This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Jun 24, 2021
Cyber Threat Intelligence (CTI) operations are founded on the idea of being able to expand perspective to highlight likely adversary activity and artifacts related to such operations—commonly referred to as "pivoting." Yet while pivoting remains a central aspect of CTI tradecraft, the concept lacks a robust, agreed definition among practitioners and is often distilled to little more than intuition in many applications.
While this paper will not seek to completely "solve" the issue of a formal pivoting definition, by examining the nature and characteristics of Indicators of Compromise (IOCs) and even raw, unitary indicators, we can begin formulating a more robust approach to pivoting in practice. By viewing indicators as composite objects with various subcomponents, we arrive at a view where various pieces that make up the fundamental nature of the indicator can be used in various combinations to identify similarly-structured objects. More significantly, such patterns and combinations yield not just additional indicators through research and investigation, but they also shed light on fundamental adversary tendencies and behaviors.
This paper includes information surrounding: