BlueDog - Severity & Risk Levels

Below is an explanation of BlueDog's severity and risk levels. This information can also be downloaded as a document.

SEVERITY LEVELS - MONITORING

CRITICAL

Emergency Situation – Active Cyber Attack
Evidence of an attacker operating from an escalated account (e.g. admin), or of malware or attack behaviour on a high-value host such as a Domain Controller; multiple machines displaying attack behaviour; data exfiltration. Poses an imminent or critical threat to the infrastructure or organisation.

SEVERE

Immediate functional impact
Successful unauthorized logins, manual malicious commands being run on a host (signifying an active, persistent threat), or multiple machines displaying similar attack evidence. Likely to result in significant impact to the organisation.

HIGH

High Possibility of Functional Impact
Credential loss due to phishing, verified malware execution on one or more hosts, or detection of unauthorized program tasks or user activities. Likely to result in demonstrable impact to the organisation.

MEDIUM

Moderate Possibility of Functional Impact
Malware quarantined or blocked, suspicious email(s) quarantined, suspicious inbound/outbound connections blocked, or evidence of suspicious sign-in attempts/failures. May impact the organisation.

LOW

Slight possibility of functional impact
Vulnerable services or other security risks discovered. Unlikely to immediately impact the organisation.

RISK LEVELS - VAPT

There are five risk levels. When assessing the issues found, the following categories were used to indicate the impact of each issue:

LEVEL 5 : CRITICAL RISK

The Critical level is used for issues that:
  1. give an attacker complete control over a system from a remote location
  2. give an attacker full access to (business) critical data
  3. permanently damage availability after the attack, without any conditions having to be met
Characteristics of issues at this level are:
  1. an attacker does not need any (special) rights to carry out the attack
  2. an attacker does not need (specific) knowledge of the system or users
  3. an attacker does not have to convince users (for example by social engineering) to act for the attack to succeed
  4. exploits and tooling are publicly available
Issues at this level can be exploited automatically, for example by worms and tooling. Examples of such issues are attacks that can be used to remotely execute code on the system, SQL injection and persistent cross-site scripting that do not require authentication, and Denial of Service attacks with a lasting effect.

LEVEL 4 : HIGH RISK

Issues in the High category are problems that:
  1. give an attacker complete control over a system from a remote location
  2. give an attacker full access to (business) critical data
  3. permanently damage availability after the attack, but where at least one of the following conditions must be met:
    1. an attacker needs (special) rights to perform the attack (e.g. an account or access to the internal network)
    2. an attacker needs specific knowledge of the system or users (for example, a non-standard configuration or knowledge of an application)
    3. an attacker must convince a user (for example, through social engineering) to act for the attack to succeed
    4. exploits and tooling are not publicly available and have to be developed by the attacker
Issues at this level can be exploited in a targeted attack on employees or by (internal) users who have specific knowledge of the system. Examples are the ability to access administrator functionality as a standard user (vertical privilege escalation), SQL injection and persistent cross-site scripting where authentication is required, being able to access company- or system-critical information that should not normally be accessible to the user, and Denial of Service attacks with lasting effect that can only be executed from the internal network.

LEVEL 3 : MEDIUM RISK

Issues in the Medium category are problems that:
  1. only give an attacker control over a system
  2. only give an attacker partial access to (business) critical data
  3. only affect availability during the attack, and for which one of the following conditions must be met:
    1. an attacker needs (special) rights to perform the attack (e.g. an account or access to the internal network)
    2. an attacker needs specific knowledge of the system or users (for example, a non-standard configuration or knowledge of an application)
    3. an attacker must convince a user (for example, through social engineering) to take action for the attacker
    4. exploits and tooling are not publicly available
Issues at this level can be exploited in a targeted attack on employees or by (internal) users who have specific knowledge of the system. Examples are being able to access functionality belonging to other users (horizontal privilege escalation), reflected cross-site scripting attacks, or partially accessing business- or system-critical information that should normally not be accessible to the user.

LEVEL 2 : LOW RISK

Issues in the Low category are problems that are very difficult to abuse, or whose effects have a low impact on the system or business. Examples are attacks that can only be executed if an attacker has direct access to a system, or attacks that have minimal impact on availability during the attack.

LEVEL 1 : INFORMATIONAL

The Informational level is used for issues that cannot be directly exploited but can help an attacker to plan or execute a follow-up attack.

In addition, a sixth category is used in the report:

LEVEL 0 : POSITIVE

This level is used for findings during the test where a control actively prevented an attempt, and which therefore make a positive contribution to the overall security of the system.
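The six VAPT levels above form a decision procedure: impact (full, partial, minimal, none) combined with whether any of the four preconditions applies. The following Python is an added example written for this page, not BlueDog tooling or code from the original article; the Finding fields, the sample findings and the LEVEL_NAMES table are this example's own constructions. One point the page leaves open is labelled as an assumption in the code: a partial-impact issue with no precondition at all is rated Medium here.

```python
from dataclasses import dataclass

# Impact categories taken from the BlueDog VAPT level descriptions.
FULL = "full"        # complete control, full access to critical data, or permanent loss of availability
PARTIAL = "partial"  # partial data access, or availability affected only during the attack
MINIMAL = "minimal"  # low impact on the system or business (Level 2)
NONE = "none"        # not directly exploitable (Level 1)

LEVEL_NAMES = {5: "CRITICAL RISK", 4: "HIGH RISK", 3: "MEDIUM RISK",
               2: "LOW RISK", 1: "INFORMATIONAL", 0: "POSITIVE"}


@dataclass
class Finding:
    """One VAPT finding. Field names are this example's own, not BlueDog's."""
    title: str
    impact: str                       # FULL, PARTIAL, MINIMAL or NONE
    needs_rights: bool = False        # attacker needs an account or internal network access
    needs_knowledge: bool = False     # attacker needs specific knowledge of the system or users
    needs_user_action: bool = False   # attacker must convince a user to act
    public_exploit: bool = True       # exploits and tooling are publicly available
    direct_access_only: bool = False  # attack only possible with direct access to the system
    positive: bool = False            # a control that actively prevented an attempt (Level 0)


def preconditions(f: Finding) -> list:
    """Return the Level 4 / Level 3 preconditions that apply to this finding."""
    conds = []
    if f.needs_rights:
        conds.append("special rights required")
    if f.needs_knowledge:
        conds.append("specific knowledge required")
    if f.needs_user_action:
        conds.append("user interaction required")
    if not f.public_exploit:
        conds.append("no public exploit or tooling")
    return conds


def risk_level(f: Finding) -> int:
    """Map a finding to BlueDog VAPT Level 0..5 following the page's definitions."""
    if f.positive:
        return 0                    # LEVEL 0: POSITIVE
    if f.impact == NONE:
        return 1                    # LEVEL 1: INFORMATIONAL, not directly exploitable
    if f.impact == MINIMAL or f.direct_access_only:
        return 2                    # LEVEL 2: LOW, very hard to abuse or low impact
    conds = preconditions(f)
    if f.impact == FULL:
        # LEVEL 5 requires none of the preconditions; any single one drops it to LEVEL 4.
        return 5 if not conds else 4
    # PARTIAL impact. The page defines Medium with a precondition present; this
    # example's assumption: partial impact with no precondition is also Medium.
    return 3


def triage(findings):
    """Return (level, level name, title) tuples, highest risk first."""
    rated = [(risk_level(f), LEVEL_NAMES[risk_level(f)], f.title) for f in findings]
    return sorted(rated, key=lambda t: -t[0])


# Constructed sample findings for illustration only (not from a real assessment).
SAMPLE_FINDINGS = [
    Finding("Unauthenticated remote code execution in upload handler", FULL),
    Finding("SQL injection in authenticated search", FULL, needs_rights=True),
    Finding("Reflected cross-site scripting in error page", PARTIAL, needs_user_action=True),
    Finding("Local console access allows configuration dump", FULL, direct_access_only=True),
    Finding("Server version disclosed in HTTP response header", NONE),
    Finding("Web application firewall blocked injection attempts during test", FULL, positive=True),
]

if __name__ == "__main__":
    for level, name, title in triage(SAMPLE_FINDINGS):
        print(f"LEVEL {level} : {name:<14} {title}")
```

Running the block prints the sample findings from Level 5 down to Level 0. The precedence in risk_level mirrors the page: a positive finding is always Level 0, an issue that cannot be exploited is Level 1, and an issue that needs direct access is Low even when its theoretical impact is full.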
