Version
Cb Defense (formerly Confer) - All
Topic
This document provides information that can be used to explain what are the different severity and malware types, how threat level is determined, and what’s a threat value.
Q/A
Question 1
What is a threat severity?
Answer
All threats detected by our product are grouped based on severity, which must be considered by the administrator in addition to Threat Level in order to get the full picture. The 2 severities are:
Respond = high level of confidence that it’s a real threat
Evaluate = interesting for administrator to review, may pose a risk to organization
Question 2
What is a threat level?
Answer
Threat Level, sometimes also referred to as Threat Score or Threat Priority, prioritizes the relative importance of a threat and is loosely mapped to the stages of the Kill Chain concept, which describes various stages of an attack (see more at https://en.wikipedia.org/wiki/Kill_chain). In general, the higher the score, the further along the Kill Chain an attack has progressed toward achieving its goal. It’s important to note that the goal itself has to be something bad for a threat to receive high score. For example, if malware’s goal is simply to persist, that will not result in a high score. On the other hand, if the goal is to encrypt user data, steal passwords, damage system files, etc., higher score will be produced.
For threats in Respond severity, here are some examples of the types of things that correspond with different Threat Levels:
Level 1 and 2 threats fire off on things like port scans, malware drops, changes to system configuration files, persistence, etc.
Level 3, 4 and 5 threats catch things like malware running, generic virus-like behavior, monitoring user input, potential memory scraping or password theft, etc.
Level 6 and above threats are typically an active exploit, reverse command shells, process hollowing, destructive malware, hidden processes and toolsets, applications that talk on the network that should not, etc.
Question 3
What is a target value?
Answer
Target Value, which is defined by the Policy group a device belongs to, acts as a multiplier when calculating Threat Level for any threats detected on a particular device. Normal Target Value is the baseline (no multiplier). Low Target Value will result in lower Threat Level while High and Critical Target Values will increase Threat Level under same circumstances. That’s why sometimes you may see two or more threats with identical description, but different Threat Level.
Question 4
When should I set an alert email based on threat information?
Answer
Alerts based on Threat Score can be sent to administrator via email. We recommend that you start at Level 3 with both Respond and Evaluate categories selected. If that causes too much “noise” you may exclude Evaluate category and also gradually increase threshold to a higher Threat Level until you achieve the right balance between volume and informativeness of alerts. If you wish to capture more data without getting overwhelmed by too many alerts, you may set up an Alert based on specific TTPs (Tactics, Techniques & Procedures) and route the output to a SIEM system via a connector.
Question 5
How are the severity and threat level determined?
Answer
The exact methodology used to determine Threat Level and Category is part of the cloud-based Analytics Engine, which is at the heart of our product technology, and therefore proprietary.
Question 6
What are the different types of malware defined with the product?
Answer
Known Malware – High confidence detection. High Priority.
Suspect Malware – No known positive reputation associated with hash but flagged by a Confer trusted engine as sharing structure or heuristic.
PUP – Potentially Unwanted Program, e.g., adware, toolbars, bloatware and duel use tools.
