Scoring Table

Detection scores

Score | Score name | Description
-1 | None | No detection.
0 | Forensics / context | No detection, but the technique is being logged for forensic purposes and can be used to provide context.
1 | Basic | Detection is in place using a basic signature to detect a specific part (or parts) of the technique's procedures. Therefore, only a minimal number of aspects of the technique are covered. Hence the number of false negatives is high and there is possibly (but not necessarily) a high false positive rate. Detection is possibly not real time.
2 | Fair | The detection no longer relies only on a basic signature but makes use of a (correlation) rule to cover more aspects of the technique's procedures. Therefore, the number of false negatives is lower compared to "1/Basic" but may still be significant. False positives may still be present. Detection is possibly not real time.
3 | Good | Effective in detecting malicious use of the technique by making use of more complex analytics. Many known aspects of the technique's procedures are covered. Bypassing detection by means of evasion and obfuscation could be possible. False negatives are present. False positives may still be present but are easy to recognize and can possibly be filtered out. Detection is real time.
4 | Very good | Very effective in detecting malicious use of the technique in real time by covering almost all known aspects of the technique's procedures. Bypassing detection by means of evasion and obfuscation methods is harder compared to level "3/Good". The number of false negatives is low, but they could be present. False positives may still be present but are easy to recognize and can possibly be filtered out.
5 | Excellent | Same level of detection as level "4/Very good" with one exception: all known aspects of the technique's procedures are covered. Therefore, the number of false negatives is lower compared to level "4/Very good".

Detection scores (summary)

Score | Score name | Degree of detection | Timing | Coverage of the technique | Opportunities to bypass detection | False negatives | False positives
-1 | None | None | N/A | None | N/A | N/A | N/A
0 | Forensics / context | None | Possibly not real time | None | N/A | N/A | N/A
1 | Basic | Signature based | Possibly not real time | Small number of aspects of the technique | Bypassing (evasion/obfuscation) could be possible | High | Possibly high
2 | Fair | (Correlation) rule(s) | Possibly not real time | More aspects of the technique compared to "1/Basic" | Bypassing (evasion/obfuscation) could be possible | Less high | May be present
3 | Good | More complex analytics | Real time | Many known aspects of the technique | Bypassing (evasion/obfuscation) could be possible | Present | May be present but are easy to recognize and can possibly be filtered out
4 | Very good | More complex analytics | Real time | Almost all known aspects of the technique | Bypassing (evasion/obfuscation) is hard | Low | May be present but are easy to recognize and can possibly be filtered out
5 | Excellent | More complex analytics | Real time | All known aspects of the technique | Bypassing (evasion/obfuscation) is hard | Very low | May be present but are easy to recognize and can possibly be filtered out

Visibility scores

Score | Score name | Description
0 | None | No visibility at all.
1 | Minimal | Sufficient data sources with sufficient quality available to be able to see one aspect of the technique's procedures.
2 | Medium | Sufficient data sources with sufficient quality available to be able to see more aspects of the technique's procedures compared to "1/Minimal".
3 | Good | Sufficient data sources with sufficient quality available to be able to see almost all known aspects of the technique's procedures.
4 | Excellent | All data sources and required data quality necessary to be able to see all known aspects of the technique's procedures are available.

Data sources - legend

Score | Score name | Description
0 | 0 | No data sources
1 | 1-25% | 1-25% of data sources available
2 | 26-50% | 26-50% of data sources available
3 | 51-75% | 51-75% of data sources available
 | 76-99% | 76-99% of data sources available
4 | 100% | 100% of data sources available


Data quality - dimensions

Dimension | Description | Questions | Example
Device completeness | Indicates if the required data is available for all devices. | When doing a hunting investigation, can we cover all devices/users that we need to? | We are missing event data for endpoints running an older version of Windows.
Data field completeness | Indicates to what degree the data has the required information/fields, and to what degree those fields contain data. | Are all the required data fields present in the event, and do they contain data to perform my investigation? | We have proxy logs, but the events do not contain the "Host" header.
Timeliness | Indicates when data is available, and how accurate the timestamps of the data are in relation to the actual time an event occurred. | Is the data available right away when we need it? Do the timestamps in the data represent the time the record was created or ingested? | We have a delay of 1-2 days to get the necessary data from all endpoints into the security data lake. Timestamps represent not the time an event occurred, but the ingestion time in the security data lake.
Consistency | Says something about the standardisation of data field names and types. | Can we correlate the events with other data sources? Can we run queries across all data sources using standard naming conventions for specific fields? | Field names within this data source are not in line with those of other data sources.
Retention | Indicates how long the data is stored compared to the desired data retention period. | For how long is the data available? How long do you want to keep the data? | Data is stored for 30 days, but we ideally want to have it for 1 year.

Data quality - scores

Score | Device completeness | Data field completeness | Timeliness | Consistency | Retention
0 - None | Do not know / not documented / not applicable | Do not know / not documented / not applicable | Do not know / not documented / not applicable | Do not know / not documented / not applicable | Do not know / not documented / not applicable
1 - Poor | Data source is available from 1-25% of the devices. | Required fields are available from 1-25%. | It takes a long time before the data is available. The timestamps in the data deviate much from the actual time events occurred. | 1-50% of the fields are standardized in name and type. | Data retention is within 1-25% of the desired period.
2 - Fair | Data source is available from 26-50% of the devices. | Required fields are available from 26-50%. |  |  | Data retention is within 26-50% of the desired period.
3 - Good | Data source is available from 51-75% of the devices. | Required fields are available from 51-75%. | It takes a while before the data is available, but this is acceptable. The timestamps in the data have a small deviation from the actual time events occurred. | 51-99% of the fields are standardized in name and type. | Data retention is within 51-75% of the desired period.
4 - Very good | Data source is available from 76-99% of the devices. | Required fields are available from 76-99%. |  |  | Data retention is within 76-99% of the desired period.
5 - Excellent | Data source is available for 100% of the devices. | Required fields are available for 100%. | The data is available right away. The timestamps in the data are 100% accurate. | 100% of the fields are standardized in name and type. | Data is stored for 100% of the desired retention period.
