Formulating a Robust Pivoting Methodology

Cyber Threat Intelligence (CTI) operations are founded on the idea of being able to expand perspective to highlight likely adversary activity and artifacts related to such operations—commonly referred to as “pivoting.” Yet while pivoting remains a central aspect of CTI tradecraft, the concept lacks a robust, agreed definition among practitioners and is often distilled to little more than intuition in many applications.While this paper will not seek to completely “solve” the issue of a formal pivoting definition, by examining the nature and characteristics of Indicators of Compromise (IOCs) and even raw, unitary indicators, we can begin formulating a more robust approach to pivoting in practice. By viewing indicators as composite objects with various subcomponents, we arrive at a view where various pieces that make up the fundamental nature of the indicator can be used in various combinations to identify similarly-structured objects. More significantly, such patterns and combinations yield not just additional indicators through research and investigation, but they also shed light on fundamental adversary tendencies and behaviors.

This paper includes information surrounding:

• The practice of pivoting as a concept and a methodology
• The significance of Indicators of Compromise (IOCs)
• Indicators as composite objects
• Inferring adversary behaviors and uncovering attacker tendencies