Decreasing Dwell Time - How Long Intruders Go Undetected
The evaluation of technical threat intelligence data is a nascent art. When evaluating indicator sources, many focus on counting the number of indicators the source has. The next step in evaluating indicator sources is usually based on the number of true-positive alerts generated by the IoCs compared to the number of false-positive alerts. This is a good method of determining how much time your analysts will spend evaluating useful alerts versus chasing non-useful ones.
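As an added illustration (not code from the original article), the following Python computes the true-positive/false-positive comparison described above per indicator source, along with the analyst hours consumed by false positives, from a constructed set of triaged alerts; the feed names, indicators and triage times are all made up.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Alert:
    source: str          # indicator feed whose IoC produced the match
    indicator: str       # the IoC that matched
    verdict: str         # analyst triage outcome: "tp" or "fp"
    triage_minutes: float  # analyst time spent deciding the verdict


# Constructed sample alerts (hypothetical feeds, IoCs and timings).
SAMPLE_ALERTS = [
    Alert("feed_a", "198.51.100.7", "tp", 45),
    Alert("feed_a", "bad-example.test", "tp", 30),
    Alert("feed_a", "203.0.113.9", "tp", 60),
    Alert("feed_a", "cdn-example.test", "fp", 10),
    Alert("feed_b", "192.0.2.44", "tp", 40),
    Alert("feed_b", "203.0.113.200", "fp", 15),
    Alert("feed_b", "mail-example.test", "fp", 20),
    Alert("feed_b", "198.51.100.99", "fp", 10),
    Alert("feed_b", "192.0.2.1", "fp", 15),
    Alert("feed_c", "update-example.test", "fp", 5),
    Alert("feed_c", "203.0.113.17", "fp", 5),
]


def evaluate_sources(alerts):
    """Per source: TP count, FP count, precision, and analyst hours lost to FPs."""
    acc = defaultdict(lambda: {"tp": 0, "fp": 0, "fp_minutes": 0.0})
    for a in alerts:
        if a.verdict not in ("tp", "fp"):
            raise ValueError(f"untriaged or unknown verdict: {a.verdict!r}")
        acc[a.source][a.verdict] += 1
        if a.verdict == "fp":
            acc[a.source]["fp_minutes"] += a.triage_minutes
    result = {}
    for src, s in acc.items():
        total = s["tp"] + s["fp"]
        result[src] = {
            "tp": s["tp"],
            "fp": s["fp"],
            "precision": s["tp"] / total if total else 0.0,
            "wasted_hours": s["fp_minutes"] / 60.0,
        }
    return result


def rank_sources(alerts):
    """Best feeds first: highest precision, then least analyst time wasted."""
    scored = evaluate_sources(alerts).items()
    return sorted(scored, key=lambda kv: (-kv[1]["precision"], kv[1]["wasted_hours"]))
```

Running `rank_sources(SAMPLE_ALERTS)` orders the constructed feeds `feed_a`, `feed_b`, `feed_c`, showing how a feed with a large indicator count can still rank last once the false-positive burden is measured.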
Figure 1: IoC Age