Oracle Cloud Infrastructure Documentation

About Threat Detector

Understand the concepts and terminology you need to work with Cloud Guard's Threat Detector component.

The Threat Detector component in Cloud Guard collects and processes information on potential threats as follows:

  1. Information is collected from Cloud Guard targets.
  2. Threat Detector gets information on potential threats from Threat Intelligence Service. These are indicators of compromise, such as IP addresses and domains, that are associated with known malware command and control servers.
  3. That information is run through models that are aligned with the MITRE ATT&CK Framework to categorize the potential tactics and techniques involved.
  4. Those models produce "sightings" - individual instances of potential malicious behavior - which are scored to assess the seriousness of the consequences if the attack is real and the likelihood that the attack is real.
  5. Then the sightings are collated into a resource profile.
  6. The resource profile is scored to assess the risk described by the sequence of sightings.
  7. A risk level is assigned, based on the highest risk score of the last 14 days.
  8. If the risk level becomes critical, a problem is generated.

The Threat Monitoring and Threat Monitoring Details pages display information for each resource profile listed. To interpret the information displayed, become familiar with the following key concepts and terminology.

High-Level Threat Monitoring Concepts

These concepts are basic to understanding threat monitoring in Cloud Guard, especially when working with the Threat Monitoring and Threat Monitoring Details pages.

  • Sighting - a specific instance of potential malicious behavior that Cloud Guard has detected. Individual sightings are correlated across time and across regions. The collection of related sightings is assessed on the likelihood that it represents an attack and on how serious the such an attack would be.
  • Sighting Type - Cloud Guard detects several different sighting types. See Sighting Type Reference.
  • Correlation: Cloud Guard collects raw data in each region. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
  • Confidence: A confidence level represents an estimate of the probability that a sighting really does represent an actual attacker. Cloud Guard uses the same categories for both Severity and Confidence levels in the resulting Sighting details:

    The combination of factors that Cloud Guard uses to determine confidence level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.

  • Severity: A confidence level represents an estimate of the probability that a sighting really does represent an actual attacker. A severity level represents the potential threat level posed by a sighting - how serious the sighting might be, assuming it represents an actual attacker. Cloud Guard displays the following categories for both Severity and Confidence levels in the resulting Sighting details:

    The combination of factors that Cloud Guard uses to determine severity level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.

  • Sighting Score - combines Severity and Confidence assessments, along with other factors, to derive a numeric estimate of the seriousness of the threat.

    The Sighting Score is different from the Risk Score associated with problems.

  • Risk Score: Cloud Guard collects raw data in each region and calculates a raw risk score for related sightings. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
  • Risk Level - is based on the 14-day Peak Risk Score. (Critical, High, Medium, Low, Minor). Risk Level rises immediately when a high risk score is registered. If no further high Risk Scores are registered, Risk Level then declines slowly, because that high Risk Score takes 14 days to drop out of the Risk Level calculation.

    For definitions of these risk levels, see Viewing Problems from the Problems Snapshot.

  • Tactic - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE tactic. For example, Privilege Escalation or Credential Access.
  • Technique - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE technique or subtechnique. For example, Password Guessing or Exfiltration to Cloud Storage.
  • Resource Profile - the collection of information that Cloud Guard has observed for specific resources that might be under attack, as indicated by the Risk Score derived from the correlated sightings. This information includes sightings, scores, and resource IDs. As Cloud Guard monitors targets, it creates profiles for the resources it observes, and creates sightings as malicious behaviors are detected. Currently, the resource profile is always focused on a user.

Parameters Reported for Sightings

The following parameters are also monitored. Some of these parameters appear on only the Threat Monitoring page or the Threat Monitoring Details page.

  • Resource, Resource ID, Resource Name - an identifier for the resource targeted in the sighting.
  • Compartment - the OCI compartment where the resource is located.
  • Target - the Cloud Guard target containing the OCI compartment.
  • Regions - the region or regions in which the sighting was detected.
  • First Detected - the date and time at which the sighting was first detected.
  • Last Detected - the date and time at which the sighting was last detected.
  • Peak Risk Score - the highest risk score for a particular risk profile.
  • Peak Date - the date of the highest risk score for a particular risk profile.
  • Endpoint ASN - the Autonomous System Number associated with the endpoint IP address identified in a sighting.
  • Endpoint Service - the particular services used from the endpoint identified in a sighting.
  • Endpoint Type - if the IP address is known to the OCI Threat Intel service, it's declared "suspicious" and the IP address becomes a link to the information in that service.