Overview
This page outlines how Traceable defines threat scoring for the different security event types and for threat actors.
Threat Scoring (Security Events)
Traceable provides four categories of events: Anomalous, Medium, High, and Critical. When a security event is detected, the "threat score" defined for that event's category is added to the threat actor's cumulative threat score.
By default, each category adds to a threat actor's threat score as follows:
- Anomaly - 1
- Medium - 2
- High - 3
- Critical - 10
The table below details the events and their categorizations:
| Threat Category: Anomalies (Low) | Threat Category: Malicious Activities (Medium) | Threat Category: Malicious Activities (High) | Threat Category: Malicious Activities (Critical) |
|---|---|---|---|
| Remote File Inclusion | Scanner Detection | HTTP Protocol Attacks | Java Log4j: JNDI and RCE DoS Exploitation |
| Session Fixation | Local File Inclusion | Remote Code Execution | Java Spring Core: RCE |
| Invalid Enumerations | Server Side Request Forgery (SSRF) | NodeJS Injection | |
| Value Out of Range | | Cross Site Scripting (XSS) | |
| Type Anomaly | | SQL Injection | |
| Unexpected User Agent | | Java Application Attacks | |
| Unexpected HTTP Response Code | | XML External Entity Injection (XXE) | |
| Content Type Anomaly | | Missing Field | |
| Content Size Anomaly | | Unrecognized Field (Malicious) | |
| Unrecognized Field | | Authorization Bypass | |
Each category can be customized to produce a score that fits an organization's threat model: in API Protection -> Threat Scoring you can change the amount that each category contributes to a threat actor's score.
Threat Actors
A threat actor is identified by a user ID, for example an email ID. If no user ID is available, the threat actor's IP address is displayed instead. Traceable assigns a threat severity of Low, Medium, High, or Critical to each threat actor based on the volume and category of the attacks it is conducting.
The thresholds for each severity can be customized in the same way as the threat scores for event types. For example, if you need to raise the point at which a threat actor is deemed Critical, the score required for a Critical actor could be adjusted to 99; the same flexibility applies to each severity level.
IP Reputation
Traceable can also take into account the reputation of a threat actor's IP address: if an attack comes from an actor whose IP address has a known bad reputation, the scoring impact of those attacks can be adjusted. Traceable provides four categories of IP reputation risk: low, medium, high, and critical.
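The following scoring model is added here as an illustration and is not Traceable's own code. It ties together the three mechanisms described above: per-category event weights (using the page's defaults), actor identification by user ID with IP fallback, configurable severity thresholds, and an IP-reputation adjustment. The threshold values and the multiplier-style reputation adjustment are assumptions, since the page specifies neither.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Per-category contributions with the page's defaults (Anomaly 1, Medium 2, High 3, Critical 10).
DEFAULT_CATEGORY_SCORES = {"Anomaly": 1, "Medium": 2, "High": 3, "Critical": 10}

# Event type -> category, a subset of the page's table.
EVENT_CATEGORY = {
    "Type Anomaly": "Anomaly",
    "Scanner Detection": "Medium",
    "SQL Injection": "High",
    "Java Log4j: JNDI and RCE DoS Exploitation": "Critical",
}

# ASSUMED values, not given on the page: the score at which each actor severity starts,
# and a multiplier applied to events from IPs with a given reputation risk.
DEFAULT_SEVERITY_THRESHOLDS = {"Low": 0, "Medium": 4, "High": 10, "Critical": 20}
IP_REPUTATION_MULTIPLIER = {"low": 1.0, "medium": 1.5, "high": 2.0, "critical": 3.0}

@dataclass
class SecurityEvent:
    event_type: str
    ip: str
    user_id: Optional[str] = None  # e.g. an email ID; None when not available
    ip_reputation: str = "low"     # constructed label for the source IP's reputation risk

class ThreatScorer:
    def __init__(self, category_scores=None, thresholds=None):
        self.category_scores = dict(category_scores or DEFAULT_CATEGORY_SCORES)
        self.thresholds = dict(thresholds or DEFAULT_SEVERITY_THRESHOLDS)
        self.scores = defaultdict(float)  # cumulative score per threat actor

    @staticmethod
    def actor_id(event):
        # Actors are keyed by user ID; the IP address stands in when no user ID is present.
        return event.user_id or event.ip

    def record(self, event):
        # Add the category's weight, scaled by the IP reputation adjustment, to the actor.
        base = self.category_scores[EVENT_CATEGORY[event.event_type]]
        contribution = base * IP_REPUTATION_MULTIPLIER[event.ip_reputation]
        self.scores[self.actor_id(event)] += contribution
        return contribution

    def severity(self, actor):
        # Highest severity whose starting score the actor's cumulative score has reached.
        score = self.scores[actor]
        reached = [name for name, start in self.thresholds.items() if score >= start]
        return max(reached, key=lambda name: self.thresholds[name])
```

Passing a custom `thresholds` dict (for example with `"Critical": 99`) or a custom `category_scores` dict reproduces the per-organization tuning the page describes.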