Configure threat score
  • 02 Aug 2023

Article Summary

This topic describes how Traceable lets you assign custom scores to specific types of anomalies and security events. Threat scoring in Traceable comprises configuring a base score for detected anomalies, a score for each type of security event, and thresholds that place threat actors into categories based on their total score.

Anomalies are deviations from normal behavior. A more in-depth analysis of anomalies and well-known Common Vulnerabilities and Exposures (CVE) patterns leads to the detection of security events. Traceable detects users who carry out anomalous activities and marks them as monitored users. A user remains a monitored user until they carry out at least one attack. Once Traceable detects that a user has attempted an attack, the monitored user becomes a threat actor.

The following flow chart gives a high-level overview of threat scoring:


Scoring

The threat score page lets you configure scores for:

  • Anomaly
  • Security event
  • Threat actor score

Anomaly score

You can configure a score for an anomaly. This score is the same for all types of detected anomalies. The default value is 1. You can set a value between 1 and 10. Every time a user generates an anomaly, their score increases by the configured value. For example, if you have configured the anomaly score as 2 for each anomaly and the user generates five anomalies, then the total score would be 2*5 = 10.

Security event score

Security events are categorized into four severity categories: critical, high, medium, and low. You can customize the score for each event category between 1 and 10. The default values are:

  • Critical - 10
  • High - 3
  • Medium - 2
  • Low - 1

The table at the bottom of the page lists the different categories of critical, high, medium, and low security events. 

The security event score adds to the threat score of the threat actor. A threat actor may create security events on different APIs. APIs can be high, medium, or low risk. You can view the different categories of APIs with their risk score on the API Endpoints page. You can choose which types of security events add to the threat score of a threat actor. You can choose from the following:

  • All events - Add the security event score of all the security events that the threat actor creates irrespective of the API (critical, high, medium, or low risk).
  • Events affecting high-risk APIs - Only security events that affect high-risk APIs add to the score. The advantage of selecting this option is that it lets you focus on threats to high-risk APIs.

Downgrade severity

There can be cases where Traceable has detected an attack but the application itself has rejected the request with an error code. In such cases, you may not want the threat score to increase, because the application was robust enough to handle the attack. One criterion for identifying such cases is the response status code. You can configure an error status code regex in Traceable. When the error status code regex matches, you can choose to:

  • Ignore that request for scoring
  • Downgrade the severity by one step
  • Downgrade the severity by two steps

For example, if the current severity is critical and you downgrade by one step, then the new severity would be high. In such a case, the score configured for high severity would apply. Make sure to click the Save button for the changes to apply.

Increase scoring for IP addresses

Traceable keeps track of the reputation of individual IP addresses. You can view the IP reputation indicator by navigating to API Protection → Threat Actors. Click on any threat actor to view the IP reputation of that threat actor, as shown in the screenshot below:

You can increase the score of an IP address by configuring a value. For example, if you see that an IP address has an IP reputation that falls under Critical risk (refer to the screenshot above), then you may want to increase the score by 5 points, or by whatever value you consider appropriate (refer to the screenshot below). You can use this method to rapidly increase the threat score of a threat actor who is using an IP address whose reputation is already marked critical. If auto-blocking is configured, you can use this to block the threat actor sooner.


Threat score threshold

The sum of the anomaly score and the security event score gives the threat actor score. The threat actor score graph displays the active threat actors in the last seven days. You can configure the thresholds for categorizing threat actors into the following four categories:

  • Low - Default threat score between 0 and 10.
  • Medium - Default threat score between 11 and 20.
  • High - Default threat score between 21 and 75.
  • Critical - Default threat score between 76 and 100.

You can move the slider in the graph to adjust the scores as per your requirement. For example, if you want the threat actor category to start from medium, you can move the first slider (from the left-hand side) to zero. This will categorize threat actors into medium, high, and critical categories. 

Navigate to API Protection > Setting > Threat Scoring page to configure the scores and Auto Blocking.

Note:

A change in the scoring applies to all the future security events and anomalies.

Auto-blocking

Auto-blocking, as the name suggests, lets you block a user when their threat score has reached a critical level. Configuring auto-blocking is advantageous in the case of an ongoing attack on your API infrastructure. You can also choose not to take any action. Auto-blocking depends on the critical score (configured from the Scoring tab) of the threat actor.

Exclude users

Traceable provides you with an option to add a regular expression to exclude a set of users from auto-blocking. When the regular expression is added, users matching the expression are not blocked, regardless of their threat score. You can add one or more regular expressions to exclude users. In the screenshot below, all users of the domain traceable.ai or traceable.com whose username contains the word user followed by a number from 1 to 9 would not be blocked.
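The scoring rules from the Scoring, Downgrade severity, IP reputation and Threat score threshold sections, together with the auto-blocking exclusion above, as one added simulation (example code written for this page, not Traceable's implementation). The score and threshold values are the page's defaults; the error status code regex, the exclusion regex, the 5-point IP reputation bonus and the sample actor are constructed assumptions.

```python
import re
# Constructed configuration mirroring the Threat Scoring settings above: scores and
# thresholds are the page's defaults, the regexes and the IP reputation bonus are assumptions.
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
CONFIG = {
    "anomaly_score": 1,                                  # 1..10, same for every anomaly
    "event_scores": {"critical": 10, "high": 3, "medium": 2, "low": 1},
    "count_events": "all",                               # or "high_risk_apis"
    "error_status_regex": r"[45]\d\d",                   # responses the application rejected
    "on_error_match": 1,                                 # "ignore", 1 or 2 severity steps down
    "ip_reputation_bonus": {"critical": 5},
    "thresholds": [("low", 10), ("medium", 20), ("high", 75)],  # upper bounds, above is critical
    "exclude_user_regex": [r"^user[1-9]@traceable\.(ai|com)$"],
}

def event_score(ev, cfg):
    """Points one security event adds; ev has severity, api_risk and status."""
    if cfg["count_events"] == "high_risk_apis" and ev["api_risk"] != "high":
        return 0
    sev = ev["severity"]
    if re.fullmatch(cfg["error_status_regex"], str(ev["status"])):
        if cfg["on_error_match"] == "ignore":
            return 0
        # downgrade by the configured number of steps, never below low
        sev = SEVERITY_ORDER[max(0, SEVERITY_ORDER.index(sev) - cfg["on_error_match"])]
    return cfg["event_scores"][sev]

def threat_score(actor, cfg):
    """Anomaly score + security event scores + IP reputation bonus."""
    score = cfg["anomaly_score"] * actor["anomalies"]
    score += sum(event_score(ev, cfg) for ev in actor["events"])
    return score + cfg["ip_reputation_bonus"].get(actor["ip_reputation"], 0)

def category(score, cfg):
    """Map a score onto the low / medium / high / critical bands."""
    return next((name for name, upper in cfg["thresholds"] if score <= upper), "critical")

def should_auto_block(actor, cfg):
    """Block only critical actors whose user matches no exclusion regex."""
    if any(re.search(p, actor["user"]) for p in cfg["exclude_user_regex"]):
        return False
    return category(threat_score(actor, cfg), cfg) == "critical"

ACTOR = {  # constructed sample actor: five anomalies, three events, critical IP reputation
    "user": "mallory@example.net", "ip_reputation": "critical", "anomalies": 5,
    "events": [
        {"severity": "critical", "api_risk": "high", "status": 200},  # 10
        {"severity": "critical", "api_risk": "high", "status": 403},  # rejected, high -> 3
        {"severity": "high", "api_risk": "low", "status": 200},       # 3
    ],
}
```

With the defaults the sample actor scores 5 + 16 + 5 = 26, which lands in the high band, so auto-blocking does not trigger; switching to "Events affecting high-risk APIs" or to "Ignore that request for scoring" each drop the score to 23.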

IP address allowlist

Make a note of the following when you create custom policies. If you are going to create a Malicious source policy of the type IP range with the Allow action from Protection → Settings → Custom policy, then:

  • If you have other policies with an action to block requests, then the Allow action of Malicious source policy overrides and no request would be blocked.
  • If you have configured rate limiting, DLP, and enumeration policies with a block or alert action, then the Allow action of the Malicious source policy overrides them: no request would be blocked and no alert would be sent.

The above-mentioned Malicious source policy configuration has no effect on Custom signature policies. The out-of-the-box detections, that is, the detections enabled from Protection → Settings → Detection policy, would continue to happen. If you wish to exempt IP addresses from such detections, click the Exclusions tab to create an exclusion rule.


Critical, high, medium, and low category security events

The following table details all the security events in the critical, high, medium, and low categories. The events are grouped under two threat categories, Anomalies and Malicious Activities, and listed here by severity:

Low
  • Remote file inclusion
  • Session fixation
  • Invalid enumerations
  • Value out-of-range
  • Type anomaly
  • Content type anomaly
  • Content size anomaly
  • Unrecognized field
  • Missing field

Medium
  • Scanner detection
  • Local file inclusion
  • Server side request forgery
  • Cross site scripting (XSS)
  • SQL injection (SQLi)
  • Java application attacks
  • XML external entity injection (XXE)
  • Unrecognized field (malicious)
  • Authorization bypass

High
  • HTTP protocol attacks
  • Remote code execution
  • Node.js injection

Critical
  • Java Log4j: JNDI and RCE Dos exploitation
  • Java spring core: RCE


