Detection scoring
Marcus Bakker edited this page Jul 8, 2019 · 6 revisions
DeTT&CT describes seven scores for detection, ranging from -1 to 5. A score will not always be a perfect fit; use the score that fits best. The scores are explained in two tables:
These scoring tables are also included in the following Excel file: scoring_table.xlsx.
Score | Score name | Description |
---|---|---|
-1 | None | No detection. |
0 | Forensics / context | No detection, but the technique is being logged for forensic purposes and can be used to provide context. |
1 | Basic | Detection is in place using a basic signature that detects a specific part (or parts) of the technique's procedures. Only a minimal number of aspects of the technique are covered, so the number of false negatives is high, and the false positive rate is possibly (but not necessarily) high as well. Detection is possibly not real time. |
2 | Fair | The detection no longer relies only on a basic signature but makes use of a (correlation) rule to cover more aspects of the technique's procedures. The number of false negatives is therefore lower compared to "1/Basic" but may still be significant. False positives may still be present. Detection is possibly not real time. |
3 | Good | Effective in detecting malicious use of the technique by making use of more complex analytics. Many known aspects of the technique's procedures are covered. Bypassing detection by means of evasion and obfuscation could be possible. False negatives are present. False positives may still be present but are easy to recognize and can possibly be filtered out. Detection is real time. |
4 | Very good | Very effective in detecting malicious use of the technique in real time by covering almost all known aspects of the technique's procedures. Bypassing detection by means of evasion and obfuscation methods is harder compared to level "3/good". The number of false negatives is low but could be present. False positives may still be present but are easy to recognize and can possibly be filtered out. |
5 | Excellent | Same level of detection as level "4/very good" with one exception: all known aspects of the technique's procedures are covered. Therefore, the number of false negatives is lower compared to level "4/very good". |
Score | Score name | Degree of detection | Timing | Coverage of the technique | Opportunities to bypass detection | False Negatives | False Positives |
---|---|---|---|---|---|---|---|
-1 | None | None | N/A | None | N/A | N/A | N/A |
0 | Forensics / context | None | Possibly not real time | None | N/A | N/A | N/A |
1 | Basic | Signature based | Possibly not real time | Small number of aspects of the technique | Bypassing (evasion/obfuscation) could be possible | High | Possibly high |
2 | Fair | (Correlation) rule(s) | Possibly not real time | More aspects of the technique compared to "1/Basic" | Bypassing (evasion/obfuscation) could be possible | Less high | May be present |
3 | Good | More complex analytics | Real time | Many known aspects of the technique | Bypassing (evasion/obfuscation) could be possible | Present | May be present but are easy to recognize and can possibly be filtered out. |
4 | Very good | More complex analytics | Real time | Almost all known aspects of the technique | Bypassing (evasion/obfuscation) is hard | Low | May be present but are easy to recognize and can possibly be filtered out. |
5 | Excellent | More complex analytics | Real time | All known aspects of the technique | Bypassing (evasion/obfuscation) is hard | Very low | May be present but are easy to recognize and can possibly be filtered out. |