
Cyware Threat Intelligence eXchange

CTIX Confidence Score Engine

CTIX scores all the indicators by assigning them a number called the CTIX confidence score. The CTIX confidence score is a value between 0 and 100 assigned automatically to threat indicators and represents the confidence that the scoring engine has in that indicator being malicious. A confidence score of 100 suggests that the indicator is highly malicious while a score of 0 suggests it is safe.

Feature availability matrix

CTIX Enterprise | CTIX Lite | CTIX Spoke
Yes | Yes | Yes

Confidence Score Parameters

The confidence score is calculated by a weighted average combination of the four parameters namely Source Sightings, Relations, Enrichment Policy, and Source Confidence.

An individual score is calculated for each parameter and the overall confidence score is the combined weighted sum of these four scores. The weightage of every score depends on the significance of the parameter and the availability of data.

Source Sightings Score Calculation

Source sightings are the number of distinct sources (threat feed providers and the platform itself) that have reported the indicator. The more sources that report an indicator, the higher this score; the fewer that report it, the lower the score.

Source Sightings Score

Source sightings score is a number between 10-75 based on the number of unique sightings.

For example, if multiple sources report a particular indicator, then its source sightings score may be as high as 75 indicating a higher probability of it being malicious.

Relations Score Calculation

Relations in CTIX represent the STIX relationships between objects, linking multiple indicators and describing their interconnections. These relationships play a vital role in assessing the malicious nature of the indicators, and CTIX employs a relation score to facilitate this determination.

Relations Score

The Relations Score is calculated from the relations an indicator has with other threat data objects, such as malware, campaign, threat actor, and vulnerability. The contribution of each relation depends on the type of object it points to. When an indicator is associated with a report object, the calculation also considers the secondary relations between the indicator and the objects contained in that report. This lets the platform weigh how significant an indicator's relationships are when assessing its maliciousness.

For example, if an analyst investigates two indicators, one related to a malware object and one to a campaign object, and assigns the malware-related indicator a higher analyst score, the platform takes that assessment into account: when it computes the relations score, the malware-related indicator receives the higher score, reflecting the analyst's prioritization.

Enrichment Policy Score Calculation

CTIX enriches the threat data by removing false positives, deduplication, and adding contextual information. CTIX integrates with many third-party enrichment tools that provide invaluable data to enrich these indicators. This is a configurable parameter. You can configure an enrichment policy and define what you want to enrich using which tools. This data is then used to enhance the scoring system to provide an effective confidence score. The enrichment policy is configured for IP, URL, hash, and domain.

For information about configuring an enrichment policy, see Configure Enrichment Policy.

Enrichment Policy Score

The enrichment policy score is calculated based on the data received from the enrichment feed sources and a normalized value is assigned.

An indicator that has been enriched within the last 'x' days is not re-enriched. You can configure 'x' from Administration > Configuration > Enrich a previously enriched IOC again after; the default is seven days. Use this option to conserve the quota of your enrichment tools and prevent immediate duplicate enrichment.

For IP, domain, hash, and URL indicators, the age of the enrichment data affects the normalized score. Recent enrichment data raises the score; the older the data, the smaller the increase, as shown in the following table.

Time Period for Feeds | Change in Score
Less than 1 month | Increases by 25
1-2 months | Increases by 20
2-3 months | Increases by 15
3-5 months | Increases by 10
5-6 months | Increases by 5

For IP, domain, and URL indicators (not hashes), the score is reduced when the enrichment data is older than six months. The older the data, the less relevant it is and the larger the reduction.

Time Period for Feeds | Change in Score
6-8 months | Reduces by 5
8-10 months | Reduces by 10
10-12 months | Reduces by 25
12+ months | Reduces by 50
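As an added example (not Cyware's code), the following Python models the freshness adjustment from the two tables above. Its assumptions: a month is 30 days, each bucket is half-open at its upper bound (an enrichment exactly 1 month old falls in "1-2 months"), ages are given in days, and the delta is applied to a base enrichment score in the 0-75 range that Table 1 below uses for the Enrichment Policy Score; the page does not say how that base value is normalized, so it is a parameter here. The `should_reenrich` helper mirrors the seven-day re-enrichment setting.

```python
"""Enrichment freshness adjustment modelled on the two tables above.

Added example, not Cyware's code. Assumptions: one month is 30 days, buckets are
half-open on their upper bound, and the delta is applied to a base enrichment
score (0-75) that this page does not define.
"""

DAYS_PER_MONTH = 30                        # assumption: calendar months are not used
DECAYING_TYPES = {"ip", "domain", "url"}   # hash scores are not reduced past 6 months
ALL_TYPES = DECAYING_TYPES | {"hash"}      # the types an enrichment policy covers

# (upper bound in months, delta) while the enrichment data is under 6 months old
INCREASE_BUCKETS = [(1, 25), (2, 20), (3, 15), (5, 10), (6, 5)]
# (upper bound in months, delta) for IP/domain/URL data that is 6 months or older
DECREASE_BUCKETS = [(8, -5), (10, -10), (12, -25)]
OLDEST_DELTA = -50                          # 12+ months


def freshness_delta(indicator_type: str, age_days: int) -> int:
    """Score change for enrichment data that is age_days old."""
    kind = indicator_type.lower()
    if kind not in ALL_TYPES:
        raise ValueError(f"enrichment policy is only defined for {sorted(ALL_TYPES)}")
    if age_days < 0:
        raise ValueError("enrichment data dated in the future")
    age_months = age_days / DAYS_PER_MONTH
    for upper, delta in INCREASE_BUCKETS:
        if age_months < upper:
            return delta
    if kind not in DECAYING_TYPES:           # hashes keep their base score
        return 0
    for upper, delta in DECREASE_BUCKETS:
        if age_months < upper:
            return delta
    return OLDEST_DELTA


def enrichment_policy_score(base: int, indicator_type: str, age_days: int) -> int:
    """Base enrichment score plus the freshness delta, clamped to 0-75 (assumed range)."""
    if not 0 <= base <= 75:
        raise ValueError("base enrichment score must be 0-75")
    return max(0, min(75, base + freshness_delta(indicator_type, age_days)))


def should_reenrich(age_days: int, window_days: int = 7) -> bool:
    """Mirror 'Enrich a previously enriched IOC again after' (default seven days)."""
    return age_days >= window_days


if __name__ == "__main__":
    # Constructed sample ages: fresh IP, stale IP, stale hash, year-old URL.
    for kind, age in [("ip", 10), ("ip", 200), ("hash", 200), ("url", 400)]:
        print(kind, age, freshness_delta(kind, age), enrichment_policy_score(40, kind, age))
```

Note that a hash enriched 200 days ago keeps its base score, while an IP enriched on the same day loses 5 points; that asymmetry is stated on the page and is easy to miss when reading the tables alone.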

Source Confidence Score Calculation

CTIX receives threat feeds from many sources. These sources can be APIs, RSS feeds, STIX sources, email, and more. The trustworthiness of these sources is an important factor to determine the confidence level of the indicators. This is a configurable parameter. Using the new Confidence Score Engine, you can specify a value to indicate the trustworthiness of all your threat feed collection sources. This value is ultimately used to calculate the confidence score.

Source Confidence Score

The weighted source confidence is calculated based on the source weightage that you provide for all your feed sources. See Configure Source Scoring.

This source weightage is then multiplied with a normalized value that CTIX determines using standard business high and business low average values for all feed providers to arrive at a Source Confidence Score.

Overall CTIX Confidence Score Calculation

The system uses a weighted average of the four calculated scores, namely the relations score, enrichment policy score, source confidence score, and source sightings score, to arrive at the CTIX Confidence Score. Which scores are available for an indicator determines how they are combined, as shown in Table 1.

Table 1. Confidence Score Calculation Algorithm

Relations | Source Confidence | Enrichment | Source Sightings | Confidence Score
Does not exist | Does not exist | Does not exist | Exists | Source Sightings Score
Does not exist | Exists | Does not exist | Exists | Source Confidence Score
Exists | Does not exist | Does not exist | Exists | Relations Score
Exists | Exists | Does not exist | Exists | Relations Score (0-75) + 25% of Source Confidence Score
Does not exist | Does not exist | Exists | Does not exist | Enrichment Policy Score
Exists | Exists | Exists | Exists | First preference, when the enrichment policy score is available: Enrichment Policy Score (0-75) + Relations Score (25) / 3. Second preference, when the enrichment policy score is not available: Relations Score (75) + 25% of Source Confidence Score
Exists | Does not exist | Exists | Exists | Scenario 1, enrichment indicates malicious: first preference is Enrichment Policy Score + Increasing Factor; second preference, if relations exist, is 25 (Relations Score / 3). Scenario 2, enrichment indicates non-malicious: first preference is a score of 0; second preference, when a relations score exists, is a score of 75
Does not exist | Exists | Exists | Exists | Enrichment Policy Score (75) + 25% of Source Confidence Score



Exceptions and Considerations

The following factors affect the confidence score calculation:

  • Confidence score is not calculated for indicators in allowed lists. They are safe and hence have a confidence score of 0.

  • Confidence score is not calculated for deprecated indicators and they have a confidence score of 0.

  • Confidence score may be shown as 0 for some time and it will be updated as soon as the system finishes its confidence score calculation.

  • Confidence score is calculated twice.

    • Before enrichment: First time the score is calculated using the source sightings score, relations score, and source confidence score.

    • After enrichment: The confidence score is updated using the enrichment policy score. The enrichment policy score is dependent on external tools integrated with CTIX and it may take some time to calculate this score.

  • The daily quota defined for enrichment tools in CTIX is reset at 12 AM as per your CTIX local server time zone.

  • The enrichment tools enrich an indicator only once even if they are associated with multiple enrichment policies.

  • If multiple feed sources report a source confidence value for the same indicator and all of those reports are within the last 30 days, the highest value is picked. If any of the reports is older than 30 days, the most recently reported value is picked instead.

  • For sources such as RSS feeds that do not give out a source confidence score, the data from relations, sightings, or the enrichment policy is used to calculate the confidence score.

Indicator Scoring Range

The indicators are classified into the range of maliciousness based on the following scoring system.

Confidence Score Range | Classification
0-29 | Low
30-69 | Medium
70-100 | High
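As an added example (not Cyware's code), the following Python ties together the rules stated on this page: the 30-day selection among several source-reported confidence values, the Table 1 rows whose formula the page states, the fixed score of 0 for allowed-list and deprecated indicators, and the Low/Medium/High ranges. Assumptions: "25 % of Source Confidence Score" means 0.25 times the value; "Relations Score (25) / 3" is read as one third of a 0-75 relations score (at most 25); ages are given in days; and the Table 1 row that combines relations and enrichment without source confidence depends on an "Increasing Factor" the page does not define, so the code rejects that combination rather than guessing. The `SourceReport` and `Components` types are illustrative, not CTIX API objects.

```python
"""Combine per-parameter scores into a confidence score and classify it.

Added example, not Cyware's code. Implements the rules stated on this page with
the assumptions listed in the lead-in; the "Increasing Factor" row is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SourceReport:          # illustrative type, not a CTIX object
    source: str
    confidence: int          # 0-100, as reported by the feed
    age_days: int            # days since the feed reported it


def pick_source_confidence(reports: List[SourceReport], window_days: int = 30) -> Optional[int]:
    """Highest value if every report is within the window, otherwise the most recent one."""
    if not reports:
        return None
    if all(r.age_days <= window_days for r in reports):
        return max(r.confidence for r in reports)
    return min(reports, key=lambda r: r.age_days).confidence


@dataclass
class Components:            # illustrative type, not a CTIX object
    sightings: Optional[int] = None          # 10-75
    relations: Optional[int] = None          # 0-75
    source_confidence: Optional[int] = None  # 0-100
    enrichment: Optional[int] = None         # 0-75


def confidence_score(c: Components, allowed: bool = False, deprecated: bool = False) -> int:
    """Apply the Table 1 combination that matches the available scores."""
    if allowed or deprecated:                # never calculated, fixed at 0
        return 0
    r, s, e = c.relations, c.source_confidence, c.enrichment
    if e is not None:
        if r is not None and s is not None:
            score = e + min(r, 75) / 3       # enrichment (0-75) + relations/3 (at most 25)
        elif s is not None:
            score = e + 0.25 * s             # enrichment + 25 % of source confidence
        elif r is not None:
            raise ValueError("relations + enrichment without source confidence needs "
                             "an 'Increasing Factor' this page does not define")
        else:
            score = e                        # enrichment only
    elif r is not None:
        score = r + 0.25 * s if s is not None else r
    elif s is not None:
        score = s
    elif c.sightings is not None:
        score = c.sightings
    else:
        return 0                             # shown as 0 until a calculation has run
    return int(round(max(0, min(100, score))))


def classify(score: int) -> str:
    """Map a 0-100 confidence score to the Low/Medium/High ranges above."""
    if not 0 <= score <= 100:
        raise ValueError("confidence score is 0-100")
    if score <= 29:
        return "Low"
    if score <= 69:
        return "Medium"
    return "High"


if __name__ == "__main__":
    # Constructed sample: three feeds report the same IP; feed-a's report is stale.
    reports = [SourceReport("feed-a", 90, 40), SourceReport("feed-b", 60, 5),
               SourceReport("feed-c", 70, 12)]
    s = pick_source_confidence(reports)      # 60: the stale report forces the "latest" rule
    before = confidence_score(Components(sightings=40, relations=60, source_confidence=s))
    after = confidence_score(Components(sightings=40, relations=60, source_confidence=s, enrichment=60))
    print(s, before, classify(before), after, classify(after))
```

The sample shows the two-pass behaviour described under Exceptions and Considerations: the pre-enrichment score (relations + 25% of source confidence) is computed first, and the enrichment pass later replaces it with the enrichment-based combination. It also shows why the 30-day rule matters: one stale report with a value of 90 does not win on value; the freshest report decides instead.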