Monitoring Threats
Cloud Guard can detect patterns of activity that indicate possible malicious attempts to gain access to resources in your environment and use them for corrupt purposes.
About Threat Detector
Understand the concepts and terminology you need to work with Cloud Guard's Threat Detector component.
The Threat Detector component in Cloud Guard collects and processes information on potential threats as follows:
- Information is collected from Cloud Guard targets.
- Threat Detector gets information on potential threats from Threat Intelligence Service. These are indicators of compromise, such as IP addresses and domains, that are associated with known malware command and control servers.
- That information is run through models that are aligned with the MITRE ATT&CK Framework to categorize the potential tactics and techniques involved.
- Those models produce "sightings" - individual instances of potential malicious behavior - which are scored to assess the seriousness of the consequences if the attack is real and the likelihood that the attack is real.
- Then the sightings are collated into a resource profile.
- The resource profile is scored to assess the risk described by the sequence of sightings.
- A risk level is assigned, based on the highest risk score of the last 14 days.
- If the risk level becomes critical, a problem is generated.
The Threat Monitoring and Threat Monitoring Details pages display information for each resource profile listed. To interpret the information displayed, become familiar with the following key concepts and terminology.
High-Level Threat Monitoring Concepts
These concepts are basic to understanding threat monitoring in Cloud Guard, especially when working with the Threat Monitoring and Threat Monitoring Details pages.
- Sighting - a specific instance of potential malicious behavior that Cloud Guard has detected. Individual sightings are correlated across time and across regions. The collection of related sightings is assessed on the likelihood that it represents an attack and on how serious such an attack would be.
- Sighting Type - Cloud Guard detects several different sighting types. See Sighting Type Reference.
- Correlation: Cloud Guard collects raw data in each region. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
- Confidence: A confidence level represents an estimate of the probability that a sighting really does represent an actual attacker. Cloud Guard uses the same categories for both Severity and Confidence levels in the resulting Sighting details.
The combination of factors that Cloud Guard uses to determine confidence level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.
- Severity: A severity level represents the potential threat level posed by a sighting - how serious the sighting might be, assuming it represents an actual attacker. Cloud Guard displays the same categories for both Severity and Confidence levels in the resulting Sighting details.
The combination of factors that Cloud Guard uses to determine severity level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.
- Sighting Score - combines Severity and Confidence assessments, along with other factors, to derive a numeric estimate of the seriousness of the threat. The Sighting Score is different from the Risk Score associated with problems.
- Risk Score: Cloud Guard collects raw data in each region and calculates a raw risk score for related sightings. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
- Risk Level - is based on the 14-day Peak Risk Score (Critical, High, Medium, Low, Minor). Risk Level rises immediately when a high risk score is registered. If no further high Risk Scores are registered, Risk Level then declines slowly, because that high Risk Score takes 14 days to drop out of the Risk Level calculation.
For definitions of these risk levels, see Processing Problems from the Problems Snapshot.
- Tactic - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE tactic. For example, Privilege Escalation or Credential Access.
- Technique - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE technique or subtechnique. For example, Password Guessing or Exfiltration to Cloud Storage.
- Resource Profile - the collection of information that Cloud Guard has observed for specific resources that might be under attack, as indicated by the Risk Score derived from the correlated sightings. This information includes sightings, scores, and resource IDs. As Cloud Guard monitors targets, it creates profiles for the resources it observes, and creates sightings as malicious behaviors are detected. Currently, the resource profile is always focused on a user.
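The 14-day Peak Risk Score behaviour described above (Risk Level jumps as soon as a high score is registered, then stays elevated until that score ages out of the window) can be modelled as a sliding-window maximum. The following is an added illustration, not Cloud Guard's code; the daily scores, the window semantics (14 calendar days inclusive of the current day) and the level thresholds in LEVEL_THRESHOLDS are constructed assumptions, since the page does not publish the real cut-offs.

```python
from datetime import date, timedelta

WINDOW_DAYS = 14

# Assumed level floors for illustration only; Cloud Guard's real thresholds
# are not given on this page.
LEVEL_THRESHOLDS = [
    ("Critical", 90),
    ("High", 70),
    ("Medium", 50),
    ("Low", 30),
    ("Minor", 0),
]

# Constructed sample: per-day highest risk score for one resource profile.
START = date(2024, 1, 1)
SAMPLE_SCORES = {
    START: 20,                       # background noise
    START + timedelta(days=3): 95,   # one high-scoring correlated sighting
    START + timedelta(days=5): 40,   # a later, lower-scoring sighting
}


def peak_risk_score(scores_by_day, as_of):
    """Highest score registered in the 14 days ending on as_of (inclusive)."""
    window_start = as_of - timedelta(days=WINDOW_DAYS - 1)
    in_window = [s for d, s in scores_by_day.items() if window_start <= d <= as_of]
    return max(in_window, default=0)


def risk_level(peak):
    """Map a peak score to a level using the assumed floors above."""
    for name, floor in LEVEL_THRESHOLDS:
        if peak >= floor:
            return name
    return "Minor"


def risk_timeline(scores_by_day, start, days):
    """Return (day, peak, level, problem_generated) for each day.

    A problem is generated only on the day the level first becomes Critical,
    mirroring 'if the risk level becomes critical, a problem is generated'.
    """
    timeline, previous = [], None
    for i in range(days):
        day = start + timedelta(days=i)
        peak = peak_risk_score(scores_by_day, day)
        level = risk_level(peak)
        generated = level == "Critical" and previous != "Critical"
        timeline.append((day, peak, level, generated))
        previous = level
    return timeline
```

Running risk_timeline(SAMPLE_SCORES, START, 20) shows the level going Critical on day 3, staying there through day 16, then falling to Low (the day-5 score) and finally Minor once nothing remains in the window.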
Parameters Reported for Sightings
The following parameters are also monitored. Some of these parameters appear on only the Threat Monitoring page or the Threat Monitoring Details page.
- Resource, Resource ID, Resource Name - an identifier for the resource targeted in the sighting.
- Compartment - the OCI compartment where the resource is located.
- Target - the Cloud Guard target containing the OCI compartment.
- Regions - the region or regions in which the sighting was detected.
- First Detected - the date and time at which the sighting was first detected.
- Last Detected - the date and time at which the sighting was last detected.
- Peak Risk Score - the highest risk score for a particular risk profile.
- Peak Date - the date of the highest risk score for a particular risk profile.
- Endpoint ASN - the Autonomous System Number associated with the endpoint IP address identified in a sighting.
- Endpoint Service - the particular services used from the endpoint identified in a sighting.
- Endpoint Type - if the IP address is known to the OCI Threat Intel service, it's declared "suspicious" and the IP address becomes a link to the information in that service.
Viewing Threat Information
From the Threat Monitoring page, you can see resource profiles and their key attributes to quickly identify the highest priority events.
Prerequisite: Enable the OCI Threat Detector recipe in at least one Cloud Guard target that's:
- Defined in your environment, and
- Contains the root compartment.
When you create a target, Cloud Guard requires an Activity Detector Recipe and a Configuration Detector Recipe to be attached. If you don't want to enable those detectors on the target, you can remove them after you finish creating the target. See Modifying an OCI Target.
See Creating an OCI Target. To add the OCI Threat Detector recipe after you finish creating the target, see Modifying an OCI Target.
After the preceding prerequisites are met, Cloud Guard begins a learning period. This learning period varies in length from a few hours to a few days, depending on the sighting type. Cloud Guard doesn't actually start monitoring to detect threats until after the learning period is past. Even after the learning period, if no suspicious activity is occurring, you see no threat information on the Threat Monitoring page.