CARIOCA: prioritizing the use of IoC by threats assessment shared on the MISP platform
Galantucci S.; Pirlo G.
2025-01-01
Abstract
As the use of information systems grows exponentially, every organization is exposed to cyber-attacks. To detect and mitigate the damage caused by such attacks, organizations need to share the information extracted from the analysis of known attacks. Intrusion detection systems (IDS) and intrusion prevention systems (IPS) use information on known threats to detect and prevent the re-execution of an attack. Given the large amount of information usually available for known attacks, restricting it to genuinely valuable information is necessary if protection systems are to work efficiently. One of the main challenges in cyber threat intelligence (CTI) is to filter relevant information and eliminate obsolete data; the recently published RFC 9424 emphasizes the need for systems that do so. In this work, a methodology named comprehensive assessment and rating of IoCs via CADE algorithm (CARIOCA) is proposed, which analyzes the data contained in a CTI platform to select the subset of indicators of compromise (IoCs) considered most relevant for protection systems. CARIOCA evaluates IoCs with a three-level scoring that considers source reliability, IoC freshness, and CTI report quality, the last computed with a new algorithm named category attribute density evaluation (CADE). Existing approaches select relevant IoCs by considering either the qualities of an IoC or the estimated reliability of the CTI source; by combining the three scores, CARIOCA assesses IoC relevance comprehensively. The results obtained in the experiments support CARIOCA's effectiveness in selecting the most relevant subset of IoCs for IDS/IPS.


