scoutPRIME - Product FAQs

Answers to customers' most frequently asked questions.

Written by Benjamin Dewey
Updated over a week ago

At LookingGlass Cyber we want to make sure you get answers to important product questions so you can use scoutPRIME as efficiently and effectively as possible.

Below are frequently asked questions from customers about scoutPRIME features and functionalities. We hope that this information can help you accomplish your security goals and mission.

Feel free to also submit your questions at [email protected].



TIC and TIC Score FAQs

Q. What is TIC?

A. The Threat Indicator Confidence (TIC) Score is a comprehensive, multi-dimensional score that measures the likelihood that a network element has been compromised, is vulnerable to compromise, or is a likely target for future compromise. The algorithm for TIC factors network proximity, multi-source corroboration, impact of compromise, and time of observed compromise.

This powerful algorithm by design brings together multiple dimensions of analysis into a single score from 0-100. Factors include:

  • Trustworthiness of the intelligence source

  • Risk and presence of compromise

  • Impact of compromise

  • Class of compromise

  • Network relationship to compromise

  • Corroboration of observation

  • Volume of compromises

  • Time since observed compromise

Using the TIC score, and any associated intelligence that goes with it, can help you better analyze risk.

scoutPRIME provides a TIC Score for:

  • Elements (IPs, FQDNs, CIDRs, and ASNs)

  • Overall collection health

  • Threats

  • Vulnerabilities


Q. How is TIC derived?

A. Each network element, collection, threat, and vulnerability is assigned a system-generated TIC score. Scores are calculated differently for each (refer to the table below).

Type: Score Calculation Summary

  • IPv4, IPv6: Composite score based on all associated ASNs, FQDNs, Threats, and Vulnerabilities

  • FQDN: Composite score based on all associated ASNs, IPs, Threats, and Vulnerabilities

  • ASN: Composite score based on all associated CIDRs, IPs, FQDNs, Threats, and Vulnerabilities

  • CIDRs: Composite score based on all associated ASNs, IPs, FQDNs, Threats, and Vulnerabilities

  • Threats: Composite score based on the source, criticality, and classification

  • Vulnerability: Composite score based on the source, criticality, and classification

  • Collections: Composite score based on all elements in the collection, including associated IP addresses (v4 and v6), CIDRs, ASNs, FQDNs, Threats, and Vulnerabilities


Q. Why do TIC scores fluctuate?

A. TIC scores can increase when the system ingests new observed threat data, from our many sources, that is associated with elements, threats, and vulnerabilities. scoutPRIME uses a sophisticated algorithm to sum up that risk into a single numeric value.

After two weeks, associations that are deemed inactive become Historical. This changes the TIC score; otherwise the score remains constant.


Q. What are the TIC levels?

A. The system assigns scores ranging from 1-100 that categorize the current threat risks associated with various system elements. Higher numeric values indicate a greater threat potential.

Severity: Range

  • Default: Score 10

  • Critical: Score 75-100

  • Elevated: Score 50-74

  • Normal: Score 1-49

Assigning a Score of Zero

When a score of zero is assigned to a threat, this tells the system not to include it in the calculations or the composite score. To have the system ignore a threat, set its Criticality property to zero; the threat then no longer influences any elements automatically.


Q. Why is "10" the base score?

A. The default TIC score is 10. Scores greater than 10 indicate increasing levels of risk.

Scores below 10 indicate positive assertions of risk reduction due to mitigation actions taken. There are currently no data sources providing a TIC score less than 10.

A score of 10 also means that the system hasn't registered anything necessarily positive or negative about the element, collection, etc.


Threats & Vulnerabilities FAQs

Q. Does scoutPRIME have active threats and historical threats, or just active ones?

A. scoutPRIME has historical and active threats. If you go to a specific element you can view historical threats for that element. Searching works for active threats, but you can include historical details using the API.

For more on this, click here.


Q. How long does the system keep historical threats?

A. The default retention period is six months.


Q. Which data objects are available in scoutPRIME?

A. scoutPRIME's rich data includes the following types of objects/digital assets and elements:

  • IP addresses (v4 and v6)

  • FQDNs

  • CIDRs (v4 and v6)

  • DNS records

  • WHOIS information

  • File hashes

  • Threats

  • Vulnerabilities

  • Owners

  • Countries

  • GeoLocations

  • Enumeration details

  • Security Certificates

  • Notes


Data/Data Feeds FAQs

Q. How often do data feeds update?

A. We collect a vast set of proprietary, commercial, and open source data sets on a continuous basis. While each data set is unique, the underlying data will typically update within a day.


Q. What types of metadata are in scoutPRIME?

A. The volume and set of metadata is massive. Here’s a sampling of common metadata:

  • First and last seen date

  • DNS history

  • WHOIS details

  • GeoLocations

  • File hashes

  • Product information (if applicable)

  • Host enumeration

  • Ownership details

  • Notes


Q. In what format(s) can I access and export the data?

A. Comma-separated values (CSV) and JSON. You can also create reports, which generate PDF files.


Q. Is the data mapped in some industry standard, such as MITRE ATT&CK or Lockheed Martin Kill Chain or some other industry standard?

A. scoutPRIME data can be transformed into STIX v1.x, v2.x, or MITRE ATT&CK. If you are interested, please reach out to our customer services team at


Q. Is the data available via a TAXII server?

A. Currently, LookingGlass is exploring making data available through a TAXII server to customers. For more information about this please contact,


Collections FAQs

Q. What is a collection?

A. A collection is a set of elements that defines the attack surface of an organization, entity, or system, along with any additional information that may be available.


The elements that may be included in a collection are:

  • Owners

  • ASNs

  • CIDRv4, CIDRv6

  • FQDNs

  • IPv4 and IPv6 addresses

For more about Collections, click here.

You may also find our Key Terms article useful, click here.


Q. How do I build a collection?

A. You can build an "empty" collection (without doing a search first), or you can build a collection from search results. You can also create nested collections (children collections).

For a complete workflow on how to build an empty collection, click here.

For a complete workflow on how to build a collection from search results, click here.


Q. What are nested collections?

A. Nested collections are "children collections" belonging to a "parent" or main collection and can be very useful for organizing or categorizing your data into sub groups. You can nest up to three children collections.

In addition, parent collections with children have a more accurate TIC score. This is because scores "aggregate up" in a collection, meaning that the scores of children collections help derive the score of the parent collection.

For a workflow on how to create nested collections, click here.


Q. What are the recommended best practices for building a collection?

A. The recommended best practices are:

  • Give your collection a clear, specific name to help you identify it. Avoid using names like "Collection One," "Collection from yesterday," etc.

  • Give your collection a description so that you or others in your team can know and understand what it is.

  • Set up notifications for each collection so that you can spot and keep track of any suspicious activity. For information on how to set up notifications, click here.

  • Take advantage of using nested collections if it will help keep your work more organized.


Q. How do I know how “complete” my collection is? (“Did I get everything?”)

A. Some techniques for ensuring you have a complete collection include:

  • Favor owners. Owner elements are dynamic and pull all of the owner's CIDRs and IPs into the collection.

  • Review DNS records on owned assets.

  • Check the organization's primary domains.

  • Run owner-based searches to find additional owned assets.

  • Check with the organization in question (where applicable).

  • Ensure you have collection groups in workspaces. Each workspace should have its own clear purpose and mission.


Using scoutPRIME FAQs

Q. What can I search for in the Search bar?

A. You can do many types of powerful searches in scoutPRIME and get back lots of enriched data.

Below are descriptions of what each of the four filters in the Search bar's drop-down menu can help you find:

  • All - Allows you to conduct a standard search for an online asset/element. You can search by domain name (FQDN), IP address (IPV4 or IPV6), CIDR4 and CIDR6, ASN, and Owner.

  • Map - Allows you to see the geolocation(s) of the online asset.

  • Reverse Whois - Allows you to search for domains by the name, address, telephone number, email address or geolocation of the registrant listed in current or historical Whois records.

  • Associated Risks - Lists any Threats and Vulnerabilities associated with an online asset/element.

To learn more about using scoutPRIME's search features, click here.


Q. What are common workflows?

A. The scoutPRIME User Documentation provides several common workflows that guide you through many important tasks.

One of the most common workflows on scoutPRIME is on how to create a collection - click here to learn more.

Another workflow is on how to create notifications or alerts for your collections - click here to learn more.

If you are looking for a workflow on how to conduct a search, you can find it here.

You can browse through the user documentation for more workflows and other helpful steps to maximize your use of scoutPRIME's powerful features.


Q. What are typical/standard use-cases of scoutPRIME?

A. scoutPRIME is widely used by customers to monitor the digital assets of their organization and/or vendors in their supply chain.

The platform's enriched data can inform analysts about potential cyber hazards and threats and vulnerabilities that their or another organization's digital assets could be facing.

scoutPRIME's TIC score also provides insight into the growing or decreasing risk of collected digital assets. This allows analysts to take action and mitigate risk, including third-party risk.


Q. Does scoutPRIME allow me to monitor cloud service and Internet service providers?

A. You can use scoutPRIME to monitor the digital assets of any entity, including companies that do business with you such as cloud service and Internet service providers.

Please note that the platform conducts only passive scanning of digital assets; the data you receive about entities is therefore already in the public domain.


Q. How do you associate network assets to owners?

A. Networks are associated to owners through the ASN registration.


Q. Is there a way “non-technical” users can craft automated queries for recurring analysis requests and/or integrations?

A. Users need to feel comfortable writing queries and making HTTP requests, therefore technical knowledge is needed.


Q. Does scoutPRIME have reporting?

A. Yes, you can generate many types of reports on scoutPRIME. For more details, refer to this article.


Q. Can I create “custom” reports?

A. Yes, you are able to run custom reports for:

  • Collection Health Summary

  • Threat Association Daily Activity

For more details, click here.


Q. Can I see my “most recent” risk information?

A. Yes, scoutPRIME has a Dashboard that provides you with snapshots of your workspace collections with recent TIC scores and the latest associations (threats and vulnerabilities), etc.

Recent information you will find on the Dashboard includes:

  • Pinned Collections (up to 3)

  • Associations Added Today

  • New Association Count by Day

  • Association Count Change

  • Criticality of Risks, Elements, and Collections

  • And more.

For more on this, see the article for The Dashboard.


Q. How do I find network assets associated with a CVE/vulnerability?

A. First, do a query or search for the element/network asset using the Associated Risks filter.

The results page will list any risks for the network element you entered in your search.

You can narrow down your search results by using the Risk filter on the left panel of the page. Choose Vulnerability.

Finally, with the filter applied, scoutPRIME will load only vulnerabilities (if any) on the results page.

These are the CVE/vulnerabilities associated with the network asset.


Q. How do I determine if any of those network assets associated with a CVE are mine or in a collection I built?

A. When you click on a CVE/vulnerability listed on a search results page, its details will display on the Element Details section. To determine if at least one of the elements of the vulnerability (shown on the left side bar) is in any of your collections, click on Associated Collections.

If at least one element (left side bar) associated with the CVE/vulnerability is in a collection you built, the system will list it under the Associated Collections section of the page.


Q. There are a lot of indicators in the platform, so for example, how do I know which malware indicators are the ones delivering the malware/attacking, and which indicators are the ones where someone has been infected by malware?

A. There are “keywords” in the indicators and within the enrichment fields that LookingGlass adds to the data sources scoutPRIME is aggregating and correlating.

These keywords indicate to the user which indicators, and their related IoCs, are “attacker infrastructure” vs. “victim/infected infrastructure.” By leveraging these pieces of information, the scoutPRIME user can discern which indicators and IoCs should be used for network log correlation or deployment to a firewall vs. which indicators and IoCs should be used for incident response, vulnerability management/patching, or target/victim notification.


Q. How do I extract all indicators or elements associated with a specific threat?

A. To extract all indicators or elements from a collection, follow these steps:

  1. Go to the collection you want to extract the elements from. The collection will open in the Collection Management section.

  2. Then, click Actions on the right side of the screen.

  3. From the drop-down menu, click Export Associations.

Associations will be downloaded to your system as a CSV file.


Q. I have an organization’s network footprint. How do I create a collection to monitor it?

A. You can create collections with network elements that you import from your workstation. Once the data is ingested, you can monitor the elements. In addition, scoutPRIME provides TIC scores for the collection and what you've added to it.

To add your own data to a collection, follow these steps:

1. Create a new collection by clicking the plus sign on the top left side of the Collections panel.

2. Give your collection a Name, Description, Assign users (optional), then click Add.

3. Next, near the top of the collection name, click Rules.

4. On the Rules page, click Actions, then select Import from the drop-down menu.

5. In the dialog box, click Select CSV to begin the importing process.

IMPORTANT: Your CSV file must have a header row with the element type ("Element Type") and the element name ("Element Name"). The fields should be separated by commas.


Sample formatting:

Element Type, Element Name
asn,39981
cidrv4,10.1.0.0/24
ipv4,172.16.254.1

6. After selecting the CSV file, the dialog box will display your data under the Element Type and Element Name columns. Click Save to finish importing.
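A pre-flight check for the import file described above, added here as an example; it is not LookingGlass code and does not talk to scoutPRIME. It verifies the "Element Type, Element Name" header the FAQ requires and checks each row's value against its declared type, so a typo (a CIDR with host bits set, a malformed address, a misspelled type, a duplicate row) is caught before the file is uploaded rather than silently imported into a collection. The type tokens asn, cidrv4 and ipv4 come from the sample above; the tokens ipv6, cidrv6 and fqdn are assumed to match the other element kinds a collection may contain and should be confirmed against a real export. The sample CSV embedded in the script is constructed: its first three data rows are the page's own sample values, the rest are deliberately malformed.

```python
"""Pre-flight validation of a scoutPRIME collection-import CSV.

Added example for this FAQ; not LookingGlass code and not an API client.
Header row and the tokens asn/cidrv4/ipv4 are from the FAQ; ipv6, cidrv6
and fqdn are ASSUMED tokens.
"""
import csv
import io
import ipaddress
import re
import sys

EXPECTED_HEADER = ["Element Type", "Element Name"]

# One DNS label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_FQDN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def _check_asn(value):
    # The page's sample uses a bare number ("39981"), so no "AS" prefix.
    if not value.isdigit() or int(value) > 4294967295:
        return False, f"invalid ASN {value!r} (expected a bare 32-bit number)"
    return True, ""


def _check_ip(version):
    def check(value):
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False, f"invalid IP address {value!r}"
        if addr.version != version:
            return False, f"{value!r} is not an IPv{version} address"
        return True, ""
    return check


def _check_cidr(version):
    def check(value):
        if "/" not in value:
            return False, f"CIDR {value!r} needs an explicit prefix length"
        try:
            # strict=True rejects 10.1.0.5/24: host bits set usually means the
            # row was meant to be an IP, or a different network.
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            return False, f"invalid CIDR {value!r}: {exc}"
        if net.version != version:
            return False, f"{value!r} is not a CIDRv{version} block"
        return True, ""
    return check


def _check_fqdn(value):
    host = value.rstrip(".")
    if len(host) > 253 or not _FQDN_RE.match(host):
        return False, f"invalid FQDN {value!r}"
    return True, ""


VALIDATORS = {
    "asn": _check_asn,
    "ipv4": _check_ip(4),
    "cidrv4": _check_cidr(4),
    "ipv6": _check_ip(6),      # assumed token
    "cidrv6": _check_cidr(6),  # assumed token
    "fqdn": _check_fqdn,       # assumed token
}


def validate_import_csv(text):
    """Return (rows, errors): rows are the (type, name) pairs that passed every
    check; errors are messages with 1-based line numbers for fixing the file."""
    rows, errors, seen = [], [], {}
    records = list(csv.reader(io.StringIO(text)))
    if not records:
        return rows, ["file is empty"]
    header = [h.strip() for h in records[0]]
    if header != EXPECTED_HEADER:
        errors.append(f"line 1: header must be {', '.join(EXPECTED_HEADER)!r}, "
                      f"got {', '.join(header)!r}")
    for lineno, record in enumerate(records[1:], start=2):
        if not any(cell.strip() for cell in record):
            continue  # blank line, harmless
        if len(record) != 2:
            errors.append(f"line {lineno}: expected 2 fields, got {len(record)}")
            continue
        etype, name = record[0].strip().lower(), record[1].strip()
        check = VALIDATORS.get(etype)
        if check is None:
            errors.append(f"line {lineno}: unknown element type {etype!r}")
            continue
        ok, why = check(name)
        if not ok:
            errors.append(f"line {lineno}: {why}")
            continue
        if (etype, name) in seen:
            errors.append(f"line {lineno}: duplicate of line {seen[(etype, name)]}")
            continue
        seen[(etype, name)] = lineno
        rows.append((etype, name))
    return rows, errors


# Constructed sample: rows 2-4 are the page's sample values, the rest are bad.
SAMPLE_CSV = """Element Type, Element Name
asn,39981
cidrv4,10.1.0.0/24
ipv4,172.16.254.1
cidrv4,10.1.0.5/24
ipv4,300.1.1.1
fqdn,www.example.com
dnsrecord,example.com
asn,39981
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    good, bad = validate_import_csv(text)
    print(f"{len(good)} importable rows, {len(bad)} problems")
    for msg in bad:
        print(" ", msg)
```

Run it as `python validate_import.py footprint.csv`; with no argument it checks the embedded sample and reports four importable rows and four problems (host bits set, bad address, unknown type, duplicate). Element types are lower-cased before lookup so "IPv4" and "ipv4" are treated the same; whether the platform itself is case-sensitive is not stated on the page, so keep the lower-case form from the sample in the file you upload.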


Q. How do I integrate scoutPRIME to a SIEM, SOAR, TIP, ticketing system, firewall, IDS, or IPS?

A. Our support team can provide you with scripts you can utilize to integrate the scoutPRIME API with third-party platforms, such as Splunk, Sentinel, etc. For more information, send an email to: [email protected].


Q. How do I export data?

A. You can export elements or rules (e.g., DNS records, IP addresses, etc.) as well as associations (threats and vulnerabilities) whenever you see the option to Export on a page. See example below. When you choose to export data, it will typically be in CSV or PDF format.

For a workflow on how to export element details, click here.


Ask Us!

If you'd like to submit a question, send an email to: [email protected]. We'll get back to you as soon as possible.

