
Scoring Algorithms

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Data Controls - Edit Scoring. See the Interdependent Permissions topic.

ThreatQ’s scoring algorithms calculate and assign scores to indicators as they are added to the system. By configuring scoring, you can filter through the millions of Indicators that may have been collected to focus on the percentage that applies to your organization. Scoring allows you to prioritize key indicators while still retaining all other indicators and context for threat research.

ThreatQ’s Overview dashboard contains the Overview of Intelligence by Score which shows the current distribution of indicator scores. You can also filter Threat Library searches by score and create data collections based on scoring.

Accessing the Scoring Sensitivity Page

From the navigation menu, click Threat Library and select Scoring under the Data Controls heading. The Data Controls page opens with the Scoring tab and Indicator Type sub-tab selected.
Scoring Slider

Scoring Criteria 

ThreatQ's scoring algorithm allows you to influence indicator scores by:

  • Indicator Type
  • Indicator Source
  • Attributes
  • Adversary Relationship

Customizing scoring based on these criteria updates the score assigned to the associated indicators.

Scoring Tips and Tricks

  • The Calculate Impact option identifies how many system objects are affected by a score change.
  • Scoring configuration and updates take time to process, so the Threat Library does not reflect these changes immediately.
  • If you use an indicator’s object details page to manually update its score, the manually selected score overrides any changes to the calculated score caused by updates to the scoring algorithm.
  • You have the option to adjust the score sensitivity of indicators. Indicator scores range from 10, which creates a score of Very High, to -10, Very Low. A higher indicator score creates increased priority for that indicator.
  • By default, indicators are set to a neutral score of 0.

Configuring Your Scoring Algorithm for Indicator Types and Sources

Scoring by indicator type allows you to prioritize indicators based on their usefulness to your organization.  If your organization cannot process or does not want to use a specific indicator type, such as Fuzzy Hash, you can assign a lower score, such as -3, to the indicator type.

Scoring by indicator source allows you to prioritize indicators based on your confidence in the source of the data.  For example, you may have higher confidence in the value of data from paid feeds and would therefore want to assign a higher score, such as a 3, to indicators from these sources.

  1. Select the indicator type or source by filtering by source name or by scrolling to the desired indicator.
  2. Use one of the following methods to adjust scoring:
    • Click and drag the slider to adjust the score.
    • Click the up/down arrow next to the current score to increase/decrease the score.
  3. To save your changes, click the Apply button.

Configuring Your Scoring Algorithm for Attributes

The Attributes tab allows you to specify scoring by attribute key and value.  You can use attribute scoring to prioritize indicators based on attributes provided by a vendor and/or customer attributes applied by internal users. 

If your organization applies a Department attribute (attribute key) to indicators based on the team targeted by the threat (attribute value), for instance Department - Tech Pubs, you can apply higher scores to indicators with attributes associated with high value targets such as Department - Finance.

  1. From the Attributes tab, click the Add button.
  2. Use one of the following methods to specify an attribute key:
    • Click the arrow in the Key field to select an attribute type from the dropdown list.
    • Type the attribute key in the Key field.
  3. Use one of the following methods to populate the Value field:
    • Enter the attribute value to which the score applies.
    • Enter an attribute value that contains the wildcard character (*). The wildcard can appear in multiple positions in the value, and each wildcard matches any characters in that position.
  4. Use one of the following methods to adjust the score:
    • Click and drag the slider to adjust the score.
    • Click the up/down arrow next to the current score to increase/decrease the score.
  5. Click the Add button to continue adding attribute scoring criteria.
  6. Click the Apply button to save your attribute scoring.
    The Attributes tab now lists your scoring entry in the following format:
    <Key> is <Value>

Configuring Your Scoring Algorithm for Adversary Relationships

The Adversary Relationship tab allows you to configure the scoring of indicators associated with specific adversaries. You can use this scoring to prioritize indicators associated with adversaries that tend to target your industry in general and/or your organization specifically.

Adversary relationship scoring supports a wildcard option, Any Adversary, that allows you to specify a score for any indicator with a positive attribution.

  1. From the Adversary Relationship tab, click the Add button.
  2. Click the arrow in the Select Adversary field to select an adversary from the dropdown list.  You can use the scroll bar or Search field to locate the adversary.

    Select the Any Adversary option to prioritize any indicator with a positive attribution.

  3. Use one of the following methods to adjust the score:
    • Click and drag the slider to adjust the score.
    • Click the up/down arrow next to the current score to increase/decrease the score.
  4. Click the Add button to continue adding adversary relationship scoring.
  5. Click the Apply button to save your scoring.
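
An offline model of the four scoring criteria, the wildcard attribute match and the manual-override behavior described above, added here as an illustration; it is not ThreatQ code and calls no ThreatQ API. This page does not state how the platform combines criteria, so the additive rule, the precedence of a named adversary over Any Adversary, case-sensitive matching, and every policy and indicator value below are assumptions or constructed sample data.

```python
import re

# Constructed sample policy: names and scores are illustrative, not ThreatQ defaults.
POLICY = {
    "type": {"Fuzzy Hash": -3, "FQDN": 2},
    "source": {"Paid Feed A": 3},
    "attribute": [("Department", "Finance", 4), ("Malware Family", "Emotet*", 2)],
    "adversary": {"Example Group": 3},
    "any_adversary": 1,
}

def value_matches(pattern, value):
    # '*' matches any run of characters and may appear in several positions.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

def calculated_score(ind, policy):
    # ASSUMPTION: matching criteria are summed, then clamped to the -10..10 range.
    total = policy["type"].get(ind["type"], 0)   # unlisted types stay neutral (0)
    total += sum(policy["source"].get(s, 0) for s in ind["sources"])
    total += sum(pts for key, pat, pts in policy["attribute"]
                 if any(k == key and value_matches(pat, v) for k, v in ind["attributes"]))
    named = [policy["adversary"][a] for a in ind["adversaries"] if a in policy["adversary"]]
    if named:
        total += max(named)
    elif ind["adversaries"]:   # attributed, but no adversary-specific rule
        total += policy["any_adversary"]
    return max(-10, min(10, total))

def effective_score(ind, policy):
    # A manually selected score overrides the calculated one.
    manual = ind.get("manual_score")
    return manual if manual is not None else calculated_score(ind, policy)

def impact(indicators, old, new):
    # Dry run: how many indicators would change score under the new policy.
    return sum(effective_score(i, old) != effective_score(i, new) for i in indicators)

# Constructed indicators.
INDICATORS = [
    {"type": "FQDN", "sources": ["Paid Feed A"], "adversaries": ["Example Group"],
     "attributes": [("Department", "Finance"), ("Malware Family", "Emotet Epoch 4")]},
    {"type": "Fuzzy Hash", "sources": ["Open Blocklist"], "adversaries": ["Unlisted Group"],
     "attributes": [("Department", "Tech Pubs")]},
    {"type": "Fuzzy Hash", "sources": [], "adversaries": [], "attributes": [],
     "manual_score": 5},
]

if __name__ == "__main__":
    for ind in INDICATORS:
        print(ind["type"], calculated_score(ind, POLICY), effective_score(ind, POLICY))
```

Lowering the Fuzzy Hash score in a copy of the policy and passing both to `impact` shows that the manually scored indicator is not counted as changed.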

Updating Your Scoring Algorithms

After you set up your initial scoring, you can update assigned scores to reflect changes in your threat environment and priorities.  Periodic reviews and updates to your scoring algorithms ensure they reflect:

  • Changes to your risk profile based on political or organizational changes
  • New adversaries
  • New adversary tactics
  • New tool sets

  1. Click the appropriate tab (Indicator Type, Indicator Source, Attributes, Adversary Relationship).
  2. Use one of the following methods to adjust the score:
    • Click and drag the slider to adjust the score.
    • Click the up/down arrow next to the current score to increase/decrease the score.
  3. Click the Apply button to save your update.