Indicator expansion is a process of using one or more data sources to obtain more indicators of malicious activity by identifying those related to currently known indicators. Due to the many variables in how the process is carried out, it quickly becomes difficult to capture the process that leads to an expanded set of data. Keeping track of this process is important for description to other analysts. A compact description of the process is even necessary just for the analysts doing the work to keep track of their own process and which paths have been investigated, particularly in naming files.
This paper, presented at the IEEE/APWG eCrime Researcher Summit in 2013, proposes a method of succinctly capturing the process of indicator expansion in a deterministic yet flexible and extensible manner. The target audience is analysts and investigators engaged in indicator expansion or directly consuming results therefrom.