Playing with an idea intended to feed into other attribution tools. Calculates the difficulty to deceive given an IOC type.

IOC type | Overall difficulty | Trivial (1) | Medium (2) | Hard (3) |
---|---|---|---|---|
IP | 2 | VPN hosting provider e.g. rentable IP space. Has many ports exposed | Bastion host with few ports exposed. Contained within a company which has few security functions/mechanisms | Bastion host within a secure organisation - no ports exposed externally, minimal externally facing services for same subnet |
Hash | 1 | Bit level change to modify hash | Code section modification/behaviour modification | Custom tool to emulate behaviour and tactics of another actor |
File path | 1 | Filename change / file path change within local system | File path change / sdb artifacts removed | Common tool that requires set install location. Widely signatured |

deception difficulty = ((level / overall difficulty) * 100)