Threat actors
  • 20 Jul 2022
  • 3 Minutes to read

Threat actors


Threats are a prominent actionable category within Traceable. Threats typically mean an ongoing attack that needs attention and resolution. Traceable analyzes malicious activity by authenticated or anonymous users to identify threats. This threat activity information is combined with the previous activity report into an attack timeline. 

In the Threats section of the platform, Traceable displays both the active threats and threats that have not been resolved or mitigated. Traceable assigns a threat severity of High, Medium, or Low to each threat based on the volume and other information about malicious activity. The Threats view is independent of the time window that you choose in the top menu bar. 

Traceable identifies the threats by the threat actor. A threat actor is identified by a user ID, for example, an email ID. If the user ID is not available, the IP address of the threat actor is displayed.

Note

Traceable does not display individual normal-users (a user who has not carried out any suspicious activity). Clusters of common user activities can be viewed in the User Behavior section of the UI. Users who have conducted at least one malicious activity are identified as a threat actor and displayed in the Treats section.


Threat detection

Traceable starts security event detection by observing the traffic flow through the APIs Endpoints to builds the API Specification and insights for each of the parameters. These insights about the traffic flow are a combination of the baseline for a parameter type, value and usage, such as patterns of request and response. Traceable, for example, observes the parameters within API endpoints, the traffic flow in authorized user sessions, the sequence of API calls, and so on. 

To identify threats, Traceable establishes a baseline. Traceable then detects any requests and responses where the parameters deviate from the established baseline. These deviations are identified as anomalies. These anomalies are further analyzed to identify if the anomalous activity is malicious. If it is an anomalous activity, a security event is raised. When Traceable detects anomalous behavior, it starts observing the user that triggered it. This user is now called a monitored user. Traceable closely monitors all further communication from this user.

Anomalies and security events have different severity levels based on multiple factors. Once the monitored user crosses a certain anomaly threshold level and displays some malicious behavior (security events are identified in their requests), they become a threat-actor. 

Navigate to the API Protection > Threat Actor section of the platform to view all the identified threats. By default, the platform displays the Active threats, the most recent active threat actors being at the top. You can also sort the threat list based on threat creation time or score by clicking on the Most Recent drop-down list. 


Threat actor mitigation

You can mitigate the threats by changing their state from the threat PROFILE page. The state that you select for the threat applies to it immediately. When you mitigate the threat by assigning it a specific status, the threat moves from the Active list or category to its new state. You can re-categorize the threat to a different state based on the new inputs that DefenseAI provides. If the threat is put into a Suspend or Deny state, any further activity by these actors will be blocked once the blocking policy propagates into Traceable modules (~15 seconds). 

Following is a short demo to show how to take action on a specific threat actor:


The following table defines each state.

Threat stateDescription
Active

The default state of the threat when it is reported by Traceable.

Monitored
A user that has not attacked the system, however, is being monitored for suspicious activities.
Allow

Move the threat to this state when want to allow access to the system irrespective of whether the actives by the actor are malicious or not.

Resolve

Move the threat to this state if you are confident that it is no longer a threat. This action resets Threat severity to 0. Traceable reports the threat actor again if it finds any malicious activity from it. In such a case the threat is listed in the Active list.

Snooze

Move the threat to this state if you want to allow the threat actor temporarily. You can choose snooze duration from a pre-defined time range, starting from 1-hour up to a week.

Suspend

Move the threat to this state if you want to temporarily deny access to the threat actor. You can choose the suspension duration from a pre-defined time range, starting from 1-hour up to a week.

Deny

Move the threat to this state if you want to completely block access for a threat actor. 

If the users on the suspend or deny list use additional IP addresses, those IP addresses are also blocked. Traceable internally maintains a list of such IP addresses as ACL (access control list) policy. All such users are blocked from future access until their suspension is revoked or they are removed from the deny list.


Was this article helpful?