Configure threat score
  • 23 Nov 2022

This topic describes how Traceable gives you the flexibility to assign custom scores to specific types of anomalies and security events. Threat scoring in Traceable comprises configuring a customized base score for a detected anomaly and for each type of security event, and finally categorizing threat actors based on their total score.

Anomalies are deviations from normal behavior. A deeper analysis of anomalies and well-known Common Vulnerabilities and Exposures (CVE) patterns leads to the detection of security events. Traceable detects users who carry out anomalous activities and marks them as monitored users. A user remains a monitored user until they carry out at least one attack. Once Traceable detects that a user has attempted an attack, the monitored user becomes a threat actor.

The following flow chart gives a high-level overview of threat scoring:


Scoring

The threat score page lets you configure scores for:

  • Anomaly
  • Security event
  • Threat actor score

Anomaly score

You can configure a score for an anomaly. This score is the same for all types of detected anomalies. The default value is 1. You can set a value between 1 and 10. Every time a user generates an anomaly, its score increases by the configured value. For example, if you have configured the anomaly score as 2 for each anomaly and the user generates five anomalies, then the total score would be 2*5 = 10.

Security event score

Security events are categorized into four severity levels: critical, high, medium, and low. You can customize the score for each event category between 1 and 10. The default values are:

  • Critical - 10
  • High - 3
  • Medium - 2
  • Low - 1

The table at the bottom of the page lists the different categories of critical, high, medium, and low security events. 


The security event score adds to the threat score of the threat actor. A threat actor may create security events on different APIs. APIs can be high, medium, or low risk. You can view the different categories of APIs with their risk score on the API Endpoints page. You can choose which types of security events add to the threat score of a threat actor. You can choose from the following:

  • All events - Adds the security event score of every security event the threat actor creates, irrespective of the risk of the API (critical, high, medium, or low risk).
  • Events affecting high-risk APIs - Counts only the security events that affect high-risk APIs. The advantage of this option is that it lets you focus on threats to high-risk APIs.

Downgrade severity

There can be cases where Traceable has detected an attack but the application itself rejected the request with an error code. In such cases, you may not want the threat score to increase, because the application was robust enough to handle the attack. One criterion for identifying such cases is the response code. You can configure a regex for the error status code in Traceable. When the response status code matches the regex, you can choose to:

  • Ignore that request for scoring
  • Downgrade the severity by one step
  • Downgrade the severity by two steps

For example, if the current severity is critical and you downgrade by one step, the new severity is high, and the score configured for high severity applies. Make sure to click the Save button for the changes to apply.

Increase scoring for IP addresses

Traceable keeps track of the reputation of individual IP addresses. You can view the reputation of an IP address by navigating to API Protection > Threat Actors. Click any threat actor to view the IP reputation of that threat actor, as shown in the screenshot below:

You can increase the score of the IP address by configuring a value. For example, if an IP address has a reputation that falls under Critical risk (see the screenshot above), you may want to increase the score by 5 points, or by any value you find appropriate (see the screenshot below). This rapidly increases the threat score of a threat actor that uses an IP address whose reputation is already marked critical. If auto-blocking is configured, this lets you block the threat actor sooner.


Threat score threshold

The sum of the anomaly score and the security event score gives the threat actor score. The threat actor score graph displays the active threat actors in the last seven days. You can configure the thresholds for categorizing the threat actors into the following four categories:

  • Low - Default threat score between 0 and 10.
  • Medium - Default threat score between 11 and 20.
  • High - Default threat score between 21 and 75.
  • Critical - Default threat score between 76 and 100.

You can move the sliders in the graph to adjust the thresholds to your requirements. For example, if you want the threat actor categories to start from medium, move the first slider (from the left-hand side) to zero. This categorizes threat actors into the medium, high, and critical categories only.
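The following Python model is added here as an illustration and is not Traceable's own code. It pulls together the knobs described in the Anomaly score, Security event score, Downgrade severity, Increase scoring for IP addresses and Threat score threshold sections: it scores a constructed set of events for one threat actor, applies the API-risk filter, the error-status-code regex with the ignore/downgrade choice and the IP-reputation bonus, then maps the total onto the configured categories. The data model, the 4xx/5xx regex and the sample events are assumptions; the default numbers are the ones stated on this page.

```python
"""Worked model of the threat-scoring knobs this page describes.

Added example, not Traceable's own code: the data model, the status-code regex
and the sample events below are constructed for illustration. The default
numbers (anomaly score, per-severity event scores, category thresholds) are the
ones the page states."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SEVERITIES = ["low", "medium", "high", "critical"]  # ordered, one "step" apart


@dataclass
class ScoringConfig:
    anomaly_score: int = 1                 # 1..10, same for every anomaly type
    event_scores: dict = field(default_factory=lambda: {
        "critical": 10, "high": 3, "medium": 2, "low": 1})
    only_high_risk_apis: bool = False      # "Events affecting high-risk APIs"
    # Assumed regex (the page leaves the pattern to you): any 4xx/5xx response.
    error_status_regex: Optional[str] = r"[45]\d\d"
    error_action: str = "downgrade_1"      # "ignore" | "downgrade_1" | "downgrade_2"
    ip_reputation_bonus: int = 5           # added once when the IP reputation is critical
    # (category, inclusive upper bound): the page's defaults, adjustable via the slider
    thresholds: List[tuple] = field(default_factory=lambda: [
        ("low", 10), ("medium", 20), ("high", 75), ("critical", 100)])


@dataclass
class Event:
    kind: str                  # "anomaly" or "security_event"
    severity: str = "low"      # security events only
    api_risk: str = "low"      # risk of the API endpoint hit: low / medium / high
    status_code: int = 200     # response code the application returned


def downgrade(severity: str, steps: int) -> str:
    """Lower a severity by `steps`, never below low (critical - 1 step -> high)."""
    return SEVERITIES[max(0, SEVERITIES.index(severity) - steps)]


def score_event(ev: Event, cfg: ScoringConfig) -> int:
    if ev.kind == "anomaly":
        return cfg.anomaly_score
    if cfg.only_high_risk_apis and ev.api_risk != "high":
        return 0                                   # filtered out by the API-risk option
    severity = ev.severity
    if cfg.error_status_regex and re.fullmatch(cfg.error_status_regex, str(ev.status_code)):
        # The application rejected the request itself: ignore it or downgrade it.
        if cfg.error_action == "ignore":
            return 0
        severity = downgrade(severity, 1 if cfg.error_action == "downgrade_1" else 2)
    return cfg.event_scores[severity]


def threat_score(events: List[Event], cfg: ScoringConfig,
                 ip_reputation_critical: bool = False) -> int:
    total = sum(score_event(e, cfg) for e in events)
    if ip_reputation_critical:
        total += cfg.ip_reputation_bonus
    return total


def categorize(score: int, cfg: ScoringConfig) -> str:
    """Map a score onto low/medium/high/critical using the configured upper bounds."""
    for name, upper in cfg.thresholds:
        if score <= upper:
            return name
    return cfg.thresholds[-1][0]               # anything above the last bound is critical


# Constructed sample activity for one threat actor.
SAMPLE_EVENTS = [Event("anomaly")] * 5 + [
    Event("security_event", "critical", api_risk="high", status_code=200),
    Event("security_event", "critical", api_risk="high", status_code=403),  # app rejected it
    Event("security_event", "medium", api_risk="low", status_code=200),
]

if __name__ == "__main__":
    cfg = ScoringConfig(anomaly_score=2)
    s = threat_score(SAMPLE_EVENTS, cfg)                  # 5*2 + 10 + 3 + 2 = 25
    print(s, categorize(s, cfg))                          # 25 high
    strict = ScoringConfig(anomaly_score=2, only_high_risk_apis=True, error_action="ignore")
    s2 = threat_score(SAMPLE_EVENTS, strict)              # 5*2 + 10 + 0 + 0 = 20
    print(s2, categorize(s2, strict))                     # 20 medium
```

Setting the low band's upper bound to 0 in `thresholds` reproduces the slider example: a score of 5 then lands in medium instead of low. Comparing `cfg` with `strict` shows how much the API-risk filter and the "ignore" choice for rejected requests change the same actor's category.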

Navigate to API Protection > Setting > Threat Scoring page to configure the scores and Auto Blocking.

Note:

A change in the scoring applies to all the future security events and anomalies.

Auto blocking

The auto-blocking option lets you configure whether to block a threat actor once its score reaches the critical level. Configuring auto-blocking is advantageous during an ongoing attack on your API infrastructure. You can also choose to take no action. Auto-blocking depends on the critical score threshold of the threat actor (configured from the Scoring tab).


Blocking or allowing priority

In Traceable, a threat actor can be blocked by manually moving it to the deny or suspend list, by rate limiting, or by auto-blocking. In case of a conflict, the rules are applied in the following order of preference, highest first:

Blocking or allowing priority                 | Description
----------------------------------------------|------------------------------------------------------------------------
IP address(s) allowed                         | Never block traffic from allowed IP address(s).
Threat actor(s) allowed                       | Never block traffic from any IP address(s) ever used by the threat actor.
Custom signature rule request allow           | Never block traffic if it matches a custom rule.
Custom signature rule request blocking        | Block an individual request if it matches a custom rule.
Signature-based (safe-crs) request blocking   | Block an individual request if it matches a signature rule.
All IP blocked except                         | Block all IP address(s) except the listed range of IP address(s).
IP blocked                                    | Block specific IP addresses or a range of IP addresses.
Threat actor blocked                          | Block IP address(s) ever used by the specific threat actor.
Region blocked all except                     | Block all regions except the ones listed.
Region blocked                                | Block specific regions.
Rate limiting blocking                        | Block if the rate limit is exceeded.
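The resolver below is an added example of how the precedence table above plays out, and is not Traceable's code: it walks the rules in the page's order and returns the first one that applies, so an allow entry higher in the list overrides any block entry below it. The rule names are the table's; the request and policy fields, the CIDR ranges and the sample policy are constructed, and an empty "all except" list is taken to mean that option is not configured.

```python
"""Resolver for the blocking/allowing precedence table above.

Added example, not Traceable's code: rule names follow the table, everything
else (request/policy shape, documentation-range IPs, sample policy) is
constructed. An empty "all except" list means that option is not configured."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Request:
    ip: str
    region: str = "US"
    matched_custom_rules: Set[str] = field(default_factory=set)  # custom signature rules hit
    matched_safe_crs: bool = False      # signature-based (safe-crs) rule hit
    rate_limit_exceeded: bool = False


@dataclass
class Policy:
    allowed_ips: List[str] = field(default_factory=list)            # CIDR strings
    allowed_actors: Set[str] = field(default_factory=set)
    actor_ips: Dict[str, Set[str]] = field(default_factory=dict)    # every IP an actor has used
    custom_allow_rules: Set[str] = field(default_factory=set)
    custom_block_rules: Set[str] = field(default_factory=set)
    ip_block_all_except: List[str] = field(default_factory=list)    # empty = not configured
    blocked_ips: List[str] = field(default_factory=list)
    blocked_actors: Set[str] = field(default_factory=set)
    region_block_all_except: Set[str] = field(default_factory=set)  # empty = not configured
    blocked_regions: Set[str] = field(default_factory=set)


def in_ranges(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def used_by_actors(ip: str, actors: Set[str], pol: Policy) -> bool:
    """True if `ip` is among the addresses ever used by any of `actors`."""
    return any(ip in pol.actor_ips.get(a, set()) for a in actors)


def resolve(req: Request, pol: Policy) -> Tuple[str, str]:
    """Return (decision, rule) for the first rule in precedence order that applies."""
    if in_ranges(req.ip, pol.allowed_ips):
        return "allow", "IP address(s) allowed"
    if used_by_actors(req.ip, pol.allowed_actors, pol):
        return "allow", "Threat actor(s) allowed"
    if req.matched_custom_rules & pol.custom_allow_rules:
        return "allow", "Custom signature rule request allow"
    if req.matched_custom_rules & pol.custom_block_rules:
        return "block", "Custom signature rule request blocking"
    if req.matched_safe_crs:
        return "block", "Signature-based (safe-crs) request blocking"
    if pol.ip_block_all_except and not in_ranges(req.ip, pol.ip_block_all_except):
        return "block", "All IP blocked except"
    if in_ranges(req.ip, pol.blocked_ips):
        return "block", "IP blocked"
    if used_by_actors(req.ip, pol.blocked_actors, pol):
        return "block", "Threat actor blocked"
    if pol.region_block_all_except and req.region not in pol.region_block_all_except:
        return "block", "Region blocked all except"
    if req.region in pol.blocked_regions:
        return "block", "Region blocked"
    if req.rate_limit_exceeded:
        return "block", "Rate limiting blocking"
    return "allow", "no rule matched"


# Constructed policy using documentation address ranges (RFC 5737).
SAMPLE_POLICY = Policy(
    allowed_ips=["10.0.0.0/8"],
    allowed_actors={"actor-trusted"},
    actor_ips={"actor-trusted": {"203.0.113.5"},
               "actor-bad": {"198.51.100.7", "192.0.2.44"}},
    custom_allow_rules={"allow-healthcheck"},
    custom_block_rules={"block-legacy-path"},
    blocked_ips=["198.51.100.0/24"],
    blocked_actors={"actor-bad"},
    blocked_regions={"ZZ"},
)

if __name__ == "__main__":
    # An allowed IP beats a signature hit and a rate-limit breach further down the list.
    print(resolve(Request("10.1.2.3", matched_safe_crs=True, rate_limit_exceeded=True), SAMPLE_POLICY))
    # This IP is both in a blocked range and used by a blocked actor: "IP blocked" comes first.
    print(resolve(Request("198.51.100.7"), SAMPLE_POLICY))
```

The two printed cases are the ones worth remembering when troubleshooting: an allowed IP or allowed threat actor is never blocked whatever else matches, and when several block rules apply, the one listed higher in the table is the one reported.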


Critical, high, medium, and low category security events

The following table lists all the security events in the critical, high, medium, and low categories. Traceable groups them into two threat categories, Anomalies and Malicious Activities.

Low                            | Medium                                | High                                  | Critical
-------------------------------|---------------------------------------|---------------------------------------|------------------------------------------
Remote file inclusion          | Scanner detection                     | HTTP protocol attacks                 | Java Log4j: JNDI and RCE DoS exploitation
Session fixation               | Local file inclusion                  | Remote code execution                 | Java Spring Core: RCE
Invalid enumerations           | Server side request forgery           | Node.js injection                     |
Value out-of-range             | Cross site scripting (XSS)            |                                       |
Type anomaly                   | SQL injection (SQLi)                  |                                       |
Content type anomaly           |                                       | Java application attacks              |
Content size anomaly           |                                       | XML external entity injection (XXE)   |
Unrecognized field             |                                       |                                       |
Missing field                  |                                       |                                       |
Unrecognized field (malicious) |                                       |                                       |
Authorization bypass           |                                       |                                       |


