- 22 Feb 2022
- 3 Minutes to read
-
Print
Configure threat score
- Updated on 22 Feb 2022
- 3 Minutes to read
-
Print
The topic describes how Traceable provides you flexibility by letting you decide custom scores that you want to give to a specific type of anomaly and security events.
Threat scoring in Traceable comprises configuring a customized base score for a detected anomaly, for the type of security event, and finally categorizing the threat actors in different categories based on their score.
Anomalies are deviations from normal behavior. A deeper analysis of anomalies and well-known Common Vulnerabilities and Exposures (CVE) patterns leads to security events detection. Traceable detects user who carries out anomalous activities and marks them as monitored users. A user remains a monitored user until it carries out at least one attack. Once Traceable detects an attack from a user, the monitored user becomes a threat actor.
The following flow chart gives a high-level overview of threat scoring.
Scoring
The threat score page lets you configure scores for:
- Anomaly
- Security event
- Threat actor score
Anomaly score
You can configure a score for an anomaly. This score is the same for all types of detected anomaly. The default value is 1. You can set a value between 1 and 10. Every time a user generates an anomaly, its score increases by the configured value. For example, if you have configured the anomaly score as 2 for each anomaly and the user generates five anomalies, then the total score would be 2*5 = 10.
Security event score
Security events are categorized into three different categories, high severity, medium severity, and low. You can customize the score for each event category between 1 and 10. The default values are:
- High severity - 3
- Medium severity - 2
- Low severity - 1
Note:
The table at the bottom of the page lists the different categories of high, medium, and low security events.
The security event score adds to the threat score of the threat actor. A threat actor may create security events on different APIs. APIs can be high, medium, or low risk. You can view the different categories of APIs with their risk score on the API Endpoints page. You can choose which types of security events add to the threat score of a threat actor. You can choose from the following:
- All events - Add the security event score of all the security events that the threat actor creates irrespective of the API (high, medium, or low risk).
- Events affecting high-risk APIs - You can choose the security events that affect only the high-risk APIs. The advantage of choosing this option that it lets your focus on threats on high-risk APIs.
Threat score threshold
The addition of anomaly score and security event score gives the threat actor score. The threat actor score graph displays the active threat actors in the last seven days. You can configure the threshold for categorizing the threat actors in the following four categories:
- Low - Default threat score between 0 and 10.
- Medium - Default threat score between 11 and 20.
- High - Default threat score between 21 -75
- Critical - Default threat score between 76 - 100
You can move the slider in the graph to adjust the scores as per your requirement. For example, if you want the threat actor category to start from medium, you can move the first slider (from the left-hand side) to zero. This will categorize threat actors into medium, high, and critical categories.
Navigate to Administration ()> Threat Scoring page to configure the scores and Auto Blocking.
Custom threat score and auto blocking configuration
Note:
A change in the scoring applies to all the future security events and anomalies.Auto blocking
The auto-blocking of threat actor option lets you configure if you would want to block a threat actor if its score has reached a critical level. Configuring auto-blocking is advantageous in the case of an ongoing attack on your API infrastructure. You can also choose to not take any action. Auto-blocking is dependent on the critical score (configured from the Scoring tab) of the threat-actor.
Blocking priority
In Traceable, a threat actor can be blocked by manually moving it to deny or suspend list, by rate-limiting, or auto-blocking. In case of a conflict, the following order of blocking preference is followed:
- Manual blocking (moving to deny or suspend list) - Highest priority
- Rate-limiting
- Auto-blocking - Lowest priority
High, medium, and low category security events
The following table details all the security events in the high, medium, and low categories.
High category security events
Event Name |
SQL Injection |
Cross-Site Scripting |
Protocol attack |
Remote Code Execution |
NodeJS Application attacks |
Java Application attacks - Deserialization attacks |
Unknow param (Type 2) - Mass assignment - |
Path Manipulation - Unknown Extension |
Path Manipulation - Unknown Directory |
Double Parameter |
Required Field (Type 2) |
XXE |
BOLA |
Medium category security event
Event Name |
Local File Inclusion |
SQL Data Leakage |
SSRF - Unknown host bad reputation |
Anomalous Content Type |
Unexpected Content-Length |
Anomalous Response Code (Type 2) |
Anomalous Content-Length |
Anomalous Content Type |
Anomalies
Event Name |
DoS Protection |
Remote File Inclusion |
Session Fixation |
Unknown param (Type 1) - Mass assignment |
Too long value (Layer 7 DoS) / Value out of range |
Param type mismatch |
Required Field (Type 1) |
Unknown User Agent/ Unknown Device |