
Best Practices: Indicator Rating and Confidence

ThreatConnect enables users to assign a Threat Rating and Confidence to every single indicator... but what do those numbers really represent?  In order to enable your organization to make the best decisions, it's important to standardize on the connotation attached to these ratings.  When your analysts, defensive integrations, and leadership all speak the same language regarding indicator impact, you can make more timely and accurate decisions.


Indicator Rating and Confidence --> https://youtu.be/B-ZPaMcqozg

Understanding Threat Rating

ThreatConnect allows you to assign each indicator a Threat Rating, measured as 0-5 Skulls.  Within the scope of your organization, you can define the difference between a 1 Skull indicator and a 5 Skull indicator.  If you're having trouble making such decisions, or want your indicator ratings to match those across the ThreatConnect Cloud, it may be helpful to look at the Skull level definitions implemented by the ThreatConnect Intelligence Research Team:


  • Unknown (0 Skulls): There is not enough info to assess Threat Level.

    Example -- "I'm still working on the indicators in this Email's header; I don't know anything about that SMTP server yet."

  • Suspicious (1 Skull): There has been no confirmed malicious activity, but suspicious or questionable activity has been observed from an unknown threat.

    Example -- "I'm not sure why our users' laptops keep visiting this URL, but so far I can't see anything wrong with it."

  • Low Threat (2 Skulls): This indicator represents an unsophisticated adversary -- it may be purely opportunistic and ephemeral, or indicate pre-compromise activity.

    Example -- "We see scans on that port from IPs in that netblock all day."

  • Moderate Threat (3 Skulls): This indicator may represent a capable adversary -- their actions are moderately directed and determined, and the indicator corresponds to the delivery/exploitation/installation phase.

    Example -- "That file hash represents a document pretending to be a Corporate Memo specifically targeting our company's HR Department."

  • High Threat (4 Skulls): This indicator can be attributed to an advanced adversary, and represents that targeted and persistent activity has already taken place.

    Example -- "The callback address from that targeted 'Corporate Memo' masquerade is all over our access logs..."

  • Critical Threat (5 Skulls): This indicator represents a highly skilled and resourced adversary -- it should be reserved for those adversaries with unlimited capability and is critical at any phase of the intrusion.

    Example -- "Start ripping servers out of racks; we're bleeding customer data to that man-in-the-middle host!"

Using a standard Threat Rating will enable decision making across your organization, both at a human and machine level. If your Threat Intel analysts decide that an indicator is 5 Skulls, your Incident Response analysts can respond accordingly when it's discovered. The knowledge transfer of context surrounding indicators is essential to making sure you're putting your best foot forward.

Understanding Indicator Confidence

Of course, Threat Ratings only capture one dimension of context surrounding an indicator. Analysts rarely see such an attribution as a black and white problem. To address this, ThreatConnect allows you to model the confidence in your assessment as an integer between 0 and 100.


Analyst-Derived Confidence

Confidence can be set manually -- perhaps an analyst has only found the tip of the iceberg in C2 redirects, and isn't ready to commit to their assessment of that entry point. Likewise, your confidence in your Threat Rating assessment may vary based on the timeliness of the available data, or knowledge about your adversary's tactics and techniques.

ThreatConnect assigns ratings on the following scale to denote separate levels of confidence:

  • Confirmed (90-100)
    The assessment has been confirmed by other independent sources and/or through direct analysis. This assessment is logical and consistent with other information on the subject.
    Example -- "That executable is definitely dropping a known malware variant."
  • Probable (70-89)
    Though this assessment is not directly confirmed, it is logical and consistent with other information on the subject.
    Example -- "That URL has the same nonsensical 15-character path at the end as other known bad URLs, but is on another host."
  • Possible (50-69)
    The assessment is not confirmed, and is somewhat logical, but only agrees with some information on the subject.
    Example -- "That email address has the same username as the My Documents path when we reverse engineered this malware... but it's a pretty common name."
  • Doubtful (30-49)
    This assessment is possible, but not the most logical deduction, and cannot be corroborated or refuted by other information on the subject.
    Example -- "The scans came from an IP address rented from this VPS provider... we'll have to dig deeper to see if it's actually bad."
  • Improbable (2-29)
    This assessment is possible, but not the most logical deduction, and is directly refuted by other information on the subject.
    Example -- "The file calls back to a host which appears to have been taken down, maybe that C2 host has since been rotated."
  • Discredited (1)
    This assessment is confirmed to be inaccurate.
    Example -- "That's not malware, that's just a poorly-written PowerPoint presentation."
  • Unassessed (0)
    No confidence has been assigned to this indicator.

Automated Confidence

As time goes by, your analysis may be less relevant as indicators become stale. ThreatConnect can actually decay the confidence of indicators over time if they're not being touched. This allows you to "age out" indicators that you saw years ago... they may have been high Threat Rating at one point, but your ability to say that may decrease over time.

This rate of confidence deprecation is configurable within each Organization, Source, or Community. Every day that an indicator goes untouched, that indicator's confidence will deprecate by the configured amount. ThreatConnect can even delete the indicator if its confidence reaches zero.

Putting Threat Rating and Confidence to Work

Threat Rating and Confidence are great measures for two separate dimensions of an indicator's relevance. An adversary that aggressively rotates C2 infrastructure may result in a slew of 5 Skull, 0 Confidence indicators. A script kiddie launching attacks from his attributable hacker domain may result in a handful of 2 Skull, 100 Confidence indicators.

The important thing about Threat Rating and Confidence is that you use them to drive decision-making. By implementing the above best practices, you can begin to leverage the analysis that you've modeled in each indicator's respective ratings. You can write a TC Exchange application to extract all high-confidence 5 Skull indicators to initiate scans within your network. Alternatively, you could leverage an existing TC Exchange application written in conjunction with one of our partners to automatically block or alert on indicators that meet such parameters.
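The daily confidence decay described under Automated Confidence and the "high-confidence 5 Skull" extraction described above can be combined in one pass. The sketch below is an added example, not ThreatConnect code or a TC Exchange application: the `Indicator` record, the decay of a fixed number of points per untouched day, the threshold of 90 for "high-confidence", and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Confidence bands exactly as listed on this page: (lowest score, label).
BANDS = [(90, "Confirmed"), (70, "Probable"), (50, "Possible"), (30, "Doubtful"),
         (2, "Improbable"), (1, "Discredited"), (0, "Unassessed")]

@dataclass
class Indicator:           # hypothetical record, not a ThreatConnect SDK type
    value: str
    rating: int            # Threat Rating, 0-5 skulls
    confidence: int        # analyst-assigned confidence, 0-100
    last_touched: date     # last day an analyst modified the indicator

def band(confidence: int) -> str:
    """Return the page's label for a 0-100 confidence score."""
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence}")
    return next(label for floor, label in BANDS if confidence >= floor)

def decayed(ind: Indicator, today: date, per_day: int) -> int:
    """Confidence after losing per_day points per untouched day, floored at 0."""
    idle_days = max((today - ind.last_touched).days, 0)
    return max(ind.confidence - per_day * idle_days, 0)

def triage(indicators, today, per_day, min_rating=5, min_conf=90):
    """Split indicators into (actionable, retained, expired) by decayed confidence."""
    actionable, retained, expired = [], [], []
    for ind in indicators:
        conf = decayed(ind, today, per_day)
        if conf == 0 and ind.confidence > 0:
            # Assumption: only indicators that decayed to zero are aged out;
            # ones never assessed (confidence 0 from the start) are kept.
            expired.append(ind.value)
        elif ind.rating >= min_rating and conf >= min_conf:
            actionable.append((ind.value, conf, band(conf)))
        else:
            retained.append((ind.value, conf, band(conf)))
    return actionable, retained, expired

# Constructed sample data (documentation-reserved names and addresses).
TODAY = date(2015, 11, 23)
SAMPLE = [
    Indicator("c2.example.net", 5, 95, date(2015, 11, 20)),
    Indicator("198.51.100.7", 5, 95, date(2015, 10, 24)),
    Indicator("scanner.example.org", 2, 100, date(2015, 11, 22)),
    Indicator("203.0.113.9", 4, 20, date(2015, 9, 1)),
]

if __name__ == "__main__":
    for name, group in zip(("actionable", "retained", "expired"), triage(SAMPLE, TODAY, 1)):
        print(name, group)
```

With one point of decay per day, the two 5 Skull indicators that started at 95 diverge: the one touched three days ago stays in the Confirmed band and is selected, while the one left idle for 30 days has slipped to Possible and is held back from automated action.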

Standardizing on the meaning of Threat Rating and Confidence allows you to take action within the scope of your organization or contribute to the greater community.   You worked hard to find and triage all those indicators; now make them work for you!

For more information on ThreatConnect's Threat Rating and Confidence, please download our "Evilness Rating" tool here.


ABOUT THE AUTHOR

Drew Gidwani is the Director of Analytics at ThreatConnect. He drives the health and scale of ThreatConnect customers' threat intelligence operations by identifying and addressing problems at the strategic and tactical levels. Previously, Drew worked for the Department of Defense where he leveraged his varied analysis experiences to scale growing intelligence teams in the face of the ever-changing threats we face today. Drew holds a B.S. from Carnegie Mellon University and an M.S. from Johns Hopkins University. He currently resides in Virginia with his wife and fierce warrior dog named Gimli.