Automatic Scoring of Ingested Threat Indicators
Category: Cyware Product
Cyware Products Used:
Cyware Threat Intelligence eXchange (CTIX)
Problem Statement
Organizations continue to integrate threat intelligence feeds into their security architecture to accurately pinpoint threats to specific systems and help in focusing more on improved threat detection capabilities and informed responses to security incidents. However, ingesting large volumes of threat intelligence feeds creates a unique set of challenges.
Overwhelming Alerts Volume: As organizations consume threat intel feeds from numerous sources, security teams are overwhelmed with the volume of threat feeds. Since many of these alerts may not be relevant, analysts face the challenge of missing out on critical alerts.
Increased Response Times: The time between the initial attack and the initial compromise is very less. Hence, analysts must triage and respond to threats quickly.
False positives: Irrelevant false positive alerts provided by threat intelligence sources may lead security teams to conclude with a wrong decision for the threat.
Solution
Today’s analysts and threat intelligence teams will require a solution that is smarter, and faster in analyzing and triaging threat indicators. CTIX confidence scoring engine helps analysts to filter out irrelevant data and automatically prioritize critical threat indicators. The confidence scoring engine provides an entire knowledge plot of indicators with their measured confidence score.
The confidence scoring engine is designed to support the following operations of the threat intelligence teams.
Continuous collection of threat indicators from internal and external sources
Reusing existing intelligence from STIX objects and third-party tools
Automatic confidence score calculation
What is a confidence score?
The confidence score is a value between 0 and 100 assigned automatically to threat indicators to represent the confidence the scoring engine has in an indicator being malicious. 100 confidence suggests that the scoring engine is extremely confident about the malicious behavior of the indicator.
How to configure the confidence score engine?
The configuration for the confidence score engine is pre-configured in CTIX. CTIX uses a weighted average of the four calculated scores namely the relations score, enrichment policy score, source confidence score, and source sightings score to assign confidence scores for indicators. To know more about the confidence scoring parameters, see the documentation.
To understand how CTIX calculates a confidence score for indicators, see the confidence scoring algorithm.
You can also assign custom confidence for your threat intel sources. To configure source scoring, see the documentation.
Benefits
Automated Threat Actioning
CTIX enables security teams to automate actions based on confidence scores. Security teams can build rules to automate proactive threat mitigation tasks such as blocking IP in firewalls/SIEM tools based on confidence scores.
Example Use Case: Block High Confidence Score Indicators
Faster Threat Investigations
Confidence scores allow security analysts to generate finished intel reports by including tags TLP, MITRE ATT&CK mapping, and investigations. These reports can be employed to create contextualized and useful intel, helping analysts to expedite their threat investigations.
Contextual Threat Information Sharing
With confidence scores in hand, security analysts can create and share threat bulletins with their subscribers, members, or other organizations, equipping them with the right threat data for investigations.