Glossary
- Asset Group – a group of devices on an organization network, such as computers, whose security is managed by empow using security applications
- Classification Center – empow cloud service that enriches i-SIEM
- DPI – Deep Packet Inspection, inspection of the data part of network packets in addition to the header section, by network devices to identify malware
- Device – any network component that communicates with i-SIEM
- Flexible Plugin – a custom parser, with definitions to parse specific device log data and extract information for a security service; can be used as a security device
- NTA – Network Traffic Analytics, analysis of network traffic to identify abnormal trends and patterns
- SoA – Score of Anomaly, used in NTA and UEBA engines to express the strength of an anomaly
- Tactic – Stage in an attack sequence conducted by an attacker to achieve a goal
- Technique – A method used by attackers to achieve a goal in their attack process
- Tenant – an entity representing multiple assets in the protected organization
- UEBA – User and Entity Behavioral Analytics – analysis of user or entity-specific event information, such as access logs, to identify anomalous behavior
Entity Confidence Score
The confidence level given to an entity is calculated from the weighted number of evidences that were correlated together through logical cause-and-effect attack sequences.
The possible confidence levels are:
High –
Medium –
Low –
Info –
Each cause-and-effect correlation sequence gets a weighted score according to the correlation strength. The more immediate the attack sequence, the higher the confidence score.
In the case of a spearphishing link technique (event 1) on a victim, followed by evidence of a malicious link user execution technique (event 2) on the same victim, those two evidences get a strong correlation, as this sequence is an immediate step in terms of an attack scenario.
In the case of a spearphishing attachment technique (event 1) on a victim, followed by a collection of data from local system technique (event 4) performed by the same victim, the sequence still makes sense, but there are a few step gaps: usually we would expect to see execution of the malicious attachment delivered via email, and perhaps even a credential access technique when trying to access the shared repository.
In the examples above, the confidence score will be higher in the first case than in the second.
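The two scenarios above, as an added illustration of how the correlation weight falls with every skipped step in the attack sequence. This is example code written for this page, not empow's scoring engine; the stage order, the technique-to-stage mapping, the decay function and the level thresholds are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Attack-sequence stage order, assumed for illustration (not empow's internal order).
STAGES = ["initial_access", "execution", "persistence", "privilege_escalation",
          "credential_access", "discovery", "lateral_movement", "collection",
          "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}

# Technique -> stage for the techniques in the two examples above (assumed mapping).
TECHNIQUE_STAGE = {
    "Spearphishing Link": "initial_access",
    "Spearphishing Attachment": "initial_access",
    "User Execution: Malicious Link": "execution",
    "Data from Local System": "collection",
}

@dataclass(frozen=True)
class Evidence:
    entity: str      # victim or performer the evidence was reported on
    technique: str

def stage(e: Evidence) -> int:
    return STAGE_INDEX[TECHNIQUE_STAGE[e.technique]]

def skipped_stages(prev: Evidence, cur: Evidence) -> list[str]:
    """Stages an attacker would normally pass through between two evidences."""
    return STAGES[stage(prev) + 1:stage(cur)]

def correlation_weight(prev: Evidence, cur: Evidence) -> float:
    """Strength of the cause-and-effect link: same entity required, the effect
    must not precede its cause, and the weight decays per skipped stage (assumed)."""
    if prev.entity != cur.entity or stage(cur) < stage(prev):
        return 0.0
    return 1.0 / (1 + len(skipped_stages(prev, cur)))

def confidence_score(chain: list[Evidence]) -> float:
    """Weighted sum over consecutive correlated evidence pairs of one entity."""
    return sum(correlation_weight(a, b) for a, b in zip(chain, chain[1:]))

def confidence_level(score: float) -> str:
    # Thresholds assumed for illustration; the page does not state them.
    if score >= 1.0:
        return "High"
    if score >= 0.5:
        return "Medium"
    return "Low" if score > 0.0 else "Info"
```

`skipped_stages` lists exactly the missing steps the text mentions for the second case (execution, and later credential access), which is why its score lands lower.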
Entity Risk Score
The risk level given to an entity is calculated from the techniques detected on the entity, considering for each technique the entity's role (victim or performer) and the action performed by the reporting data source.
The possible Risk levels are:
High –
Medium –
Low –
Below is a list of tactics and techniques, each with its associated risk levels:
*Note: the risk for a technique that is not listed below is determined according to its tactic.
Name | Type | Victim Risk | Performer Risk |
---|---|---|---|
Abuse Elevation Control Mechanism | Technique | ||
Access Token Manipulation | Technique | ||
BITS Jobs | Technique | ||
Boot or Logon Autostart Execution | Technique | ||
Boot or Logon Initialization Scripts | Technique | ||
Brute Force | Technique | ||
Create or Modify System Process | Technique | ||
Credential Dumping | Technique | ||
Data Encrypted for Impact | Technique | ||
Defacement | Technique | ||
Disabling Security Tools | Technique | ||
Drive-by Compromise | Technique | ||
Endpoint Denial of Service | Technique | ||
Event Triggered Execution | Technique | ||
File and Directory Permissions Modification | Technique | ||
Group Policy Modification | Technique | ||
Hijack Execution Flow | Technique | ||
Input capture | Technique | ||
Internal Spearphishing | Technique | ||
Man-in-the-Middle | Technique | ||
Modify Authentication Process | Technique | ||
Network Denial of Service | Technique | ||
Network Sniffing | Technique | ||
New Service | Technique | ||
Policy Violation | Technique | ||
Pre-OS Boot | Technique | ||
Process Injection | Technique | ||
Redundant Access | Technique | ||
Registry Run Keys / Startup Folder | Technique | ||
Remote Access Tools | Technique | ||
Scheduled Task/Job | Technique | ||
Scripting | Technique | ||
Sudo | Technique | ||
Suspicious Connectivity | Technique | ||
Traffic Signaling | Technique | ||
Use Alternate Authentication Material | Technique | ||
Valid Accounts | Technique | ||
Virtualization/Sandbox Evasion | Technique | ||
Web Shell | Technique | ||
Windows Management Instrumentation | Technique | ||
Collection | Tactic | ||
Command and Control | Tactic | ||
Credential Access | Tactic | ||
Defense Evasion | Tactic | ||
Discovery | Tactic | ||
Execution | Tactic | ||
Exfiltration | Tactic | ||
Impact | Tactic | ||
Initial Access | Tactic | ||
Lateral Movement | Tactic | ||
Persistence | Tactic | ||
Privilege Escalation | Tactic | ||
Device Response Action
An Observer Action is a normalized empow property that captures the action performed by the data source the event was received from. The data source can be, for example, a firewall, WAF or URL filter that denies or allows traffic, an email security product that blocks or quarantines messages, or an EDR that terminates a process or deletes a file.
empow categorizes these into Mitigated / No Action. A Mitigated action is any step taken by the observer that actually mitigated the attack and lowered the risk of the detected threat. No Action is the opposite: the observer only alerted on the event, and no further action was applied.
Here is a list of actions that are included in each category:
- Mitigated – deny, block, process terminated, quarantine, delete, email removed, file deleted
- No Action – allow, permit, alert, none
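An added example, covering both the Entity Risk Score section and the action categories listed above: it normalizes a raw device action into Mitigated / No Action, looks up risk per technique and role with the tactic fallback from the note, and discounts mitigated events. This is illustrative code, not empow's implementation; the risk values are constructed because the page's table leaves them blank, and the one-level discount for a mitigated action is an assumption.

```python
from __future__ import annotations
LEVELS = ["Low", "Medium", "High"]          # the page's risk levels, ascending

# Raw data-source actions -> normalized empow categories (lists from the page).
MITIGATED = {"deny", "block", "process terminated", "quarantine", "delete",
             "email removed", "file deleted"}
NO_ACTION = {"allow", "permit", "alert", "none"}

def normalize_action(raw: str) -> str:
    """Map an observer's action to 'Mitigated' or 'No Action'."""
    a = raw.strip().lower()
    if a in MITIGATED:
        return "Mitigated"
    if a in NO_ACTION:
        return "No Action"
    # Unrecognised verb: nothing is known to have been mitigated (assumption).
    return "No Action"

# (victim risk, performer risk) per technique and per tactic. The page's
# table leaves these blank, so the values below are constructed examples.
TECHNIQUE_RISK = {
    "Credential Dumping": ("High", "High"),
    "Brute Force": ("Medium", "High"),
    "Network Sniffing": ("Low", "Medium"),
}
TACTIC_RISK = {"Credential Access": ("Medium", "High"), "Discovery": ("Low", "Low")}
TECHNIQUE_TACTIC = {
    "Credential Dumping": "Credential Access",
    "Brute Force": "Credential Access",
    "Network Sniffing": "Credential Access",
    "Account Discovery": "Discovery",   # not in TECHNIQUE_RISK: falls back to tactic
}

def base_risk(technique: str, role: str) -> str:
    """Risk before the observer action; an unlisted technique takes its tactic's risk."""
    entry = TECHNIQUE_RISK.get(technique) or TACTIC_RISK[TECHNIQUE_TACTIC[technique]]
    return entry[0] if role == "victim" else entry[1]

def event_risk(technique: str, role: str, raw_action: str) -> str:
    """Risk of one detection. A mitigated action lowered the threat, modelled
    here as dropping the level one step (assumed, not empow's exact rule)."""
    level = base_risk(technique, role)
    if normalize_action(raw_action) == "Mitigated":
        return LEVELS[max(LEVELS.index(level) - 1, 0)]
    return level

def entity_risk(events: list[tuple[str, str, str]]) -> str:
    """Entity risk is the highest risk over its (technique, role, action) events."""
    return max((event_risk(*e) for e in events), key=LEVELS.index, default="Low")
```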
Reputation
As SOC analysts, we aspire to classify all of our organization's files according to the probability of their being malicious. Since the number of files is usually high and rises every day, we should focus our efforts on those indicated to be suspicious.
The classification process should be as automated and clear as possible. empow determines file reputation by sending file hashes to a variety of reputation engines.
A reputation engine's response is one of three classifications: malicious, benign, or unknown.
- Malicious – The file has been previously inspected and discovered to be malicious. Usually, an additional description is appended.
- Benign – The file has been previously inspected and found to be trusted.
- Unknown – The file has not been inspected yet and its reputation is not determined.
In several cases, if the file was determined to be malicious, its reputation was updated just several hours after it was declared as ‘unknown’. It is advised to check the status regularly.
At empow, we allow the SOC analyst to classify files into 4 categories:
Category | Description |
---|---|
Malicious | The file is confirmed malicious. It is advised to take immediate action to contain the threat by preventing it from running or containing its spread through the network. This can be accomplished by adding its hash to the blacklists of the different cyber defense tools and to the signature database installed in the organization. |
Suspicious | Similar to 'Unknown', with the slight difference that the file was involved in a sequence of suspicious events. |
Benign | The file is confirmed trusted. It is up to the analyst's judgment whether to prevent additional false-positive results by adding its hash to the whitelists of the different cyber defense tools installed in the organization. |
Unknown | The file is yet to be confirmed malicious or trusted. It is advised to keep following its reputation occasionally. |
In this case (a file classified as Unknown), empow advises taking the following actions:
- Inspect the file using advanced inspection tools to determine whether it is malicious.
- Consider limiting the file's impact, through spreading or execution, by adding its hash to the blacklist.
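The reputation workflow described in this section, as an added example that is not empow's code: per-engine verdicts for a hash are folded into the four analyst categories, undetermined files are flagged for re-checking because an 'unknown' verdict can become 'malicious' hours later, and each category maps to the guidance in the table. The engine names, hashes, the 6-hour recheck interval and the "all known verdicts benign" rule are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

RECHECK_AFTER = timedelta(hours=6)   # assumed re-query interval for undetermined files

@dataclass
class EngineVerdict:
    engine: str
    verdict: str            # "malicious" | "benign" | "unknown", as the engine returned it
    description: str = ""   # engines usually append one for malicious files

@dataclass
class FileRecord:
    sha256: str                           # hash sent to the reputation engines
    verdicts: list[EngineVerdict] = field(default_factory=list)
    in_suspicious_sequence: bool = False  # file took part in a suspicious event sequence
    last_checked: Optional[datetime] = None

def classify(rec: FileRecord) -> str:
    """Fold engine verdicts into Malicious / Benign / Suspicious / Unknown."""
    known = {v.verdict for v in rec.verdicts} - {"unknown"}
    if "malicious" in known:
        return "Malicious"   # one confirmed-malicious verdict is enough to act on
    if known == {"benign"}:
        return "Benign"      # every engine that knows the file trusts it (assumption)
    # Not determined yet: Suspicious if seen in suspicious events, else Unknown.
    return "Suspicious" if rec.in_suspicious_sequence else "Unknown"

def mark_checked(rec: FileRecord, now: Optional[datetime] = None) -> None:
    rec.last_checked = now or datetime.now()

def needs_recheck(rec: FileRecord, now: Optional[datetime] = None) -> bool:
    """Undetermined files get re-queried: an 'unknown' file can turn
    'malicious' only hours after the first lookup."""
    if classify(rec) in ("Malicious", "Benign"):
        return False
    now = now or datetime.now()
    return rec.last_checked is None or now - rec.last_checked >= RECHECK_AFTER

def recommended_actions(rec: FileRecord) -> list[str]:
    """Analyst guidance per category, following the table above."""
    category = classify(rec)
    if category == "Malicious":
        return ["add hash to defense-tool blacklists and signature database"]
    if category == "Benign":
        return ["optionally whitelist hash to avoid false positives"]
    return ["inspect with advanced inspection tools", "consider blacklisting hash"]
```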