Google Threat Intelligence Indicator Score

Our threat scoring system is designed to help SecOps teams prioritize the most significant security threats. We calculate threat scores for various entities, including files, domains, IP addresses, and URLs. This document will explain the logic behind our scoring system and provide guidance on interpreting those scores.

The Google Threat Intelligence scoring system helps customers quickly prioritize and address potential security risks in their environment. The Google Threat Intelligence Score is a numeric representation of the likely impact a particular indicator (file, domain, IP address, or URL) may have if detected in an environment. Our scoring system leverages a wealth of threat intelligence data and codifies the expertise of Mandiant threat analysts to derive a score from 0 to 100.

How the Google Threat Intelligence Score is Derived

The Google Threat Intelligence score is a function of the Verdict and Severity, and leverages additional internal factors to generate the score.

Scoring Logic

Our threat scoring system has two key components:

  • Verdict: Determines the likelihood that the entity is malicious. Possible verdicts include:

    • Malicious: High confidence that the entity poses a threat.
    • Suspicious: Possible malicious activity detected; requires further investigation.
    • Undetected: No immediate evidence of malicious intent.
    • Benign: The entity is considered harmless.
  • Severity: If the verdict is not "benign", this assesses the potential impact of the malicious entity. Possible severity levels include:

    • High: Immediate action is recommended; the threat could have a critical impact.
    • Medium: Indicates a potential threat that warrants attention.
    • Low: The threat likely has a minor impact but should still be monitored.

How Threat Scores are Determined

Threat scores are determined by a comprehensive set of factors which are expanding and evolving. The exact score and weighting depend on whether we're assessing a file, domain, IP address, or URL.

File Coverage

  • Verdict

    • The file is ruled Malicious if it has been detected by trusted threat intelligence sources (Mandiant, Google, etc.).
    • The file is ruled Benign if it is explicitly classified as legitimate by Google Threat Intelligence.
  • Severity

    • Severity can be None if the verdict is "benign", or if the verdict is not malicious and there is no supporting evidence.
    • Low severity examples: adware, potentially unwanted applications (PUA), cryptominers, spam, fake antivirus.
    • Medium severity examples: files linked to financial threat intelligence sources, specific detection names indicating exploits, rootkits, or hack tools.
    • High severity examples: files linked to known malware or ransomware threats, or files exhibiting ransomware-like behavior based on antivirus detection patterns.

Domain Coverage

  • Verdict

    • A domain is ruled Benign if its popularity is high (top 10,000) or if it is explicitly excluded by Mandiant.
    • A domain is ruled Malicious if it's rated highly malicious by Mandiant analytics or Google SafeBrowsing.
    • Suspicious verdicts occur when scores are above a threshold but lower than conclusive malicious ratings.
    • Several other factors can influence the verdict, including indications of domain hijacking.
  • Severity

    • Severity is initially None if the verdict is "benign."
    • Severity depends on factors like category (adware, ransomware), threat intelligence sources, and indicators in downloaded and related files.

IP Address Coverage

  • Verdict and Severity follow a logic structure very similar to Domain Coverage, adjusting for the specific factors relevant to IP addresses.

URL Coverage

  • Verdict and Severity logic is also similar to Domains and IP Addresses, tailored for the unique properties of URLs.

Key Contributing Factors

Our threat scoring system takes the following factors into account (among others):

  • Number of detections
  • Specific detection keywords
  • Presence on reputable threat intelligence lists
  • Classification categories (virus, ransomware, spam, etc.)
  • Evidence of suspicious behavior in sandbox environments
  • Links to known malicious files or threat infrastructure
  • Domain reputation and popularity
  • Safe browsing classifications (Google SafeBrowsing)
  • Attributions (Actors, Malware, Campaigns, Collections, etc.)

Customer Guidance

Security teams should prioritize entities with "Malicious" verdicts and "High" severity scores. We recommend further investigation of "Suspicious" verdicts and careful monitoring of all entities with severity scores greater than "None."

Key points

  • The Google Threat Intelligence Score is designed to reflect the potential impact of a threat. Higher scores indicate a greater risk to your environment, but risk can only be assessed by using customer-derived factors.
  • The verdict and severity classifications are the primary drivers of the Google Threat Intelligence Score.
  • Specific categories, threat intelligence sources, and analyst expertise all contribute to the final score.
  • The score is updated if a new scan is requested or as new factors affecting the scoring are observed.
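
The Customer Guidance and the first key point above can be turned into a triage queue. The following is an added example, not Google Threat Intelligence code: the `Indicator` record shape, the tier names, the `asset_criticality` weighting and the grouping of Malicious verdicts below High severity under "investigate" are assumptions made for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass

VERDICTS = {"malicious", "suspicious", "undetected", "benign"}   # labels from this page
SEVERITIES = {"high", "medium", "low", "none"}
TIERS = ["prioritize", "investigate", "monitor", "review-data", "no-action"]

@dataclass
class Indicator:                  # hypothetical record shape, not a product API object
    value: str
    verdict: str
    severity: str
    score: int                    # Google Threat Intelligence Score, 0 to 100
    asset_criticality: int = 1    # customer-derived factor; the 1..3 scale is assumed

def triage_action(ind: Indicator) -> str:
    """Map verdict and severity to a tier from the Customer Guidance section."""
    v, s = ind.verdict.lower(), ind.severity.lower()
    if v not in VERDICTS or s not in SEVERITIES or not 0 <= ind.score <= 100:
        return "review-data"      # unknown label or out-of-range score
    if v == "benign":
        # Severity is only assessed for non-benign verdicts, so anything but None is inconsistent.
        return "no-action" if s == "none" else "review-data"
    if v == "malicious" and s == "high":
        return "prioritize"
    if v in ("malicious", "suspicious"):
        return "investigate"      # assumption: malicious below High is grouped here
    return "monitor" if s != "none" else "no-action"

def build_queue(indicators):
    """Order by tier, then by score weighted with the customer-derived factor."""
    return sorted(indicators, key=lambda i: (TIERS.index(triage_action(i)),
                                             -i.score * i.asset_criticality))

# Constructed sample records (reserved example names, no real indicators).
SAMPLES = [
    Indicator("popular.example", "Benign", "None", 0),
    Indicator("pua-file-placeholder", "Undetected", "Low", 20),
    Indicator("odd.example", "Suspicious", "Medium", 55),
    Indicator("bad.example", "Malicious", "High", 95),
    Indicator("198.51.100.7", "Malicious", "High", 80, asset_criticality=3),
    Indicator("inconsistent.example", "Benign", "High", 70),
]

if __name__ == "__main__":
    for ind in build_queue(SAMPLES):
        print(f"{triage_action(ind):12} {ind.value}")
```

Within the "prioritize" tier the lower-scored IP address sorts ahead of the higher-scored domain because it was seen on a more critical asset, which is the kind of local context the score alone does not carry.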