Auto expiration of C2 artifacts.

[pedramamini]

Consider for example the C2 IPs for WannaCry from https://www.lastline.com/blog/wannacry-ransomware/:

The Amazon IPs for example can be quick to recycle, resulting in a false positive opportunity. We want auto aging of C2 artifacts on the following passive attribute:

• [ ] Hard coded date or time delta.

The following are active measures, that we'll save for manual / net-assess:

• Custom check for existence of C2 endpoint.
• Generic check for change in OS or port fingerprint etc.
• Reverse DNS lookups (how many domains are hosted on this IP).
• Port scan baseline and change detection.

[pedramamini]

Let's simplify this. Drop "Expiration Type", rename "Expiration Timestamp" to "Expiration Date". Have a daily background job that runs and for all artifacts at or after the expiration date:

1. Change the state of that artifact to whatever the user has designated as the "Retired State".
2. Add a comment to the artifact stating that it was automatically expired.
3. Add an entry to the activity log (see screenshot below) stating that the artifact was automatically expired.