Threat Score
The Context-Aware Sharing Module receives composed IoCs from the Composed IoC Module, which in turn fetches and processes information from various sources (e.g., OSINT), to be used in the threat score analysis performed by the heuristics engine. The engine considers a set of conditions that are evaluated for every single feature. A score (either positive or negative) is assigned to every feature (i.e., an individual score). The sum of all individual scores gives the Threat Score associated with the data being analyzed.

The proposed threat score function is defined as the sum of all individual heuristic values (Xi), each multiplied by its corresponding weight factor (Pi). The weight factor itself reflects multiple criteria (relevance, accuracy, timeliness, variety). The sum is then adjusted by the completeness parameter (Cp), as shown in the Equation.

The first part of the Threat Score function refers to the value assigned to a given heuristic based on the type of information processed during the evaluation.

The section proceeds with the list of individual scores (from 0 to 5) assigned to each heuristic (in both MISP and STIX format) and, finally, some simple cases of threat score evaluation are shown, considering the samples listed in the "IoCs" section.
MISP Heuristic Features and Scores
When composed IoCs are received in MISP JSON format, the set of Heuristic Features is composed of MISP categories and the associated MISP attributes. First of all, the categories and their associated scores, assigned by expert knowledge considering the peculiarities of the monitored infrastructure, are the following:
- Internal Reference: 2
- Targeting data: 2
- Antivirus Detection: 2
- Payload Delivery: 4
- Artifact Dropped: 4
- Payload Installation: 4
- Persistence Mechanism: 2
- Network Activity: 5
- Payload Type: 3
- Attribution: 3
- External Analysis: 4
- Financial Fraud: 2
- Support Tool: 2
- Social Network: 2
- Person: 2
- Other: 2
Each MISP category can be detailed through a fixed set of MISP attributes, which have also been considered as heuristics:
- vulnerability: 5
- md5: 4
- sha1: 1
- sha256: 3
- filename: 5
- filename|md5: 2
- filename|sha1: 2
- filename|sha256: 2
- ip-src: 5
- ip-dst: 5
- hostname: 4
- domain: 5
- domain|ip: 4
- email-src: 3
- email-dst: 1
- email-subject: 2
- email-body: 2
- email-attachment: 2
- url: 4
- link: 4
- regkey: 1
- regkey|value: 1
- malware-sample: 5
- malware-type: 5
- mutex: 1
- uri: 4
- sha224: 1
- sha384: 1
- sha512: 1
- sha512/224: 1
- sha512/256: 1
- tlsh: 1
- filename|sha224: 1
- filename|sha384: 1
- filename|sha512: 1
- filename|sha512/224: 1
- filename|sha512/256: 1
- port: 5
- ip-dst|port: 5
- ip-src|port: 5
- hostname|port: 5
- email-reply-to: 2
- attachment: 2
- mac-address: 1
- AS: 1
- email-dst-display-name: 2
- email-src-display-name: 2
- stix2-pattern: 4
- snort: 3
- yara: 2
The categories/attributes with a higher score have a higher impact on the threat score evaluation.

Regarding the completeness parameter, an incoming MISP composed IoC is considered fully complete if all of the nine most relevant MISP attributes are present, that is: vulnerability, filename, ip-src, ip-dst, hostname, domain, url, link, and md5.
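As an added example (not the project's heuristics engine), the following Python computes the MISP threat score described above from a constructed MISP-style event. It assumes, since the page does not state them, that every weight Pi defaults to 1.0, that Cp is the fraction of the nine most relevant attribute types present, and it reproduces only a subset of the category and attribute score tables.

```python
"""Threat score for a composed IoC in MISP JSON, following the page's model
TS = Cp * sum_i(X_i * P_i). Added example, not the project's heuristics engine.
Assumed (not on the page): every weight P_i defaults to 1.0, Cp is the fraction
of the nine most relevant attribute types present, and only a subset of the
page's category/attribute score tables is reproduced."""
from typing import Dict, Optional

# Individual scores X_i taken from the page's MISP tables (subset).
CATEGORY_SCORE = {"Payload Delivery": 4, "Artifact Dropped": 4, "Network Activity": 5,
                  "Persistence Mechanism": 2, "External Analysis": 4, "Other": 2}
ATTRIBUTE_SCORE = {"vulnerability": 5, "md5": 4, "sha1": 1, "sha256": 3, "filename": 5,
                   "ip-src": 5, "ip-dst": 5, "hostname": 4, "domain": 5, "url": 4,
                   "link": 4, "regkey": 1, "mutex": 1, "port": 5, "yara": 2}
# The nine attribute types the page uses to judge completeness.
RELEVANT_TYPES = {"vulnerability", "filename", "ip-src", "ip-dst", "hostname",
                  "domain", "url", "link", "md5"}

def features(event: dict) -> Dict[str, int]:
    """Map each heuristic feature present (a MISP category or attribute type)
    to its individual score X_i; a feature is counted once however often it occurs."""
    present: Dict[str, int] = {}
    for attr in event["Event"]["Attribute"]:
        present[attr["category"]] = CATEGORY_SCORE.get(attr["category"], 0)
        present[attr["type"]] = ATTRIBUTE_SCORE.get(attr["type"], 0)
    return present

def completeness(event: dict) -> float:
    """Cp: share of the nine most relevant attribute types found in the event."""
    types = {a["type"] for a in event["Event"]["Attribute"]}
    return len(types & RELEVANT_TYPES) / len(RELEVANT_TYPES)

def threat_score(event: dict, weights: Optional[Dict[str, float]] = None) -> float:
    """TS = Cp * sum(X_i * P_i), P_i read from `weights` (assumed default 1.0)."""
    weights = weights or {}
    weighted = sum(x * weights.get(f, 1.0) for f, x in features(event).items())
    return completeness(event) * weighted

# Constructed sample event (documentation-range IP, placeholder hash and path).
SAMPLE_EVENT = {"Event": {"info": "constructed sample", "Attribute": [
    {"category": "Network Activity", "type": "ip-dst", "value": "192.0.2.10"},
    {"category": "Network Activity", "type": "domain", "value": "example.invalid"},
    {"category": "Payload Delivery", "type": "md5", "value": "<placeholder-md5>"},
    {"category": "Payload Delivery", "type": "filename", "value": "dropper.bin"},
    {"category": "Persistence Mechanism", "type": "regkey", "value": "HKCU\\<placeholder>\\Run"},
]}}

if __name__ == "__main__":
    print(f"Cp={completeness(SAMPLE_EVENT):.3f}  TS={threat_score(SAMPLE_EVENT):.3f}")
```

With the sample event, four of the nine relevant types are present (Cp = 4/9) and the feature scores sum to 31, so the score drops to zero for an IoC carrying none of the relevant attribute types, however many low-value attributes it lists.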
STIX 2.0 Heuristic Features and Scores
When composed IoCs are received in STIX 2.0 format, the set of Heuristic Features is composed of the overall set of attributes, plus some custom ones, of each STIX 2.0 Domain Object (SDO) that has been marked as most relevant from the point of view of the monitored infrastructure (Malware, Vulnerability, Attack Pattern, Indicator, Tool, Identity). The set of attributes has always been chosen by expert knowledge, and they are listed below:
- Malware
  - labels
  - category
  - sourceDiversity
  - status
  - operating_system
  - modified
  - created
  - external_references
  - kill_chain_phase
  - valid_from
  - valid_until
- Vulnerability
  - labels
  - sourceDiversity
  - application
  - operating_system
  - modified
  - created
  - external_references
  - vulnerable_app_in_alarm
  - valid_from
  - valid_until
- Attack Pattern
  - labels
  - sourceDiversity
  - detection_tool
  - kill_chain_phase
  - modified
  - created
  - external_references
  - attack_type
  - valid_from
  - valid_until
- Indicator
  - labels
  - sourceDiversity
  - indicator_type
  - kill_chain_phase
  - modified
  - created
  - external_references
  - pattern
  - valid_from
  - valid_until
- Tool
  - labels
  - sourceDiversity
  - tool_type
  - kill_chain_phase
  - modified
  - created
  - external_references
  - name
  - valid_from
  - valid_until
- Identity
  - labels
  - identity_class
  - source_type
  - modified
  - created
  - OSINT_source
  - name
  - sectors
  - country
Up to now, the Heuristic Process with STIX 2.0 as the chosen standard is still under development; the list of scores has not yet been defined. However, we decided to provide some more details on five specific cases (malware, vulnerability, DDoS attack, behavioural scanning from a remote IP address, and remote code execution) to better explain the threat score concept with some practical examples. These examples are shown in the next section.

Regarding the completeness parameter, an incoming STIX 2.0 composed IoC is considered fully complete if all the needed attributes for the most relevant STIX 2.0 SDOs are present. This is an initial set of Heuristic Features; in the future this set will be extended with both custom attributes and SDOs, depending on the context where the heuristic process is applied, which may require a more complete analysis.
Threat Score Calculation
1. Malware Detected: TS = 2.3305
2. Vulnerability Detected: TS = 2.6453
3. Distributed Denial of Service (DDoS) Attack: TS = 2.6097
4. Behavioural Scanning from IP address: TS = 1.6316
5. Remote Code Execution: TS = 2.7406