type", "")))
if not ioc_type:
for t, p in IOC_PATTERNS.items():
if p.fullmatch(indicator.strip()):
ioc_type = t
break
iocs.append({
"indicator": indicator.strip(),
"type": ioc_type,
"source": row.get("source", row.get("feed", "")),
"confidence": row.get("confidence", row.get("score", "")),
"first_seen": row.get("first_seen", row.get("date", "")),
"tags": row.get("tags", row.get("malware_family", "")),
})
return {"total_ingested": len(iocs), "by_type": _count_field(iocs, "type"), "iocs": iocs[:50]}
def check_expiration(ioc_db_file, ttl_days=90):
"""Check IOC database for expired indicators based on TTL."""
with open(ioc_db_file, "r", encoding="utf-8", errors="replace") as f:
reader = csv.DictReader(f)
rows = list(reader)
now = datetime.utcnow()
expired = []
active = []
for row in rows:
date_str = row.get("first_seen", row.get("date", row.get("added", "")))
try:
added = datetime.fromisoformat(date_str.replace("Z", "+00:00").replace("+00:00", ""))
except (ValueError, AttributeError):
active.append(row)
continue
age_days = (now - added).days
if age_days > ttl_days:
expired.append({**row, "age_days": age_days})
else:
active.append(row)
return {
"total": len(rows), "active": len(active), "expired": len(expired),
"ttl_days": ttl_days, "expired_indicators": expired[:30],
}
def deduplicate_iocs(csv_file):
"""Deduplicate IOCs and merge metadata from multiple sources."""
with open(csv_file, "r", encoding="utf-8", errors="replace") as f:
reader = csv.DictReader(f)
rows = list(reader)
seen = {}
for row in rows:
key = row.get("indicator", row.get("ioc", row.get("value", ""))).strip().lower()
if key in seen:
seen[key]["sources"].add(row.get("source", ""))
seen[key]["count"] += 1
else:
seen[key] = {"indicator": key, "type": row.get("type", ""), "sources": {row.get("source", "")}, "count": 1, "first_row": row}
unique = [{"indicator": v["indicator"], "type": v["type"], "sources": list(v["sources"]), "occurrences": v["count"]}
for v in seen.values()]
return {
"original_count": len(rows), "unique_count": len(unique),
"duplicates_removed": len(rows) - len(unique),
"multi_source": [u for u in unique if u["occurrences"] > 1][:20],
"unique_iocs": unique[:50],
}
def generate_lifecycle_report(csv_file, ttl_days=90):
"""Generate full IOC lifecycle status report."""
ingested = ingest_ioc_feed(csv_file)
expiration = check_expiration(csv_file, ttl_days)
dedup = deduplicate_iocs(csv_file)
return {
"generated": datetime.utcnow().isoformat(),
"total_iocs": ingested["total_ingested"],
"unique_iocs": dedup["unique_count"],
"duplicates": dedup["duplicates_removed"],
"active": expiration["active"],
"expired": expiration["expired"],
"by_type": ingested["by_type"],
"ttl_days": ttl_days,
}
def _count_field(items, field):
counts = {}
for item in items:
val = item.get(field, "unknown")
counts[val] = counts.get(val, 0) + 1
return counts
def main():
parser = argparse.ArgumentParser(description="IOC Lifecycle Management Agent")
sub = parser.add_subparsers(dest="command")
e = sub.add_parser("extract", help="Extract IOCs from text")
e.add_argument("--file", required=True)
i = sub.add_parser("ingest", help="Ingest IOC feed CSV")
i.add_argument("--csv", required=True)
x = sub.add_parser("expire", help="Check IOC expiration")
x.add_argument("--csv", required=True)
x.add_argument("--ttl", type=int, default=90, help="TTL in days")
d = sub.add_parser("dedup", help="Deduplicate IOCs")
d.add_argument("--csv", required=True)
r = sub.add_parser("report", help="Full lifecycle report")
r.add_argument("--csv", required=True)
r.add_argument("--ttl", type=int, default=90)
args = parser.parse_args()
if args.command == "extract":
result = extract_iocs(args.file)
elif args.command == "ingest":
result = ingest_ioc_feed(args.csv)
elif args.command == "expire":
result = check_expiration(args.csv, args.ttl)
elif args.command == "dedup":
result = deduplicate_iocs(args.csv)
elif args.command == "report":
result = generate_lifecycle_report(args.csv, args.ttl)
else:
parser.print_help()
return
print(json.dumps(result, indent=2, default=str))
if __name__ == "__main__":
main()
process.py4.4 KB
#!/usr/bin/env python3
"""
Indicator Lifecycle Management Script
Manages IOC lifecycle: discovery, validation, deployment, monitoring, retirement.
Requirements: pip install requests
Usage:
python process.py --import-iocs iocs.csv --output lifecycle_db.json
python process.py --decay --db lifecycle_db.json
python process.py --review --db lifecycle_db.json --output review_report.json
"""
import argparse
import csv
import json
import sys
from datetime import datetime, timedelta
class IOCLifecycleManager:
def __init__(self):
self.indicators = {}
def add_indicator(self, ioc_type, value, source, confidence=50):
key = f"{ioc_type}:{value}"
self.indicators[key] = {
"type": ioc_type, "value": value, "source": source,
"confidence": confidence, "state": "discovered",
"created": datetime.utcnow().isoformat(),
"last_updated": datetime.utcnow().isoformat(),
"hit_count": 0, "fp_count": 0, "last_seen": None,
}
def apply_decay(self):
half_lives = {"ip": 30, "domain": 90, "hash": 365, "url": 60, "email": 180}
for key, ioc in self.indicators.items():
if ioc["state"] == "retired":
continue
hl = half_lives.get(ioc["type"], 90)
age = (datetime.utcnow() - datetime.fromisoformat(ioc["created"])).days
decay = 0.5 ** (age / hl)
ioc["confidence"] = max(0, int(ioc["confidence"] * decay))
if ioc["confidence"] < 10:
ioc["state"] = "under_review"
def review_indicators(self):
review = {"retire": [], "keep": [], "boost": []}
for key, ioc in self.indicators.items():
age = (datetime.utcnow() - datetime.fromisoformat(ioc["created"])).days
max_ages = {"ip": 90, "domain": 180, "hash": 730, "url": 120}
max_age = max_ages.get(ioc["type"], 180)
if age > max_age and ioc["hit_count"] == 0:
review["retire"].append(key)
ioc["state"] = "retired"
elif ioc["fp_count"] > 3:
review["retire"].append(key)
ioc["state"] = "retired"
elif ioc["hit_count"] > 5:
review["boost"].append(key)
ioc["confidence"] = min(100, ioc["confidence"] + 10)
else:
review["keep"].append(key)
return review
def get_stats(self):
states = {}
for ioc in self.indicators.values():
states[ioc["state"]] = states.get(ioc["state"], 0) + 1
return {
"total": len(self.indicators),
"by_state": states,
"avg_confidence": (
sum(i["confidence"] for i in self.indicators.values()) / len(self.indicators)
if self.indicators else 0
),
}
def load(self, filepath):
with open(filepath) as f:
self.indicators = json.load(f)
def save(self, filepath):
with open(filepath, "w") as f:
json.dump(self.indicators, f, indent=2)
def main():
parser = argparse.ArgumentParser(description="IOC Lifecycle Manager")
parser.add_argument("--import-iocs", help="CSV file with IOCs")
parser.add_argument("--decay", action="store_true", help="Apply confidence decay")
parser.add_argument("--review", action="store_true", help="Review indicators")
parser.add_argument("--stats", action="store_true", help="Show statistics")
parser.add_argument("--db", default="lifecycle_db.json", help="Database file")
parser.add_argument("--output", default="lifecycle_report.json")
args = parser.parse_args()
mgr = IOCLifecycleManager()
try:
mgr.load(args.db)
except FileNotFoundError:
pass
if args.import_iocs:
with open(args.import_iocs) as f:
reader = csv.DictReader(f)
for row in reader:
mgr.add_indicator(
row.get("type", "ip"), row.get("value", ""),
row.get("source", "import"), int(row.get("confidence", 50)),
)
mgr.save(args.db)
if args.decay:
mgr.apply_decay()
mgr.save(args.db)
if args.review:
result = mgr.review_indicators()
mgr.save(args.db)
print(json.dumps(result, indent=2))
if args.stats:
print(json.dumps(mgr.get_stats(), indent=2))
if __name__ == "__main__":
main()