IC-Score overview

Applied Threat Intelligence in Google Security Operations SIEM assesses and labels indicators of compromise (IOCs) with an Indicator Confidence Score (IC-Score). The IC-Score aggregates the information from over 100 open source and Mandiant-proprietary intelligence sources into a single rating. Using machine learning, each source of intelligence is assigned a confidence based on the quality of the intelligence they provide, which is determined by human assessments and large-scale data-driven methods. IC-Score captures the probability that a given indicator is associated with malicious activity (a true positive). For more information on how an indicator is evaluated for IC-Score source, see IC-Score source descriptions.

The IC-Score represents the probability that the indicator is malicious, a true positive. To calculate the final probability of maliciousness, the machine learning model incorporates all information available about the indicator, weighted by the learned confidence for each source of information. Since there are only two possible outcomes, malicious or benign, all indicators start with a 50% probability of being either when no information is available. With each additional piece of information, that baseline score is pushed toward either a 0% probability of maliciousness (known benign) or a 100% probability of maliciousness (known malicious). Google Security Operations SIEM ingests indicators of compromise (IOC) curated by Applied Threat Intelligence with an IC-Score greater than 80. The following table describes the range of possible scores.

Score Interpretation
<= 40% Known benign or noise
> 40% and < 60% Indeterminate/unknown
>= 60% and < 80% Suspicious
>= 80% Known malicious

Indicator aging information

The IC-Score system incorporates new information, refreshes enrichment data, and deletes old information during the following scoring events.

  • A new observation of the indicator on one of our OSINT sources or proprietary Mandiant monitoring systems

  • Indicator-specific timeout periods for each source and enrichment

The timeout periods are determined by the last seen date of the indicator on the relevant source or enrichment. That is, breach analytics considers information to be stale and stops considering it as an active factor in calculating the score after a specified number of days when the indicator was last observed from a given source or when the information was updated by the enrichment service.Breach analytics stops considering timeout periods as an active factor in calculating the score.

The following table describes important timestamp attributes associated with an indicator.

Attribute Description
First seen The timestamp when an indicator was first observed from a given source.
Last seen The timestamp when an indicator was most recently observed from a given source.
Last updated The timestamp when an indicator's IC-Score or other metadata was most recently updated due to indicator aging, new observations, or other management processes.

IC-Score source description

The IC-Score explainers display why an indicator has a score that it does. The explainers show which categories of the system provided which confidence assessments about an indicator. To calculate the IC-Score, Applied Threat Analytics evaluates various proprietary and third-party sources. Each source category and specific source has a summarized count of returned malicious or benign verdict responses, along with an assessment of the source's data quality. The results are combined to determine the IC-Score. The following table provides detailed explanation of source categories.

Source Description
Botnet Monitoring The Botnet Monitoring category contains malicious verdicts from proprietary systems that monitor live botnet traffic, configurations, and command and control (C2) for indications of botnet infection.
Bulletproof Hosting The Bulletproof Hosting category contains sources that monitor registration and usage of bulletproof hosting infrastructure and services, which often provide services for illicit activities that are resilient to remediation or takedown efforts.
Crowdsourced Threat Analysis Crowdsourced Threat Analysis combines malicious verdicts from a wide variety of threat analysis services and vendors. Each responding service is treated as a unique response in this category with its own associated confidence.
FQDN Analysis The FQDN Analysis category contains malicious or benign verdicts from multiple systems that perform analysis of a domain, including the examination of a domain's IP resolution, registration, and whether the domain appears to be typosquatted.
GreyNoise Context The GreyNoise Context source provides a malicious or benign verdict based on data derived from GreyNoise Context service which examines contextual information about a given IP address, including ownership information and any benign or malicious activity observed by GreyNoise infrastructure.
GreyNoise RIOT The GreyNoise RIOT source assigns benign verdicts based on the GreyNoise RIOT service, which identifies known benign services that cause common false positives based on observations and metadata about the infrastructure and services. The service provides two levels of confidence in its benign designation, which we incorporate as separate appropriately weighted factors in our score.
Knowledge Graph The Mandiant Knowledge Graph contains Mandiant Intelligence assessments of indicators derived from analysis of cyber intrusions and other threat data. This source contributes both benign and malicious verdicts to the indicator score.
Malware Analysis The Malware Analysis category contains verdicts from multiple proprietary static and dynamic malware analysis systems, including Mandiant's MalwareGuard machine learning model.
MISP: Dynamic Cloud Hosting (DCH) Provider The MISP: Dynamic Cloud Hosting (DCH) Provider provides benign verdicts based on multiple MISP lists that define network infrastructure associated with cloud hosting providers, such as Google Cloud and Amazon AWS. Infrastructure associated with DCH providers can be reused by a number of entities which makes it less actionable.
MISP: Educational Institution The MISP: Education Institution category provides benign verdicts based on the MISP list of university domains from around the world. An indicator's presence on this list indicates a legitimate association with a university and suggests the indicator should be considered benign.
MISP: Internet Sinkhole The MISP: Internet Sinkhole category provides benign verdicts based on the MISP list of known sinkhole infrastructure. Since sinkholes are used to observe and contain previously malicious infrastructure, the appearance on known sinkhole lists reduces the indicator score.
MISP: Known VPN Hosting Provider The MISP: Known VPN Hosting Provider category provides benign verdicts based on multiple MISP lists identifying known VPN infrastructure, including the vpn-ipv4 and vpn-ipv6 lists. VPN infrastructure indicators are assigned a benign verdict due to the large number of users that are associated with these VPN services.
MISP: Other The MISP: Other category serves as a default category for newly added MISP lists or other one-off lists that don't naturally fit into more specific categories.
MISP: Popular Internet Infrastructure The MISP: Popular Internet Infrastructure category provides benign verdicts based on MISP lists for popular web services, email services, and CDN services. The indicators on these lists are associated with common web infrastructure and should be considered benign.
MISP: Popular Website The MISP: Popular Websites category provides benign verdicts based the popularity of a domain across multiple domain popularity lists, including Majestic 1 Million, Cisco Umbrella, and Tranco. Presence across multiple popularity lists increases the confidence the domain is benign.
MISP: Trusted Software The MISP: Trusted software category provides benign verdicts based MISP lists of file hashes that are known to be legitimate or otherwise cause false positives in threat intel feeds. Sources include MISP lists like nioc-filehash and common-ioc-false-positives.
Spam Monitoring Spam Monitoring contains proprietary sources that collect and monitor indicators related to identified spam and phishing activity.
Tor The Tor source assigns benign verdicts based on multiple sources that identify Tor infrastructure and Tor exit nodes. Tor node indicators are assigned a benign verdict due to the volume of users associated with a Tor node.
URL Analysis The URL Analysis category contains malicious or benign verdicts from multiple systems that perform analysis of a URL's content and hosted files