Threat scoring
This topic describes how Traceable gives you flexibility by letting you decide the custom scores you want to assign to specific types of anomalies and security events.
Threat scoring in Traceable comprises configuring a customized base score for detected anomalies, a score for each type of security event, and finally categorizing threat actors into different categories based on their score.
Anomalies are deviations from normal behavior. A deeper analysis of anomalies and well-known Common Vulnerabilities and Exposures (CVE) patterns leads to the detection of security events. Traceable detects users who carry out anomalous activities and marks them as monitored users. A user remains a monitored user until it carries out at least one attack. Once Traceable detects an attack from a user, the monitored user becomes a threat actor.
The following flow chart gives a high-level overview of threat scoring.

Scoring

The threat score page lets you configure scores for:
    Anomaly
    Security event
    Threat actor score

Anomaly score

You can configure a score for an anomaly. This score is the same for all types of detected anomalies. The default value is 1. You can set a value between 1 and 10. Every time a user generates an anomaly, its score increases by the configured value. For example, if you have configured the anomaly score as 2 for each anomaly and the user generates five anomalies, then the total score would be 2*5 = 10.

Security event score

Security events are categorized into three categories: high severity, medium severity, and low severity. You can customize the score for each event category between 1 and 10. The default values are:
    High severity - 3
    Medium severity - 2
    Low severity - 1
The table at the bottom of the page lists the different categories of high, medium, and low security events.
The security event score adds to the threat score of the threat actor. A threat actor may create security events on different APIs. APIs can be high, medium, or low risk. You can view the different categories of APIs with their risk score on the API Endpoints page. You can choose which types of security events add to the threat score of a threat actor. You can choose from the following:
    All events - Add the security event score of all the security events that the threat actor creates irrespective of the API (high, medium, or low risk).
    Events affecting high-risk APIs - Add only the security events that affect high-risk APIs. The advantage of this option is that it lets you focus on threats to your high-risk APIs.

Threat score threshold

The sum of the anomaly score and the security event score gives the threat actor score. The threat actor score graph displays the active threat actors in the last seven days. You can configure the thresholds for categorizing threat actors into the following four categories:
    Low - Default threat score between 0 and 10.
    Medium - Default threat score between 11 and 20.
    High - Default threat score between 21 and 75.
    Critical - Default threat score between 76 and 100.
You can move the slider in the graph to adjust the scores as per your requirement. For example, if you want the threat actor category to start from medium, you can move the first slider (from the left-hand side) to zero. This will categorize threat actors into medium, high, and critical categories.
Navigate to Administration > Threat Scoring page to configure the scores and Auto Blocking.
Custom threat score and auto blocking configuration
A change in the scoring applies to all the future security events and anomalies.

Auto blocking

The auto-blocking of threat actor option lets you configure whether you want to block a threat actor once its score has reached the critical level. Configuring auto-blocking is advantageous in the case of an ongoing attack on your API infrastructure. You can also choose to take no action. Auto-blocking depends on the critical score (configured from the Scoring tab) of the threat actor.

Blocking priority

In Traceable, a threat actor can be blocked by manually moving it to the deny or suspend list, by rate-limiting, or by auto-blocking. In case of a conflict, the following order of blocking preference is followed:
    Manual blocking (moving to deny or suspend list) - Highest priority
    Rate-limiting
    Auto-blocking - Lowest priority
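A worked model of the scoring, threshold, and blocking-priority rules described above, written as an added example rather than Traceable's own code. The function names, the `count_events` switch values, and the choice to treat any score above the last band as critical are assumptions; the defaults mirror the values stated on this page.

```python
from dataclasses import dataclass, field

# Page defaults: anomaly score 1, event scores 3/2/1, bands 0-10 / 11-20 / 21-75 / 76-100.
DEFAULT_EVENT_SCORES = {"high": 3, "medium": 2, "low": 1}
DEFAULT_THRESHOLDS = [("low", 10), ("medium", 20), ("high", 75), ("critical", 100)]


@dataclass
class ScoringConfig:
    anomaly_score: int = 1
    event_scores: dict = field(default_factory=lambda: dict(DEFAULT_EVENT_SCORES))
    count_events: str = "all"  # assumed switch: "all" or "high_risk_apis"
    thresholds: list = field(default_factory=lambda: list(DEFAULT_THRESHOLDS))
    auto_block: bool = True


def validate(cfg):
    # Every configurable score on the page is limited to the 1..10 range.
    for name, value in [("anomaly", cfg.anomaly_score), *cfg.event_scores.items()]:
        if not 1 <= value <= 10:
            raise ValueError(f"{name} score {value} is outside the allowed 1..10 range")


def threat_score(cfg, anomalies, events):
    """anomalies: number of anomalies; events: list of (severity, api_risk) tuples."""
    validate(cfg)
    score = cfg.anomaly_score * anomalies
    for severity, api_risk in events:
        # With the high-risk option, events on medium/low-risk APIs do not count.
        if cfg.count_events == "high_risk_apis" and api_risk != "high":
            continue
        score += cfg.event_scores[severity]
    return score


def category(cfg, score):
    # Bands are inclusive upper bounds; moving the first slider to 0 makes
    # every actor with a score of 1 or more at least "medium".
    for name, upper in cfg.thresholds:
        if score <= upper:
            return name
    return cfg.thresholds[-1][0]  # assumption: anything above the last band stays critical


def blocking_action(cfg, score, manual=None, rate_limited=False):
    """Resolve conflicts in the page's order: manual > rate-limit > auto-block."""
    if manual in ("deny", "suspend"):
        return manual
    if rate_limited:
        return "rate-limit"
    if cfg.auto_block and category(cfg, score) == "critical":
        return "auto-block"
    return "none"
```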

High, medium, and low category security events

The following table details all the security events in the high, medium, and low categories.

High category security events

Event Name
SQL Injection
Cross-Site Scripting
Protocol attack
Remote Code Execution
NodeJS Application attacks
Java Application attacks - Deserialization attacks
Unknown param (Type 2) - Mass assignment
Path Manipulation - Unknown Extension
Path Manipulation - Unknown Directory
Double Parameter
Required Field (Type 2)
XXE
BOLA

Medium category security events

Event Name
Local File Inclusion
SQL Data Leakage
SSRF - Unknown host bad reputation
Anomalous Content Type
Unexpected Content-Length
Anomalous Response Code (Type 2)
Anomalous Content-Length

Anomalies

Event Name
DoS Protection
Remote File Inclusion
Session Fixation
Unknown param (Type 1) - Mass assignment
Too long value (Layer 7 DoS) / Value out of range
Param type mismatch
Required Field (Type 1)
Unknown User Agent/ Unknown Device