Monitoring Threats

Cloud Guard can detect patterns of activity that indicate possible malicious attempts to gain access to resources in your environment and use them for corrupt purposes.

About Threat Detector

Understand the concepts and terminology you need to work with Cloud Guard's Threat Detectior component.

The Threat Detector component in Cloud Guard collects and processes information on potential threats as follows:

  1. Information is collected from Cloud Guard targets.
  2. Threat Detector gets information on potential threats from Threat Intelligence Service. These are indicators of compromise, such as IP addresses and domains, that are associated with known malware command and control servers.
  3. That information is run through models that are aligned with the MITRE ATT&CK Framework to categorize the potential tactics and techniques involved.
  4. Those models produce "sightings" - individual instances of potential malicious behavior - which are scored to assess the seriousness of the consequences if the attack is real and the likelihood that the attack is real.
  5. Then the sightings are collated into a resource profile.
  6. The resource profile is scored to assess the risk described by the sequence of sightings.
  7. A risk level is assigned, based on the highest risk score of the last 14 days.
  8. If the risk level becomes critical, a problem is generated.

The Threat Monitoring and Threat Monitoring Details pages display information for each resource profile listed. To interpret the information displayed, become familiar with the following key concepts and terminology.

High-Level Threat Monitoring Concepts

These concepts are basic to understanding threat monitoring in Cloud Guard, especially when working with the Threat Monitoring and Threat Monitoring Details pages.

  • Sighting - a specific instance of potential malicious behavior that Cloud Guard has detected. Individual sightings are correlated across time and across regions. The collection of related sightings is assessed on the likelihood that it represents an attack and on how serious the such an attack would be.
  • Sighting Type - Cloud Guard detects several different sighting types. See Sighting Type Reference.
  • Correlation: Cloud Guard collects raw data in each region. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
  • Confidence: A confidence level represents an estimate of the probability that a sighting really does represent an actual attacker. Cloud Guard uses the same categories for both Severity and Confidence levels in the resulting Sighting details:

    The combination of factors that Cloud Guard uses to determine confidence level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.

  • Severity: A confidence level represents an estimate of the probability that a sighting really does represent an actual attacker. A severity level represents the potential threat level posed by a sighting - how serious the sighting might be, assuming it represents an actual attacker. Cloud Guard displays the following categories for both Severity and Confidence levels in the resulting Sighting details:

    The combination of factors that Cloud Guard uses to determine severity level is different for different sighting types. See "Severity" and "Confidence" sections for each sighting type in Sighting Type Reference.

  • Sighting Score - combines Severity and Confidence assessments, along with other factors, to derive a numeric estimate of the seriousness of the threat.

    The Sighting Score is different from the Risk Score associated with problems.

  • Risk Score: Cloud Guard collects raw data in each region and calculates a raw risk score for related sightings. Cloud Guard then correlates related sightings across regions and calculates a normalized score for the related sightings. If the normalized risk score exceeds a threshold, Cloud Guard then triggers a problem and assigns a severity level and a confidence level to the problem.
  • Risk Level - is based on the 14-day Peak Risk Score. (Critical, High, Medium, Low, Minor). Risk Level rises immediately when a high risk score is registered. If no further high Risk Scores are registered, Risk Level then declines slowly, because that high Risk Score takes 14 days to drop out of the Risk Level calculation.

    For definitions of these risk levels, see Processing Problems from the Problems Snapshot.

  • Tactic - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE tactic. For example, Privilege Escalation or Credential Access.
  • Technique - from the perspective of the MITRE ATT&CK Framework, the sighting would be classified as an instance of this MITRE technique or subtechnique. For example, Password Guessing or Exfiltration to Cloud Storage.
  • Resource Profile - the collection of information that Cloud Guard has observed for specific resources that might be under attack, as indicated by the Risk Score derived from the correlated sightings. This information includes sightings, scores, and resource IDs. As Cloud Guard monitors targets, it creates profiles for the resources it observes, and creates sightings as malicious behaviors are detected. Currently, the resource profile is always focused on a user.

Parameters Reported for Sightings

The following parameters are also monitored. Some of these parameters appear on only the Threat Monitoring page or the Threat Monitoring Details page.

  • Resource, Resource ID, Resource Name - an identifier for the resource targeted in the sighting.
  • Compartment - the OCI compartment where the resource is located.
  • Target - the Cloud Guard target containing the OCI compartment.
  • Regions - the region or regions in which the sighting was detected.
  • First Detected - the date and time at which the sighting was first detected.
  • Last Detected - the date and time at which the sighting was last detected.
  • Peak Risk Score - the highest risk score for a particular risk profile.
  • Peak Date - the date of the highest risk score for a particular risk profile.
  • Endpoint ASN - the Autonomous System Number associated with the endpoint IP address identified in a sighting.
  • Endpoint Service - the particular services used from the endpoint identified in a sighting.
  • Endpoint Type - if the IP address is known to the OCI Threat Intel service, it's declared "suspicious" and the IP address becomes a link to the information in that service.

Viewing Threat Information

From the Threat Monitoring page, you can see resource profiles and their key attributes to quickly identify the highest priority events.

Prerequisite: Enable the OCI Threat Detector recipe in at least one Cloud Guard target that's:

  • Defined in your environment, and...
  • Contains the root compartment.
Note

When you create a target, Cloud Guard requires an Activity Detector Recipe and a Configuration Detector Recipe to be attached. If you don't want to enable those detectors on the target, you can remove them after you finish creating the target. See Modifying Recipes Added to a Target.

See Creating a Target. To add the OCI Threat Detector recipe after you finish creating the target, see Modifying Recipes Added to a Target.

Note

After the preceding prerequisites are met, Cloud Guard begins a learning period. This learning period varies in length from a few hours to a few days, depending on the sighting type. Cloud Guard doesn't actually start monitoring to detect threats until after the learning period is past. If no suspicious activity is occurring, you still see no threat information on the Threat Monitoring page.
  1. From the Cloud Guard options panel on the left, select Threat Monitoring.
  2. To change the scope for which threats are included, in the Scope section, below the Cloud Guard options panel on the left select a different:
    • Compartment.

      The compartment you select, and all compartments below it, are included in the scope.

    • Tag filters specification.
      • Click add, then fill in the Tag Filters dialog box.
      • Repeat the previous step to add another tag filter.

        Multiple tag filters are AND'ed; all must be matched.

      • To clear one tag filter only, click the "X" on the tag filter box,
      • To clear all tag filters, click clear.
  3. To filter the list on dates and risk score values, make selections from the lists below the chart at the top of the page.
  4. To filter the list on other parameters, click Add Filter, make a selection from the list, and select one or more values.
    • Repeat the previous step to add another parameter filter.

      Multiple parameter filters are AND'ed; all must be matched.

    • To clear one parameter filter only, click the "X" on the parameter filter button,
    • To clear all parameter filters, click Clear All Filters.
  5. View Risk Score changes over time in the 30-day Risk Score Trend chart at the top of the page.
    • By default, the chart graphs overall risk scores for the resource profiles with the top 10 risk scores over the past 30 days.
    • Change the data displayed by making a different selection from the Top 10 list in the top-right corner of the chart. These options are typically shown for a shorter time period:
      • Risk scores
      • Fastest growing risk scores
      • Most recently detected
      • Most recently added
  6. To highlight the graph information for a particular resource profile, hover over the name in the list below the Top 10 selection box.
  7. To view specific risk score information for a point in the graph, hover over the point.
    The resource profile for the risk score information is also highlighted, in the list below the Top 10 selection box.
  8. View information for a particular resource profile.
    1. To open the Threat Monitoring Details page for that resource profile, click the link in the Resource profile column.
    2. The General Information tab summarizes the threat.
    3. The 30-day Risk Score Trend chart shows Risk Score changes over time for this particular resource profile.
    4. The Sightings section lists the sightings that factor into the risk score.
    5. Under Resources, in the lower left corner, select another resource to display different information:
      • Impacted Resources shows information on the resources involved.
      • Endpoints shows the IP addresses involved.
  9. If the Risk Score for this Resource Profile on the Threat Monitoring page is 80 or greater:
    • A problem has been triggered.
    • To process the problem, click the link in the Risk profile column, then on the Threat Monitoring Details page, in the General Information tab at the top, click the problem name link, next to Problems.
    • For guidance on processing problems, see Processing and Resolving Problems on the Problems Page.