RiskVision attack stage definitions
Incidents | TRITON RiskVision | v2.1 | 02-Jun-2016
Most of the attack stages correspond to the Forcepoint Security Labs 7 stages of advanced threats. These are:

* Recon: content explicitly used for reconnaissance with malicious intent (threat stage 1)
* Lure: content that lures the user and starts the infection chain (threat stage 2)
* Phishing: a page that attempts to use social engineering for phishing purposes
* Fraud: a page that attempts to use social engineering to defraud the user
* Black SEO: a compromised web page that contains links that are used for black hat SEO. Black hat SEO encompasses various methodologies that attempt to raise websites in search engine rankings in violation of search engines' terms of service.
* Unsolicited Content: content that is not malicious but was delivered in an unsolicited way (coming through email spam or web spam)
* Installer Page: a web page that uses a social engineering trick to install malicious or unwanted software on the user's computer
* Defacement: a compromised web page that was defaced and doesn't serve malicious content
* Hack Tool: a web page that allows the user to download or use a tool that can be used for malicious or illegal purposes
* Redirection: a URL or host that represents a connection point between the lure and the exploit page or other payload (threat stage 3)
* Exploit: malicious content that serves obfuscated or non-obfuscated exploits (threat stage 4)
* Exploit Kit: malicious content that is part of an exploit kit (a toolkit that automates vulnerability exploitation) that serves obfuscated or non-obfuscated exploits (threat stage 4)
* Dropper File: traffic associated with a malicious or unwanted file that is downloaded to the victim's machine after either a successful exploit attempt or a successful social engineering trick (threat stage 5)
* Call Home: traffic originating from malicious software to command and control servers, requesting instructions, updates, and new malware to expand the attack footprint (threat stage 6)
* Backchannel Traffic: traffic that originates from a file that is malicious or unwanted (threat stage 6)
* Data Theft: content that contains stolen data (threat stage 7)
Some threats don't correspond to a single stage in the kill chain. For threat-related behaviors that go beyond a single stage, there are the following additional attack stage values:

* Obfuscation: obfuscated web content that fits different threat stages once the obfuscation is removed.
* Evasion: web pages that are used to evade a proxy (goes with the Proxy Avoidance category).
* Detection Test: test web pages designed to test the detection capability of a product deployment (e.g., EICAR files or the Forcepoint test portal).
* Threat: used as a generic reason code for malicious content that does not fit a more specific threat type, or has not yet been assigned another reason code.
Finally, there are files and behaviors categorized as malicious because of their reputation. For these, the following attack stage values are used:

* Suspicious Script: a script with suspicious traits that could be malicious or unwanted.
* Suspicious Iframe: an iframe with suspicious traits that could be malicious or unwanted.
* Risk: a page with suspicious artifacts that may be malicious or unwanted. Used as a generic reason code for content deemed suspicious based on reputation.
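As an added example (not Forcepoint code), the following triage helper shows how the three groups of attack stage values above can be used in practice: kill-chain stages are mapped to their stage numbers, multi-stage and reputation values are kept aside for separate review, and each host is summarized by how far the chain progressed. The incident records and their field names are constructed for this example; RiskVision's real export format is not assumed.

```python
"""Triage helper built on the RiskVision attack stage values listed above.

Added example, not Forcepoint code. Hosts with post-exploitation evidence
(stage 5 or later) are put first in the review order; hosts that only
produced Detection Test traffic go last.
"""
from collections import defaultdict

# Kill-chain stage number for each attack stage value defined on this page.
KILL_CHAIN_STAGE = {
    "Recon": 1,
    "Lure": 2, "Phishing": 2, "Fraud": 2, "Black SEO": 2,
    "Unsolicited Content": 2, "Installer Page": 2, "Defacement": 2,
    "Hack Tool": 2,
    "Redirection": 3,
    "Exploit": 4, "Exploit Kit": 4,
    "Dropper File": 5,
    "Call Home": 6, "Backchannel Traffic": 6,
    "Data Theft": 7,
}
# Values that span stages, and reputation-based values, carry no stage number.
MULTI_STAGE = {"Obfuscation", "Evasion", "Detection Test", "Threat"}
REPUTATION = {"Suspicious Script", "Suspicious Iframe", "Risk"}

SAMPLE_INCIDENTS = [  # constructed sample records, not real RiskVision output
    {"time": "10:00", "host": "10.0.0.5", "attack_stage": "Phishing"},
    {"time": "10:01", "host": "10.0.0.5", "attack_stage": "Redirection"},
    {"time": "10:01", "host": "10.0.0.5", "attack_stage": "Exploit Kit"},
    {"time": "10:02", "host": "10.0.0.5", "attack_stage": "Dropper File"},
    {"time": "10:30", "host": "10.0.0.5", "attack_stage": "Call Home"},
    {"time": "11:00", "host": "10.0.0.9", "attack_stage": "Suspicious Iframe"},
    {"time": "11:05", "host": "10.0.0.9", "attack_stage": "Fraud"},
    {"time": "12:00", "host": "10.0.0.7", "attack_stage": "Detection Test"},
]

def summarize(incidents):
    """Per host: ordered kill-chain stages seen, furthest stage, whether
    post-exploitation traffic appeared, and non-stage labels to review."""
    hosts = defaultdict(lambda: {"chain": [], "other": []})
    for inc in sorted(incidents, key=lambda i: i["time"]):  # stable sort keeps log order for ties
        label = inc["attack_stage"]
        if label in KILL_CHAIN_STAGE:
            hosts[inc["host"]]["chain"].append(KILL_CHAIN_STAGE[label])
        elif label in MULTI_STAGE or label in REPUTATION:
            hosts[inc["host"]]["other"].append(label)
        else:
            raise ValueError(f"unknown attack stage: {label!r}")  # fail loudly on unexpected labels
    for h in hosts.values():
        h["furthest"] = max(h["chain"], default=0)
        h["post_exploit"] = h["furthest"] >= 5
        h["test_only"] = not h["chain"] and set(h["other"]) == {"Detection Test"}
    return dict(hosts)

def review_order(summary):
    """Hosts with the most advanced chain first; test-only hosts last."""
    return sorted(summary, key=lambda h: (summary[h]["test_only"], -summary[h]["furthest"]))
```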

Copyright 2016 Forcepoint LLC. All rights reserved.