elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

Question: How is the risk score calculated? #1

Closed michaelhidalgo closed 4 years ago

michaelhidalgo commented 4 years ago

Hi folks, first off, thanks for making this repository open source.

Second, had I been paying attention, I would have noticed that each rule has a risk rating associated with it. May I ask how that risk calculation is created, or is it part of the secret sauce?

Thanks.

rw-access commented 4 years ago

I assigned @randomuserid to chime in.

Until then: From what I remember (may be flawed and soon corrected), we pick values that fit neatly at the upper end of quartiles (0-25, 26-50, 51-75, 76-100). I think we also avoid those numbers at the boundaries, and that's how we arrive at numbers like: 21, 47, 73, 99.
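The quartile convention described in the comment above, written out as a small lint check. This is an added example and not code from the detection-rules repository; it assumes that the four quartiles line up with Elastic's four rule severities (low, medium, high, critical) in that order, and the rule metadata it checks is constructed for illustration.

```python
# Added example (not detection-rules code): encode the quartile convention for
# risk scores and lint rule metadata against it.
# Assumption: the four quartiles map onto the four severities
# low / medium / high / critical, in that order.

# Quartile bands 0-25, 26-50, 51-75, 76-100 and the in-band values that avoid
# the boundaries (21, 47, 73, 99).
SEVERITY_BANDS = {
    "low": (0, 25),
    "medium": (26, 50),
    "high": (51, 75),
    "critical": (76, 100),
}
DEFAULT_RISK_SCORE = {"low": 21, "medium": 47, "high": 73, "critical": 99}


def default_risk_score(severity: str) -> int:
    """Return the conventional risk score for a severity, e.g. 'high' -> 73."""
    try:
        return DEFAULT_RISK_SCORE[severity.lower()]
    except KeyError:
        raise ValueError(f"unknown severity: {severity!r}") from None


def lint_risk_score(rule: dict) -> list[str]:
    """Return findings for one rule's severity/risk_score pair.

    An empty list means the pair follows the convention exactly. A score that
    is inside the band but not the conventional value is reported as a note,
    since local adjustment is legitimate.
    """
    findings = []
    name = rule.get("name", "<unnamed>")
    severity = str(rule.get("severity", "")).lower()
    score = rule.get("risk_score")
    if severity not in SEVERITY_BANDS:
        findings.append(f"{name}: unknown severity {severity!r}")
        return findings
    if not isinstance(score, int) or not 0 <= score <= 100:
        findings.append(f"{name}: risk_score must be an integer 0-100, got {score!r}")
        return findings
    low, high = SEVERITY_BANDS[severity]
    expected = DEFAULT_RISK_SCORE[severity]
    if not low <= score <= high:
        findings.append(
            f"{name}: risk_score {score} outside {severity} band {low}-{high}"
            f" (expected around {expected})"
        )
    elif score != expected:
        findings.append(
            f"{name}: risk_score {score} is in band but not the conventional"
            f" {expected} (fine if adjusted locally)"
        )
    return findings


def lint_rules(rules: list[dict]) -> list[str]:
    """Lint a list of rule metadata dicts and collect all findings."""
    out = []
    for rule in rules:
        out.extend(lint_risk_score(rule))
    return out


# Constructed sample rule metadata; names and values are made up.
SAMPLE_RULES = [
    {"name": "Constructed rule A", "severity": "medium", "risk_score": 47},
    {"name": "Constructed rule B", "severity": "critical", "risk_score": 73},
    {"name": "Constructed rule C", "severity": "low", "risk_score": 25},
    {"name": "Constructed rule D", "severity": "high", "risk_score": 101},
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run against the constructed set, rule A passes, rule B is flagged because 73 is the conventional high value sitting in a critical rule, rule C gets a note for a non-conventional but in-band value, and rule D fails the range check.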

michaelhidalgo commented 4 years ago

I see, yeah I was trying to see if there was some sort of risk model such as exploitability * impact or level up in the cyber kill chain (a.k.a. a Lateral Movement technique has a higher score than an Initial Access technique because the impact is higher to the organization).

Would be nice to have something like that explaining that risk model :)

michaelhidalgo commented 4 years ago

So @randomuserid any feedback? :)

randomuserid commented 4 years ago

So by default, risk scores are aligned with severity as described above. Risk scores, like many aspects of the rules, are adjustable, because different organizations have different security postures and risk calculations so there is often not a good one-size-fits-all value. For example, many environments would consider direct SSH or RDP access, or even direct HTTP|S (not traversing a firewall, balancer or other security device) to be high risk. Some cloud-native environments, or development and staging environments, consider this to be less risky and more like normal behavior. Each set of users can adjust risk scores up or down according to local conditions.

Another way risk score can be used is when an emerging threat creates a high-priority risk that will be mitigated within a matter of hours or days. Risk score can be adjusted upwards pre-mitigation and downwards post-mitigation to reflect local conditions. Yet another way is to consider the classes of events themselves. For example, if you have a netsec device that produces good detects but also produces a number of false positive XSS alerts, you could make a pair of rules, one of which lowers risk scores for the XSS category of alerts and one that raises risk scores for the other higher-confidence alerts produced by the source device(s).

Several directions for automated adjustments of risk scores have been proposed, including using conditions and lists; asset or GRC data; and machine learning approaches. The reason for the last idea is that the second, GRC and asset data, while a traditional way to calculate risk scores, is not always complete or accurate, particularly in cloud native environments.

We are always interested in feedback on what you would like to see. Hope you enjoy the repo and thanks for engaging!
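The two adjustment patterns from the answer above (a time-bounded upward override for an emerging threat, and a device-level pair that lowers one noisy category while raising the rest of that device's alerts), as an added example that is not Elastic code and not a Kibana feature. It models the adjustments as a small policy list applied to alerts that already carry a base risk score; the alert fields, source names, categories, deltas and dates are all constructed for illustration.

```python
# Added example (not Elastic code): apply local risk-score adjustments to
# alerts that carry a base risk score. Assumptions: an alert is a dict with
# "source", "category" and "risk_score"; the policy shapes below are invented
# for illustration.
from datetime import datetime, timezone


def clamp(score: int) -> int:
    """Keep an adjusted score inside the 0-100 range used for risk scores."""
    return max(0, min(100, score))


# Pattern 1: emerging threat. Override applies only until the mitigation date,
# after which the alert falls back to its normal scoring.
EMERGING_THREAT_OVERRIDES = [
    {
        "category": "constructed-threat-x",
        "risk_score": 99,
        "until": datetime(2020, 1, 10, tzinfo=timezone.utc),  # constructed date
    },
]

# Pattern 2: a pair of adjustments for one source device. First match wins, so
# the specific (noisy) category comes before the catch-all for the same source.
CATEGORY_ADJUSTMENTS = [
    {"source": "constructed-netsec-device", "category": "xss", "delta": -30},
    {"source": "constructed-netsec-device", "category": None, "delta": +15},
]


def adjust_risk_score(alert: dict, now: datetime) -> tuple[int, str]:
    """Return (adjusted_score, reason) for one alert at time `now`."""
    base = alert["risk_score"]
    for override in EMERGING_THREAT_OVERRIDES:
        if alert["category"] == override["category"] and now < override["until"]:
            return clamp(override["risk_score"]), "emerging-threat override"
    for rule in CATEGORY_ADJUSTMENTS:
        if rule["source"] != alert["source"]:
            continue
        if rule["category"] is None or rule["category"] == alert["category"]:
            return clamp(base + rule["delta"]), f"source adjustment {rule['delta']:+d}"
    return clamp(base), "unchanged"


# Constructed sample alerts.
SAMPLE_ALERTS = [
    {"source": "constructed-netsec-device", "category": "xss", "risk_score": 47},
    {"source": "constructed-netsec-device", "category": "sqli", "risk_score": 47},
    {"source": "constructed-edr", "category": "constructed-threat-x", "risk_score": 47},
    {"source": "constructed-edr", "category": "other", "risk_score": 47},
]

PRE_MITIGATION = datetime(2020, 1, 5, tzinfo=timezone.utc)
POST_MITIGATION = datetime(2020, 1, 20, tzinfo=timezone.utc)


def score_all(alerts: list[dict], now: datetime) -> list[int]:
    """Adjusted scores for a batch of alerts, in input order."""
    return [adjust_risk_score(a, now)[0] for a in alerts]


if __name__ == "__main__":
    for label, now in (("pre-mitigation", PRE_MITIGATION), ("post-mitigation", POST_MITIGATION)):
        for alert in SAMPLE_ALERTS:
            score, reason = adjust_risk_score(alert, now)
            print(f"{label}: {alert['source']}/{alert['category']}: {alert['risk_score']} -> {score} ({reason})")
```

With the constructed inputs the XSS alert from the device drops from 47 to 17, the other alert from the same device rises to 62, and the emerging-threat category scores 99 before the mitigation date and reverts to its base score afterwards. Keeping the override time-bounded is what makes the "adjust up pre-mitigation, down post-mitigation" step automatic rather than a manual follow-up.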

michaelhidalgo commented 4 years ago

Thanks for the elaborate answer @brokensound77!