Indicator summary by hash
Hi!
We're a few months into testing TDR on our systems. A few days ago, we started the rollout on our student PC pools (30-40 hosts each). Whenever a software update trips the heuristics on the host sensor, at least 2-4 indicators are created per host, but most of them have the same hash. With >800 indicators that have to be dealt with, the one indicator that might be a real threat flies under the radar and might even be disregarded along with all the false positives. Of course this will only get worse the more clients we add. A view-by-hash or view-by-threat feature that lists the active hashes of the indicators, the number of affected clients, if possible the filename or folder of the indicator, and the threat information would make identifying real threats much easier. Adding to that, if you identified an identical false-positive indicator that was generated on hundreds of hosts, disregarding these indicators or allowing the hashes all at once would also be much easier. Maybe you could even add an automatic filter by hash to the existing indicator list when you click on a specific hash in this new list.
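The view-by-hash triage the post asks for, as an added example (this is not code from the original post, from TDR, or from WatchGuard): a Python script that collapses a flat indicator list into one summary row per hash, ranks hashes by how many hosts they touch, and separates pool-wide "same file everywhere" hashes (allowlist candidates) from hashes confined to one or two hosts (the ones that get lost in the flat list). The row layout (host, sha256, path, score), the field names, and the sample pool are all constructed assumptions for the example, not the TDR export format or real hashes.

```python
"""Group endpoint indicators by file hash so that one noisy hash seen on
every host in a pool can be handled once, and the rare hash stands out."""
import hashlib
from dataclasses import dataclass, field

# Constructed placeholder hashes (not real vendor or malware hashes).
UPDATER_HASH = hashlib.sha256(b"constructed: vendor updater.exe").hexdigest()
HELPER_HASH = hashlib.sha256(b"constructed: vendor helper.dll").hexdigest()
ODD_HASH = hashlib.sha256(b"constructed: unknown temp binary").hexdigest()


def build_sample(n_hosts=30):
    """Constructed sample export for one PC pool. The row layout
    (host, sha256, path, score) is an assumption, not the TDR export format."""
    rows = []
    for i in range(1, n_hosts + 1):
        host = f"pool1-pc{i:02d}"
        # A software update trips the heuristics: several indicators per
        # host, most of them carrying the same hash.
        rows.append((host, UPDATER_HASH, r"C:\Program Files\Vendor\updater.exe", "Suspicious"))
        rows.append((host, UPDATER_HASH, r"C:\Program Files\Vendor\updater.exe", "Suspicious"))
        rows.append((host, HELPER_HASH, r"C:\Program Files\Vendor\helper.dll", "Suspicious"))
    # One host has a file that nobody else in the pool has.
    rows.append(("pool1-pc17", ODD_HASH,
                 r"C:\Users\student\AppData\Local\Temp\svch0st.exe", "Potentially Malicious"))
    return rows


@dataclass
class HashSummary:
    sha256: str
    hosts: set = field(default_factory=set)
    paths: set = field(default_factory=set)
    scores: set = field(default_factory=set)
    indicator_count: int = 0


def summarize_by_hash(rows):
    """One HashSummary per distinct hash: affected hosts, paths, scores, row count."""
    summary = {}
    for host, sha256, path, score in rows:
        s = summary.setdefault(sha256, HashSummary(sha256))
        s.hosts.add(host)
        s.paths.add(path)
        s.scores.add(score)
        s.indicator_count += 1
    return summary


def ranked(summary):
    """Most widespread hash first; ties broken by indicator count, then by hash."""
    return sorted(summary.values(),
                  key=lambda s: (-len(s.hosts), -s.indicator_count, s.sha256))


def filter_by_hash(rows, sha256):
    """The per-indicator list narrowed to one hash (the click-through the post suggests)."""
    return [r for r in rows if r[1] == sha256]


def allowlist_candidates(summary, min_hosts=20):
    """Hashes seen on many hosts under exactly one path, which is what a pool-wide
    rollout looks like. Candidates only: an analyst still confirms before allowing."""
    return [s.sha256 for s in ranked(summary)
            if len(s.hosts) >= min_hosts and len(s.paths) == 1]


def needs_review(summary, max_hosts=2):
    """Hashes confined to a few hosts: the ones that drown in the flat list."""
    return [s.sha256 for s in ranked(summary) if len(s.hosts) <= max_hosts]


def report_lines(summary):
    """Human-readable view-by-hash table, one line per hash."""
    return [
        f"{s.sha256[:12]}  hosts={len(s.hosts):3d}  indicators={s.indicator_count:3d}  "
        f"scores={'/'.join(sorted(s.scores))}  paths={'; '.join(sorted(s.paths))}"
        for s in ranked(summary)
    ]


if __name__ == "__main__":
    rows = build_sample()
    summary = summarize_by_hash(rows)
    print(f"{len(rows)} indicators collapse to {len(summary)} hashes")
    print("\n".join(report_lines(summary)))
    print("allowlist candidates:", [h[:12] for h in allowlist_candidates(summary)])
    print("needs review:", [h[:12] for h in needs_review(summary)])
```

On the constructed pool, 91 indicator rows collapse to three hashes: the two update-related hashes sit on all 30 hosts under a single path each and come out as allowlist candidates, while the one file present on a single host is the only entry in the review list. The same grouping applied to a real export is what makes "allow this hash once" and "look at this one host" practical at the scale the post describes.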
Comments
Good morning hfwu! First, thank you for the feedback. I will do some research to see if those reporting methods you suggest are viable. For a bit of background, I will explain our scoring system in the hopes of helping clear things up.
TDR has a scoring scale to show items that are Suspicious, Potentially Malicious, and Absolutely Malicious.
Any indicator colored Red is Absolutely Malicious. Without changing any policy other than setting the Cybercon level to 3, those items will be remediated automatically and immediately.
Any indicator colored Orange is Potentially Malicious. These are items you may want to double-check manually to ensure they are legitimate. They can be remediated automatically if the Cybercon is set to 2, but we don't recommend that under normal circumstances.
Any indicator colored Yellow is Suspicious. In our experience, they have characteristics that can be malicious, but we don't have corroborating threat intelligence that they are. We leave them at this Yellow score while we corroborate with Threat Intelligence and cloud sandboxing. Over time these yellow indicators will at some point be determined to be either malicious or benign. Until then, these should just be considered unclassified rather than false positives. If an indicator is left in this yellow state for an extended period of time, I would say it is not worth analyzing; let the 30-day aging period remove the indicator from the dashboard.
I hope this helps!
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.
Ricardo, what does WatchGuard recommend as a best-practice setting for the CyberCon level?
Gregg Hill
Good morning Gregg. We recommend keeping the Cybercon level at 3 when using the default policies. If you add custom policies, then the Cybercon level is your choice.
Ricardo Arroyo | Principal Product Manager / ThreatSync Guru
WatchGuard Technologies, Inc.