CTIX Confidence Score Engine
CTIX scores all the indicators by assigning them a number called the CTIX confidence score. The CTIX confidence score is a value between 0 and 100 assigned automatically to threat indicators and represents the confidence that the scoring engine has in that indicator being malicious. A confidence score of 100 suggests that the indicator is highly malicious while a score of 0 suggests it is safe.
Feature availability matrix
| CTIX Enterprise | CTIX Lite | CTIX Spoke |
|---|---|---|
| Yes | Yes | Yes |
Confidence Score Parameters
The confidence score is calculated as a weighted combination of four parameters: Source Sightings, Relations, Enrichment Policy, and Source Confidence.
An individual score is calculated for each parameter, and the overall confidence score is the weighted sum of these four scores. The weight of each score depends on the significance of the parameter and on the availability of data.
Source Sightings Score Calculation
Source sightings indicate the number of unique times an indicator is seen in the platform across different threat feed providers. The more often an indicator is seen, the higher this score; the less often it is seen, the lower this score.
Source Sightings Score
Source sightings score is a number between 10 and 75, based on the number of unique sightings.
For example, if multiple sources report a particular indicator, then its source sightings score may be as high as 75 indicating a higher probability of it being malicious.
Relations Score Calculation
Relations in CTIX represent the STIX relationships between objects, linking multiple indicators and describing their interconnections. These relationships play a vital role in assessing the malicious nature of the indicators, and CTIX employs a relation score to facilitate this determination.
Relations Score
The Relations Score is calculated by considering the diverse relations that an indicator can have with other threat data objects, such as malware, campaign, threat actor, vulnerability, and others. The score varies depending on the specific relation. Additionally, when an indicator is associated with a report object, the calculation of the relation score also considers the secondary relation between the indicator and the objects within the report. This scoring system aids in effectively determining the significance of the relationships and their potential impact on the platform's threat intelligence analysis.
For example, if an analyst evaluates two indicators associated with malware and a campaign, and assigns a higher analyst score to the malware-related indicator compared to the campaign-related one, the platform incorporates this analyst assessment. Consequently, when the platform computes the relations score for these indicators, it assigns a higher score to the malware-related indicator, reflecting the analyst's prioritization based on their investigations.
This scoring system assists in evaluating the significance and potential impact of the relationships between indicators and other threat data objects in the platform.
Enrichment Policy Score Calculation
CTIX enriches threat data by removing false positives, deduplicating, and adding contextual information. CTIX integrates with many third-party enrichment tools that provide invaluable data to enrich these indicators. This is a configurable parameter. You can configure an enrichment policy that defines what you want to enrich and with which tools. This data is then used to enhance the scoring system and provide an effective confidence score. The enrichment policy is configured for IP, URL, hash, and domain.
For information about configuring an enrichment policy, see Configure Enrichment Policy.
Enrichment Policy Score
The enrichment policy score is calculated based on the data received from the enrichment feed sources and a normalized value is assigned.
An indicator that was enriched within the last 'x' days is not re-enriched. You can configure 'x' from Administration > Configuration > Enrich a previously enriched IOC again after; the default value is seven days. Use this option to conserve the quota of your enrichment tools and prevent immediate duplicate enrichment.
For IP, domain, hash, and URL, the age of the received enrichment data affects the normalized score. If the data was received within 1-2 months, the enrichment is recent and the score is higher. If the received enrichment feeds are older, the score is lower.
| Time Period for Feeds | Change in Score |
|---|---|
| If the feeds are received in less than 1 month | The score increases by 25 |
| If the feeds are received in 1-2 months | The score increases by 20 |
| If the feeds are received in 2-3 months | The score increases by 15 |
| If the feeds are received in 3-5 months | The score increases by 10 |
| If the feeds are received in 5-6 months | The score increases by 5 |
For IP, domain, and URL, the score is decreased if the feeds are older than 6 months. The older the feeds, the less relevant they are and the more the score is reduced.
| Time Period for Feeds | Change in Score |
|---|---|
| If the feeds received are older than 6-8 months | The score reduces by 5 |
| If the feeds received are older than 8-10 months | The score reduces by 10 |
| If the feeds received are older than 10-12 months | The score reduces by 25 |
| If the feeds received are older than 12+ months | The score reduces by 50 |
Source Confidence Score Calculation
CTIX receives threat feeds from many sources. These sources can be APIs, RSS feeds, STIX sources, email, and more. The trustworthiness of these sources is an important factor to determine the confidence level of the indicators. This is a configurable parameter. Using the new Confidence Score Engine, you can specify a value to indicate the trustworthiness of all your threat feed collection sources. This value is ultimately used to calculate the confidence score.
Source Confidence Score
The weighted source confidence is calculated based on the source weightage that you provide for all your feed sources. See Configure Source Scoring.
This source weightage is then multiplied with a normalized value that CTIX determines using standard business high and business low average values for all feed providers to arrive at a Source Confidence Score.
Overall CTIX Confidence Score Calculation
The system uses a weighted average of the four calculated scores, namely the relations score, enrichment policy score, source confidence score, and source sightings score, to arrive at the CTIX Confidence Score.
| Relations | Source Confidence | Enrichment | Source Sightings | Confidence Score |
|---|---|---|---|---|
| Does not exist | Does not exist | Does not exist | Exists | Source Sightings Score |
| Does not exist | Exists | Does not exist | Exists | Source Confidence Score |
| Exists | Does not exist | Does not exist | Exists | Relations Score |
| Exists | Exists | Does not exist | Exists | Relations Score (0-75) + 25% of Source Confidence Score |
| Does not exist | Does not exist | Exists | Does not exist | Enrichment Policy Score |
| Exists | Exists | Exists | Exists | First preference, when the enrichment policy score is available: Enrichment Policy Score (0-75) + Relations Score (25) / 3. Second preference, when the enrichment policy score is not available: Relations Score (75) + 25% of Source Confidence Score |
| Exists | Does not exist | Exists | Exists | Scenario 1, when enrichment indicates malicious: first preference = Enrichment Policy Score + Increasing Factor; second preference, if relations exist = 25 (Relation Score / 3). Scenario 2, when enrichment indicates non-malicious: score is 0; second preference, when a relations score exists: score is 75 |
| Does not exist | Exists | Exists | Exists | Enrichment Policy Score (75) + 25% of Source Confidence Score |
Exceptions and Considerations
The following factors affect the confidence score calculation:
Confidence score is not calculated for indicators in allowed lists; they are considered safe and hence have a confidence score of 0.
Confidence score is not calculated for deprecated indicators; they have a confidence score of 0.
Confidence score may be shown as 0 for some time; it is updated as soon as the system finishes its confidence score calculation.
Confidence score is calculated twice.
Before enrichment: the score is first calculated using the source sightings score, relations score, and source confidence score.
After enrichment: The confidence score is updated using the enrichment policy score. The enrichment policy score is dependent on external tools integrated with CTIX and it may take some time to calculate this score.
The daily quota defined for enrichment tools in CTIX is reset at 12 AM as per your CTIX local server time zone.
The enrichment tools enrich an indicator only once, even if it is associated with multiple enrichment policies.
If a source confidence value is received from multiple feed sources for the same indicator, the highest one is picked if the duration is within 30 days. If any of the reported source confidence scores are not within the 30-day range, the latest source-reported confidence score value is picked to calculate the confidence score.
For sources such as RSS feeds that do not give out a source confidence score, the data from relations, sightings, or the enrichment policy is used to calculate the confidence score.
Indicator Scoring Range
The indicators are classified into the range of maliciousness based on the following scoring system.
| Confidence Score Range | Classification |
|---|---|
| 0-29 | Low |
| 30-69 | Medium |
| 70-100 | High |
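The following is an added worked example, not Cyware's code, that ties together the rules on this page: the enrichment recency tables, the overall combination decision table, the two-pass (before and after enrichment) calculation with its allowed-list and deprecated exceptions, and the Low/Medium/High bands. It assumes `None` stands for a parameter that "does not exist", the score ranges stated in the table (Relations and Enrichment Policy 0-75, Source Confidence 0-100), and half-open month boundaries; the row whose formula depends on the undefined "Increasing Factor" is deliberately left unmodelled.

```python
from typing import Optional
# Constructed example, not Cyware code. None models a parameter that "does not exist".
# Assumed ranges: Relations and Enrichment Policy 0-75, Source Confidence 0-100, Sightings 10-75;
# month ranges are taken as half-open, e.g. "1-2 months" means 1 <= age < 2.

def clamp(x: float) -> float:
    return max(0.0, min(100.0, x))

def enrichment_recency_delta(age_months: float, ioc_type: str) -> int:
    """Adjustment to the enrichment policy score by the age of the enrichment data."""
    for limit, delta in ((1, 25), (2, 20), (3, 15), (5, 10), (6, 5)):
        if age_months < limit:
            return delta
    if ioc_type == "hash":  # the age penalty is stated only for IP, domain and URL
        return 0
    for limit, delta in ((8, -5), (10, -10), (12, -25)):
        if age_months < limit:
            return delta
    return -50

def combined_confidence(sig: Optional[float], rel: Optional[float],
                        src: Optional[float], enr: Optional[float]) -> Optional[float]:
    """Combine the four parameter scores following the decision table."""
    has = (rel is not None, src is not None, enr is not None, sig is not None)
    if has == (False, False, False, True):
        return sig                        # sightings only
    if has == (False, True, False, True):
        return src                        # source confidence takes precedence over sightings
    if has == (True, False, False, True):
        return rel                        # relations take precedence over sightings
    if has == (True, True, False, True):
        return clamp(rel + 0.25 * src)    # relations (0-75) + 25% of source confidence
    if has == (False, False, True, False):
        return enr                        # enrichment only
    if has == (True, True, True, True):
        return clamp(enr + rel / 3)       # enrichment (0-75) + relations scaled to 0-25
    if has == (False, True, True, True):
        return clamp(enr + 0.25 * src)    # enrichment (0-75) + 25% of source confidence
    return None  # the remaining row uses an "Increasing Factor" the page does not define

def score_passes(sig, rel, src, enr, allowed=False, deprecated=False):
    """Two-pass calculation: before enrichment, then after the enrichment policy score arrives."""
    if allowed or deprecated:             # allowed-list and deprecated indicators stay at 0
        return 0.0, 0.0
    before = combined_confidence(sig, rel, src, None)
    after = combined_confidence(sig, rel, src, enr) if enr is not None else before
    return before, after

def classify(score: float) -> str:  # Low / Medium / High band from the scoring range table
    return "Low" if score < 30 else "Medium" if score < 70 else "High"
```

Note that the second pass can lower a score: with relations 50, source confidence 80 and an enrichment policy score of 45, the pre-enrichment value is 70 (High) and the post-enrichment value is about 61.7 (Medium).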