Configure threat score
- Updated on 23 Nov 2022
- 5 Minutes to read
This topic describes how Traceable lets you decide the custom scores that you want to assign to a specific type of anomaly and security event. Threat scoring in Traceable consists of configuring a base score for a detected anomaly, a score for each type of security event, and finally categorizing threat actors into different categories based on their total score.
Anomalies are deviations from normal behavior. A deeper analysis of anomalies and well-known Common Vulnerabilities and Exposures (CVE) patterns leads to the detection of security events. Traceable detects users who carry out anomalous activities and marks them as monitored users. A user remains a monitored user until it carries out at least one attack. Once Traceable detects that a user has attempted an attack, the monitored user becomes a threat actor.
The following flow chart gives a high-level overview of threat scoring:
Scoring
The threat score page lets you configure scores for:
- Anomaly
- Security event
- Threat actor score
Anomaly score
You can configure a score for an anomaly. This score is the same for all types of detected anomaly. The default value is 1. You can set a value between 1 and 10. Every time a user generates an anomaly, its score increases by the configured value. For example, if you have configured the anomaly score as 2 for each anomaly and the user generates five anomalies, then the total score would be 2*5 = 10.
Security event score
Security events are categorized into four severity categories: critical, high, medium, and low. You can customize the score for each event category between 1 and 10. The default values are:
- Critical - 10
- High - 3
- Medium - 2
- Low - 1
The table at the bottom of the page lists the different categories of critical, high, medium, and low security events.
The security event score adds to the threat score of the threat actor. A threat actor may create security events on different APIs. APIs can be high, medium, or low risk. You can view the different categories of APIs with their risk score on the API Endpoints page. You can choose which types of security events add to the threat score of a threat actor. You can choose from the following:
- All events - Add the security event score of all the security events that the threat actor creates irrespective of the API (critical, high, medium, or low risk).
- Events affecting high-risk APIs - You can choose the security events that affect only the high-risk APIs. The advantage of choosing this option is that it lets you focus on threats of high-risk APIs.
Downgrade severity
There can be cases where Traceable has detected an attack, but the application itself has rejected the request with an error code. In such cases, you may not want the threat score to increase when the application is robust enough to handle the attack on its own. One criterion for identifying such cases is the response code. You can configure an error status code regex in Traceable. When the error status code regex matches, you have a choice to:
- Ignore that request for scoring
- Downgrade the severity by one step
- Downgrade the severity by two steps
For example, if the current severity is critical and you downgrade by one step, then the new severity would be high, and the score configured for high severity would apply. Make sure to click the Save button for the changes to apply.
Increase scoring for IP addresses
Traceable keeps track of the reputation of each individual IP address. You can view the reputation of an IP address by navigating to API Protection > Threat Actors. Click on any threat actor to view the IP reputation of that threat actor, as shown in the screenshot below:
You can increase the score of the IP address by configuring a value. For example, if you see that an IP address has an IP reputation that falls under Critical risk (refer to the screenshot above), then you may want to increase the score by 5 points, or by whatever value you feel is appropriate (refer to the screenshot below). You can use this method to rapidly increase the threat score of a threat actor that is using an IP address whose reputation is already marked critical. If auto-blocking is configured, this lets you block the threat actor sooner.
Threat score threshold
The sum of the anomaly score and the security event score gives the threat actor score. The threat actor score graph displays the active threat actors in the last seven days. You can configure the thresholds for categorizing threat actors into the following four categories:
- Low - Default threat score between 0 and 10.
- Medium - Default threat score between 11 and 20.
- High - Default threat score between 21 and 75.
- Critical - Default threat score between 76 and 100.
You can move the slider in the graph to adjust the scores as per your requirement. For example, if you want the threat actor category to start from medium, you can move the first slider (from the left-hand side) to zero. This will categorize threat actors into medium, high, and critical categories.
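The scoring model described in the Scoring, Downgrade severity, Increase scoring for IP addresses and Threat score threshold sections above, written out as a small Python simulation. This is an added example, not Traceable's own code; the class and function names, the treatment of the IP reputation bump as a flat addition, the use of the threshold sliders as the lowest score of the medium, high and critical categories, and the rule that a low-severity event cannot be downgraded further are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Severities in ascending order; "downgrade by one step" moves one index to the left.
SEVERITIES = ["low", "medium", "high", "critical"]


@dataclass
class ScoringConfig:
    """Mirror of the settings on the Threat Scoring page (names are assumptions)."""
    anomaly_score: int = 1                      # 1..10, same for every anomaly type
    event_scores: Dict[str, int] = field(
        default_factory=lambda: {"critical": 10, "high": 3, "medium": 2, "low": 1})
    count_events_for: str = "all"               # "all" or "high_risk_apis"
    error_status_regex: Optional[str] = None    # e.g. r"4\d\d"; None disables the downgrade rule
    error_status_action: str = "ignore"         # "ignore", "downgrade_1" or "downgrade_2"
    ip_reputation_bump: int = 0                 # points added when the actor's IP reputation is critical
    thresholds: Tuple[int, int, int] = (11, 21, 76)  # lowest score of medium, high, critical

    def __post_init__(self) -> None:
        # The UI restricts anomaly and event scores to 1..10; mirror that here.
        for name, value in [("anomaly", self.anomaly_score), *self.event_scores.items()]:
            if not 1 <= value <= 10:
                raise ValueError(f"{name} score {value} is outside 1..10")


@dataclass
class SecurityEvent:
    severity: str          # "critical", "high", "medium" or "low"
    api_risk: str          # risk category of the affected API: "high", "medium" or "low"
    response_status: int   # HTTP status the application returned


def effective_severity(event: SecurityEvent, cfg: ScoringConfig) -> Optional[str]:
    """Apply the downgrade-severity rule. Returns None when the event is ignored for scoring."""
    if cfg.error_status_regex and re.fullmatch(cfg.error_status_regex, str(event.response_status)):
        if cfg.error_status_action == "ignore":
            return None
        steps = 1 if cfg.error_status_action == "downgrade_1" else 2
        idx = SEVERITIES.index(event.severity)
        return SEVERITIES[max(0, idx - steps)]   # assumption: "low" cannot go lower
    return event.severity


def event_score(event: SecurityEvent, cfg: ScoringConfig) -> int:
    """Score contributed by one security event under the configured rules."""
    if cfg.count_events_for == "high_risk_apis" and event.api_risk != "high":
        return 0                                  # only events on high-risk APIs count
    severity = effective_severity(event, cfg)
    return 0 if severity is None else cfg.event_scores[severity]


def threat_actor_score(anomaly_count: int, events: List[SecurityEvent],
                       cfg: ScoringConfig, ip_reputation_critical: bool = False) -> int:
    """Anomaly score + security event score (+ optional IP reputation bump)."""
    score = anomaly_count * cfg.anomaly_score
    score += sum(event_score(e, cfg) for e in events)
    if ip_reputation_critical:
        score += cfg.ip_reputation_bump
    return score


def categorize(score: int, cfg: ScoringConfig) -> str:
    """Map a threat actor score onto low/medium/high/critical using the slider positions."""
    medium_min, high_min, critical_min = cfg.thresholds
    if score >= critical_min:
        return "critical"
    if score >= high_min:
        return "high"
    if score >= medium_min:
        return "medium"
    return "low"


# Constructed sample: anomaly score 2, 4xx responses downgrade one step, +5 for a critical IP.
CFG = ScoringConfig(anomaly_score=2, error_status_regex=r"4\d\d",
                    error_status_action="downgrade_1", ip_reputation_bump=5)
EVENTS = [
    SecurityEvent("critical", "high", 200),   # 10
    SecurityEvent("high", "low", 200),        # 3
    SecurityEvent("critical", "high", 403),   # application rejected it: downgraded to high -> 3
    SecurityEvent("low", "medium", 500),      # regex does not match 500 -> 1
]

if __name__ == "__main__":
    for ip_critical in (False, True):
        total = threat_actor_score(5, EVENTS, CFG, ip_reputation_critical=ip_critical)
        print(f"ip_critical={ip_critical}: score={total} category={categorize(total, CFG)}")
```

With five anomalies (5 * 2 = 10) the four events add 10 + 3 + 3 + 1, giving 27, or 32 once the IP reputation bump applies; both land in the high category with the default sliders. Moving the first slider to zero (thresholds `(0, 21, 76)`) makes every actor at least medium, which is the behaviour the section describes.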
Navigate to API Protection > Setting > Threat Scoring page to configure the scores and Auto Blocking.
Note: A change in the scoring applies to all future security events and anomalies.
Auto blocking
The auto-blocking of threat actor option lets you configure whether to block a threat actor once its score has reached the critical level. Configuring auto-blocking is advantageous in the case of an ongoing attack on your API infrastructure. You can also choose not to take any action. Auto-blocking depends on the critical score of the threat actor (configured from the Scoring tab).
Blocking or allowing priority
In Traceable, a threat actor can be blocked by manually moving it to the deny or suspend list, by rate limiting, or by auto-blocking. In case of a conflict, the rules are applied in the following order of preference, from highest to lowest:
Blocking or allowing priority | Description |
---|---|
IP address(s) allowed | Never block traffic from allowed IP address(s). |
Threat actor(s) allowed | Never block traffic from any IP address(s) ever used by the threat actor. |
Custom signature rule request allow | Never block traffic if matching a custom rule. |
Custom signature rule request blocking | Block individual request if it matches a custom rule. |
Signature-based (safe-crs) request blocking | Block individual request if matching a signature rule. |
All IP blocked except | Block all IP address(s) except the listed range of IP address(s). |
IP blocked | Block specific IP addresses or a range of IP addresses. |
Threat actor blocked | Block IP address(s) ever used by the specific threat actor. |
Region blocked all except | Block all regions except the ones listed. |
Region blocked | Block specific regions. |
Rate limiting blocking | Block if rate limit is exceeded. |
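The precedence table above, as an added example showing how a first-match evaluation in that order resolves conflicts (for instance, an allowed IP that also appears on a block list is still allowed). This is illustrative Python, not Traceable's implementation; the `Request` and `Policy` shapes, exact-IP matching instead of ranges, and the assumption that custom and signature rule matches are evaluated upstream and passed in as booleans are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Request:
    ip: str
    region: str
    matches_custom_allow: bool = False      # custom signature rule with an allow action matched
    matches_custom_block: bool = False      # custom signature rule with a block action matched
    matches_signature_block: bool = False   # built-in (safe-crs) signature matched
    rate_limit_exceeded: bool = False


@dataclass
class Policy:
    allowed_ips: Set[str] = field(default_factory=set)
    allowed_actors: Set[str] = field(default_factory=set)
    blocked_ips: Set[str] = field(default_factory=set)
    blocked_actors: Set[str] = field(default_factory=set)
    block_all_ips_except: Optional[Set[str]] = None        # None = rule not configured
    blocked_regions: Set[str] = field(default_factory=set)
    block_all_regions_except: Optional[Set[str]] = None    # None = rule not configured
    actor_ips: Dict[str, Set[str]] = field(default_factory=dict)  # actor -> IPs ever used

    def ips_of(self, actors: Set[str]) -> Set[str]:
        """Every IP address ever used by any of the given threat actors."""
        return set().union(*(self.actor_ips.get(a, set()) for a in actors))


def decide(req: Request, policy: Policy) -> Tuple[str, str]:
    """Return ("allow" | "block", rule name) for the first rule that matches, in table order."""
    rules = [
        ("IP address(s) allowed", "allow", req.ip in policy.allowed_ips),
        ("Threat actor(s) allowed", "allow", req.ip in policy.ips_of(policy.allowed_actors)),
        ("Custom signature rule request allow", "allow", req.matches_custom_allow),
        ("Custom signature rule request blocking", "block", req.matches_custom_block),
        ("Signature-based (safe-crs) request blocking", "block", req.matches_signature_block),
        ("All IP blocked except", "block",
         policy.block_all_ips_except is not None and req.ip not in policy.block_all_ips_except),
        ("IP blocked", "block", req.ip in policy.blocked_ips),
        ("Threat actor blocked", "block", req.ip in policy.ips_of(policy.blocked_actors)),
        ("Region blocked all except", "block",
         policy.block_all_regions_except is not None
         and req.region not in policy.block_all_regions_except),
        ("Region blocked", "block", req.region in policy.blocked_regions),
        ("Rate limiting blocking", "block", req.rate_limit_exceeded),
    ]
    for name, decision, matched in rules:
        if matched:
            return decision, name
    return "allow", "no rule matched"


# Constructed sample policy (documentation IP ranges, invented actor id).
POLICY = Policy(
    allowed_ips={"203.0.113.10"},
    blocked_ips={"203.0.113.10", "198.51.100.7"},   # 203.0.113.10 is on both lists
    blocked_actors={"actor-42"},
    actor_ips={"actor-42": {"192.0.2.5", "192.0.2.6"}},
    blocked_regions={"XX"},
)

if __name__ == "__main__":
    for req in (Request("203.0.113.10", "US"),
                Request("198.51.100.7", "US", matches_custom_allow=True),
                Request("192.0.2.6", "US"),
                Request("192.0.2.9", "US", rate_limit_exceeded=True)):
        print(req.ip, "->", decide(req, POLICY))
```

The ordering is what matters: an IP on the allowed list wins even though the same IP is on the blocked list, a custom allow rule overrides a blocked IP, and an IP that a blocked threat actor has used is blocked even though it is not on any IP list.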
Critical, high, medium, and low category security events
The following table details all the security events in the critical, high, medium, and low categories. The Low column holds the anomalies threat category; the Medium, High, and Critical columns hold the malicious activities threat category.
Low (Threat Category - Anomalies) | Medium (Threat Category - Malicious Activities) | High (Threat Category - Malicious Activities) | Critical (Threat Category - Malicious Activities) |
---|---|---|---|
Remote file inclusion | Scanner detection | HTTP protocol attacks | Java Log4j: JNDI and RCE DoS exploitation |
Session fixation | Local file inclusion | Remote code execution | Java Spring Core: RCE |
Invalid enumerations | Server side request forgery | Node.js injection | |
Value out-of-range | Cross site scripting (XSS) | | |
Type anomaly | SQL injection (SQLi) | | |
Content type anomaly | Java application attacks | | |
Content size anomaly | XML external entity injection (XXE) | | |
Unrecognized field | Missing field | | |
Unrecognized field (malicious) | | | |
Authorization bypass | | | |