The Amazon IPs, for example, can be quick to recycle, resulting in a false positive opportunity. We want auto aging of C2 artifacts on the following passive attribute:
- [ ] Hard-coded date or time delta.
The following are active measures that we'll save for manual / net-assess:
- Custom check for existence of C2 endpoint.
- Generic check for change in OS or port fingerprint etc.
- Reverse DNS lookups (how many domains are hosted on this IP).
Let's simplify this. Drop "Expiration Type", rename "Expiration Timestamp" to "Expiration Date". Have a daily background job that runs and, for all artifacts at or after the expiration date:
- Change the state of that artifact to whatever the user has designated as the "Retired State".
- Add a comment to the artifact stating that it was automatically expired.
- Add an entry to the activity log (see screenshot below) stating that the artifact was automatically expired.
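The daily expiry sweep described in the comment above, as an added example that is not the project's own code. The `Artifact` model, the `retired_state` setting and the in-memory activity log are assumptions; the job skips artifacts with no expiration date and those already retired, so it stays safe to run every day.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed example, not the project's own code: a daily sweep that retires
# C2 artifacts whose "Expiration Date" is today or earlier.

@dataclass
class Artifact:
    value: str
    state: str
    expiration_date: Optional[date] = None  # None means the artifact never auto-expires
    comments: List[str] = field(default_factory=list)

def expire_artifacts(artifacts, today, retired_state, activity_log):
    """Retire every artifact at or after its expiration date.

    Returns the artifacts retired on this run. Artifacts with no expiration
    date, or already in the retired state, are left untouched (idempotent).
    """
    retired = []
    for a in artifacts:
        if a.expiration_date is None or a.expiration_date > today:
            continue
        if a.state == retired_state:
            continue
        previous = a.state
        a.state = retired_state
        a.comments.append(
            f"Automatically expired on {today.isoformat()} "
            f"(expiration date {a.expiration_date.isoformat()}, previous state: {previous})"
        )
        activity_log.append({"date": today.isoformat(), "artifact": a.value,
                             "action": "auto-expired", "from": previous, "to": retired_state})
        retired.append(a)
    return retired

def demo():
    """Run the sweep over constructed sample artifacts (documentation-range IPs)."""
    artifacts = [
        Artifact("198.51.100.7", "active", date(2020, 1, 10)),   # expires today
        Artifact("203.0.113.9", "active", date(2020, 1, 11)),    # expires tomorrow
        Artifact("c2.example.test", "active", None),             # never auto-expires
        Artifact("198.51.100.8", "retired", date(2019, 1, 1)),   # already retired
    ]
    log = []
    retired = expire_artifacts(artifacts, date(2020, 1, 10), "retired", log)
    return [a.value for a in retired], [a.state for a in artifacts], log

if __name__ == "__main__":
    print(demo())
```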
Consider for example the C2 IPs for WannaCry from https://www.lastline.com/blog/wannacry-ransomware/: