Best Practices: Indicator Threat and Confidence Ratings

Overview

In ThreatConnect^®, you can assign a Threat Rating and associated Confidence Rating to each Indicator. In order to enable your organization to make the best decisions when determining the threat an Indicator poses, it’s important to standardize the connotation attached to these ratings. Doing so ensures that your analysts, defensive integrations, and leadership all speak the same language regarding Indicator impact and allows your organization to make more timely and accurate decisions.

Threat Rating

Understanding Threat Rating

An Indicator’s Threat Rating is measured on a scale of 0–5 skulls (). Within your organization, you can create a scale that defines the difference between an Indicator whose Threat Rating is 1 skull and an Indicator whose Threat Rating is 5 skulls. The following is one such Threat Rating scale:

• Unknown (0 skulls): There is not enough information to assess the Indicator’s threat level.

  Example: “I’m still reviewing the Indicators in an email’s header and I don’t know anything about the SMTP server yet.”

• Suspicious (): There has been no confirmed malicious activity associated with the Indicator; however, there has been suspicious or questionable activity associated with the Indicator observed from an unknown threat.

  Example: “I’m not sure why our users’ laptops keep visiting this URL, but so far I can’t see anything wrong with it.”

• Low Threat ( ): The Indicator represents an unsophisticated adversary that may be purely opportunistic and ephemeral or indicate pre-compromise activity.

  Example: “We see scans on that port from IP addresses in that netblock all day.”

• Moderate Threat (): The Indicator represents a capable adversary whose actions are moderately directed and determined, and the Indicator corresponds to the delivery/exploitation/installation phase.

  Example: “That file hash represents a document pretending to be a corporate memo specifically targeting our company’s human resources department.”

• High Threat( ): The Indicator can be attributed to an advanced adversary and indicates that targeted and persistent activity has already taken place.

  Example: “The callback address from that targeted ‘corporate memo’ masquerade is all over our access logs….”

• Critical Threat (): The Indicator represents a highly skilled and resourced adversary. This Threat Rating should be reserved for Indicators from adversaries with unlimited capability and that are critical at any phase of the intrusion.

  Example: “Start ripping servers out of the racks; we’re bleeding customer data to that man-in-the-middle host!”

Using a standard Threat Rating scale will aid the decision-making process across your organization, both at a human and at a machine level. For example, if your threat intelligence analysts set an Indicator’s Threat Rating to 5 skulls, your incident response analysts can respond accordingly when the Indicator is discovered. This knowledge transfer of context surrounding Indicators is essential to ensuring that you are putting your best foot forward.

Factors to Consider When Setting Threat Ratings

When setting an Indicator’s Threat Rating, consider the following factors:

• the capability (i.e., skills and resources) of the adversary or threat the Indicator represents;
• the determination (i.e., focus and persistence) of the adversary or threat the Indicator represents;
• the progression (e.g., phase in the Cyber Kill Chain) of the event or incident the Indicator represents.

Table 1 illustrates how the Threat Rating scale described in the “Understanding Threat Rating” section incorporates these factors.

Confidence Rating

Understanding Confidence Rating

An Indicator’s Threat Rating captures only one dimension of context surrounding the Indicator. To address this deficiency, ThreatConnect allows you to model the confidence in your Threat Rating assessment as an integer between 0 and 100, inclusive.

Analyst-Derived Confidence

Confidence Ratings can be set manually. For example, perhaps you have found only the tip of the iceberg in C2 redirects and aren’t ready to commit to your assessment of that entry point. Likewise, your confidence in a Threat Rating assessment may vary based on the timeliness of the available data or knowledge about the adversary’s tactics and techniques.

ThreatConnect allows you to assign Confidence Ratings on the following scale to denote separate levels of confidence in your assessment of an Indicator and the Threat Rating assigned to it:

• Confirmed (90–100): The assessment has been confirmed by other independent sources or through direct analysis and is logical and consistent with other information on the subject.

  Example: “That executable is definitely dropping a known malware variant.”

• Probable (70–89): Though the assessment is not directly confirmed, it is logical and consistent with other information on the subject.

  Example: “That URL has the same nonsensical 15-character path at the end as other known bad URLs; however, it is on another host.”

• Possible (50–69): The assessment is not confirmed, and it is somewhat logical, but agrees with only some information on the subject.

  Example: “That email address has the same username as the My Documents path when we reverse engineered this malware, but it’s a fairly common name.”

• Doubtful (30–49): The assessment is possible, but not the most logical deduction. It also cannot be corroborated or refuted by other information on the subject.

  Example: “The scans came from an IP address rented from this VPS provider. We need to dig deeper to see if it’s actually bad.”

• Improbable (2–29): The assessment is possible, but not the most logical deduction. It is also directly refuted by other information on the subject.

  Example: “The file calls back to a host that appears to have been taken down. Perhaps that C2 host has since been rotated.”

• Discredited (1): The assessment is confirmed to be inaccurate.

  Example: “That’s not malware; that’s just a poorly written PowerPoint® presentation.”

• Unassessed (0): No Confidence Rating has been assigned to the Indicator.

Automated Confidence

As time goes by, your analysis of an Indicator may be less relevant as the Indicator becomes stale. ThreatConnect can deprecate the Confidence Rating for Indicators over time if they are not being updated, allowing you to “age out” Indicators that you saw years ago. This automation can be helpful when working with Indicators that may have been assigned a high Threat Rating at one point, but your confidence in that assessment has decreased over time.

You can configure the rate of confidence deprecation within each Organization, Community, or Source, as well as at the System level. As time passes and an Indicator goes untouched, its Confidence Rating will decrease by the configured amount. You can also configure certain actions to occur when the Confidence Rating for an Indicator reaches 0, such as setting its Indicator Status to inactive or deleting it.

Factors to Consider When Setting Confidence Ratings

When setting an Indicator’s Confidence Rating, consider the following factors:

• Has the Threat Rating assessment for the Indicator been confirmed by independent sources or firsthand analysis?
• Is the Threat Rating assessment for the Indicator plausible and logical? Taken by itself, does it make sense?
• Is the Threat Rating assessment for the Indicator corroborated by or consistent with other available information?

Table 2 illustrates how the Confidence Rating scale described in the “Understanding Confidence Rating” section incorporates these factors.

Putting It All Together

Threat Ratings and Confidence Ratings are great measures for two separate dimensions of an Indicator’s relevance. An adversary that aggressively rotates C2 infrastructure may result in a slew of Indicators with a Threat Rating of 5 skulls and Confidence Rating of 0, whereas a novice hacker launching attacks from his attributable hacker domain may result in a handful of Indicators with a Threat Rating of 2 skulls and Confidence Rating of 100.

By implementing the best practices outlined in this article, you can leverage the analysis modeled in each Indicator’s respective ratings to drive your organization’s decision-making process. For instance, you can write a TC Exchange™ application to extract all Indicators with a Threat Rating of 5 skulls and Confidence Rating of 70 or greater to initiate scans within your network. Alternatively, you could leverage an existing TC Exchange application written in conjunction with one of our partners to automatically block or alert on Indicators that meet such parameters.

Standardizing the meaning of Threat and Confidence Ratings allows you to take action within the scope of your organization or contribute to the greater community. You worked hard to find and triage all those Indicators; now make them work for you!

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
PowerPoint^® is a registered trademark of Microsoft Corporation.

20150-01 v.01.A