Host Severity

In Deep Discovery Inspector, host severity is the impact on a host as determined from aggregated detections by Trend Micro products and services.

Looking beyond the severity of individual events, the host severity numerical scale exposes the most vulnerable hosts and allows you to prioritize and respond quickly.

Host severity is based on the aggregation and correlation of the severity of the events that affect a host. If several events affect a host and no connection between them is detected, the host severity is the highest event severity among those events. If a correlation between the events is detected, the host severity level increases accordingly.

For example: five events affect a host, and the highest risk level among them is moderate. If the events are not correlated, the host severity is based on the moderate risk level of that single event. If the events are correlated, the host severity level increases based on the detected correlation.

The host severity scale consolidates threat information from multiple detection technologies and simplifies the interpretation of overall severity. You can prioritize your responses based on this information and your related threat response policies.

Table 1. Host Severity Scale

Category: Critical
Host exhibits behavior that definitely indicates host is compromised

  Level 10 - Host shows evidence of compromise including but not limited to the following:
    • Data exfiltration
    • Multiple compromised hosts/servers

  Level 9 - Host exhibits an indication of compromise from APTs including but not limited to the following:
    • Connection to an IP address associated with a known APT
    • Access to a URL associated with a known APT
    • A downloaded file associated with a known APT
    • Evidence of lateral movement

  Level 8 - Host may exhibit the following:
    • A high severity network event
    • Connection to a C&C server detected by Web Reputation Services
    • A downloaded file rated as high risk by Virtual Analyzer

Category: Major
Host is targeted by a known malicious behavior or attack and exhibits behavior that likely indicates host is compromised

  Level 7 - Host may exhibit the following:
    • Inbound malware downloads; no evidence of user infection
    • An inbound Exploit detection

  Level 6 - Host may exhibit the following:
    • Connection to a dangerous site detected by Web Reputation Services

  Level 5 - Host may exhibit the following:
    • A downloaded medium- or low-risk potentially malicious file with no evidence of user infection

  Level 4 - Host may exhibit the following:
    • A medium severity network event
    • A downloaded file rated as medium risk by Virtual Analyzer

Category: Minor
Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat

  Level 3 - Host may exhibit the following:
    • Repeated unsuccessful logon attempts or abnormal patterns of usage
    • A downloaded or propagated packed executable or suspicious file
    • Evidence of running IRC, TOR, or outbound tunneling software

  Level 2 - Host may exhibit the following:
    • A low severity network event
    • Evidence of receiving an email message that contains a dangerous URL
    • A downloaded file rated as low risk by Virtual Analyzer

Category: Trivial
Host exhibits normal behavior that may be benign or indicate a threat in future identification of malicious activities

  Level 1 - Host may exhibit the following:
    • An informational severity network event
    • Connection to a site rated as untested or to a new domain detected by Web Reputation Services
    • Evidence of a running disruptive application such as P2P
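The aggregation rule described above (highest event severity when events are uncorrelated, a raised level when they are correlated) and the level-to-category mapping in Table 1 can be modelled together in a short script. The following Python is an added illustration, not Deep Discovery Inspector's own code: the product does not publish how much a detected correlation raises the level, so the `correlation_boost` of one level is an assumption, the `correlation_id` field that marks which events were correlated is a hypothetical stand-in for the product's correlation logic, and the event data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Level -> category, taken from Table 1 (Host Severity Scale).
CATEGORY_BY_LEVEL: Dict[int, str] = {
    10: "Critical", 9: "Critical", 8: "Critical",
    7: "Major", 6: "Major", 5: "Major", 4: "Major",
    3: "Minor", 2: "Minor",
    1: "Trivial",
}


@dataclass(frozen=True)
class Event:
    host: str
    level: int                             # event severity on the 1..10 scale
    description: str = ""
    # Hypothetical: events sharing a correlation_id were found to be
    # connected. The real product decides this internally; we only model it.
    correlation_id: Optional[str] = None


def category(level: int) -> str:
    """Map a host severity level to its Table 1 category."""
    if level not in CATEGORY_BY_LEVEL:
        raise ValueError(f"level {level} is outside the 1..10 scale")
    return CATEGORY_BY_LEVEL[level]


def host_severity(events: List[Event], correlation_boost: int = 1) -> int:
    """Aggregate event severities for one host.

    Uncorrelated events contribute their own level; a group of two or more
    correlated events contributes its highest level plus correlation_boost
    (assumed value, capped at 10). The result is the maximum over all
    contributions, or 0 when the host has no events.
    """
    singles: List[int] = []
    groups: Dict[str, List[int]] = {}
    for e in events:
        if e.level not in CATEGORY_BY_LEVEL:
            raise ValueError(f"event level {e.level} is outside the 1..10 scale")
        if e.correlation_id is None:
            singles.append(e.level)
        else:
            groups.setdefault(e.correlation_id, []).append(e.level)

    candidates = list(singles)
    for levels in groups.values():
        if len(levels) >= 2:
            candidates.append(min(10, max(levels) + correlation_boost))
        else:
            candidates.extend(levels)   # a lone "correlated" event is just an event
    return max(candidates, default=0)


def rank_hosts(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (host, level, category) sorted most severe first, then by name."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    ranked = []
    for host, evs in by_host.items():
        level = host_severity(evs)
        ranked.append((host, level, category(level)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


# Constructed sample: ws-01 and ws-02 see the same five event levels, but on
# ws-02 the two level-4 events were correlated, so ws-02 ranks higher.
SAMPLE_EVENTS: List[Event] = [
    Event("ws-01", 2, "low severity network event"),
    Event("ws-01", 3, "repeated unsuccessful logon attempts"),
    Event("ws-01", 4, "medium severity network event"),
    Event("ws-01", 4, "file rated medium risk by sandbox"),
    Event("ws-01", 1, "informational network event"),
    Event("ws-02", 2, "low severity network event"),
    Event("ws-02", 3, "repeated unsuccessful logon attempts"),
    Event("ws-02", 4, "medium severity network event", correlation_id="c1"),
    Event("ws-02", 4, "file rated medium risk by sandbox", correlation_id="c1"),
    Event("ws-02", 1, "informational network event"),
    Event("srv-03", 9, "connection to IP associated with known APT", correlation_id="c2"),
    Event("ws-04", 10, "data exfiltration", correlation_id="c3"),
    Event("ws-04", 8, "high severity network event", correlation_id="c3"),
]

if __name__ == "__main__":
    for host, level, cat in rank_hosts(SAMPLE_EVENTS):
        print(f"{host:8s} level {level:2d}  {cat}")
```

The ranking this produces is the practical use of the scale: the two hosts with identical raw detections end up one level apart purely because of correlation, which is exactly the distinction the page says separates "five unrelated moderate events" from "five related ones". Note that the boost is capped at 10 so a correlated Critical host cannot exceed the scale.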