Threat actor mitigation
  • 30 Nov 2021

This topic describes the actions you can take to mitigate identified threats.


You can mitigate the threats by changing their state from the threat PROFILE page. The state that you select for the threat applies to it immediately. When you mitigate the threat by assigning it a specific status, the threat moves from the Active list or category to its new state. You can re-categorize the threat to a different state based on the new inputs that DefenseAI provides. If the threat is put into a Suspend or Deny state, any further activity by these actors will be blocked once the blocking policy propagates into Traceable modules (~15 seconds).

Threat status

The following table defines each state.

Threat state | Description
-------------|------------------------------------------------------------
Active       | The default state of the threat when it is reported by Traceable.
Allow        | Move the threat to this state when you want to allow access to the system irrespective of whether the actor's activities are malicious or not.
Resolve      | Move the threat to this state if you are confident that it is no longer a threat. This action resets the threat severity to 0. Traceable reports the threat actor again if it finds any further malicious activity from it; in that case the threat is listed in the Active list again.
Snooze       | Move the threat to this state if you want to allow the threat actor temporarily. You can choose a snooze duration from a pre-defined time range, from 1 hour up to a week.
Suspend      | Move the threat to this state if you want to temporarily deny access to the threat actor. You can choose the suspension duration from a pre-defined time range, from 1 hour up to a week.
Deny         | Move the threat to this state if you want to completely block access for a threat actor.

If the users on the suspend or deny list use additional IP addresses, those IP addresses are also blocked. Traceable internally maintains a list of such IP addresses as an ACL (access control list) policy. All such users are blocked from future access until their suspension is revoked or they are removed from the deny list. For information on enabling blocking and creating IP address blocking rules, see WAF rules.
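The state table and the ACL paragraph above describe a small state machine: timed Snooze and Suspend windows, Resolve resetting severity and reverting to Active on new activity, and Suspend/Deny blocking every IP address associated with the actor after a short propagation delay. The following model is an added illustration, not Traceable's code or API; the class and function names, the assumption that a lapsed Snooze or Suspend window returns the actor to Active, and the sample actor and IP addresses are all constructed for this example.

```python
"""Illustrative model of threat-actor states and the block decision they produce.

Added example, not Traceable's implementation. Assumptions: a lapsed Snooze or
Suspend window returns the actor to Active; the ACL takes ~15 s to propagate.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "Active"
    ALLOW = "Allow"
    RESOLVE = "Resolve"
    SNOOZE = "Snooze"
    SUSPEND = "Suspend"
    DENY = "Deny"


# Snooze and Suspend windows are chosen from a range of 1 hour up to 1 week.
MIN_WINDOW = timedelta(hours=1)
MAX_WINDOW = timedelta(weeks=1)


@dataclass
class ThreatActor:
    actor_id: str
    severity: int
    ips: set = field(default_factory=set)
    state: State = State.ACTIVE
    expires_at: Optional[datetime] = None

    def set_state(self, new_state: State, now: datetime,
                  duration: Optional[timedelta] = None) -> None:
        """Apply a state chosen on the threat PROFILE page; it takes effect immediately."""
        if new_state in (State.SNOOZE, State.SUSPEND):
            if duration is None or not MIN_WINDOW <= duration <= MAX_WINDOW:
                raise ValueError("snooze/suspend duration must be between 1 hour and 1 week")
            self.expires_at = now + duration
        else:
            self.expires_at = None
        if new_state is State.RESOLVE:
            self.severity = 0          # Resolve resets threat severity to 0
        self.state = new_state

    def effective_state(self, now: datetime) -> State:
        # Assumption: a lapsed timed window falls back to Active.
        if self.expires_at is not None and now >= self.expires_at:
            return State.ACTIVE
        return self.state

    def report_malicious_activity(self, now: datetime, severity: int, ip: str) -> None:
        """New finding for this actor: record the IP; a Resolved actor is re-listed as Active."""
        self.ips.add(ip)
        if self.effective_state(now) is State.RESOLVE:
            self.state = State.ACTIVE
        self.severity = max(self.severity, severity)


class BlockingAcl:
    """Per-IP block list derived from actor states, with a propagation delay."""

    def __init__(self, propagation: timedelta = timedelta(seconds=15)):
        self.propagation = propagation
        self._effective_from: dict = {}   # ip -> time the block becomes effective

    def sync(self, actors, now: datetime) -> None:
        """Rebuild the ACL: every IP of a Suspended or Denied actor is blocked."""
        blocked = set()
        for actor in actors:
            if actor.effective_state(now) in (State.SUSPEND, State.DENY):
                blocked |= actor.ips
        for ip in blocked:
            self._effective_from.setdefault(ip, now + self.propagation)
        for ip in list(self._effective_from):
            if ip not in blocked:           # suspension lapsed or revoked
                del self._effective_from[ip]

    def is_blocked(self, ip: str, now: datetime) -> bool:
        effective = self._effective_from.get(ip)
        return effective is not None and now >= effective


def demo() -> dict:
    """Walk one actor through Suspend, a second IP, window expiry and Resolve."""
    now = datetime(2021, 11, 30, 12, 0, tzinfo=timezone.utc)
    actor = ThreatActor("actor-1", severity=70, ips={"198.51.100.7"})  # constructed sample
    acl = BlockingAcl()
    r = {}
    actor.set_state(State.SUSPEND, now, timedelta(hours=2))
    acl.sync([actor], now)
    r["blocked_immediately"] = acl.is_blocked("198.51.100.7", now)
    r["blocked_after_15s"] = acl.is_blocked("198.51.100.7", now + timedelta(seconds=15))
    # The suspended actor shows up from a second IP: it is blocked as well.
    actor.report_malicious_activity(now + timedelta(minutes=1), 40, "203.0.113.9")
    acl.sync([actor], now + timedelta(minutes=1))
    r["second_ip_blocked"] = acl.is_blocked("203.0.113.9", now + timedelta(minutes=2))
    later = now + timedelta(hours=3)          # the 2-hour suspension has lapsed
    acl.sync([actor], later)
    r["state_after_expiry"] = actor.effective_state(later).value
    r["blocked_after_expiry"] = acl.is_blocked("198.51.100.7", later)
    actor.set_state(State.RESOLVE, later)
    r["severity_after_resolve"] = actor.severity
    actor.report_malicious_activity(later + timedelta(hours=1), 55, "198.51.100.7")
    r["state_after_new_activity"] = actor.effective_state(later + timedelta(hours=1)).value
    r["severity_after_new_activity"] = actor.severity
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The propagation delay is modelled per IP so that a second address learned during a suspension gets its own ~15 s window; the sync step also drops entries for actors whose window has lapsed, which is the behaviour to confirm when testing that a temporary Suspend really lifts.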
