Key Concepts

Learn about Events, Threat Cards, Clusters and Criticality

These are some of the basic concepts in Liberty91. Use this as a quick reference to learn the basics of the platform.

Events

'Events' are the 'things that happen': new articles, blog posts, X-posts (tweets), et cetera. They are read, analyzed, catalogued and presented on any of your dashboards. If they are critical enough, you'll get an instant alert.

This particular event will automatically be catalogued under my 'Turla' Threat Actor Threat Card. Turla is part of our 'Threats from Russia' Threat Cluster, so it will also be catalogued there.

If you want to add or remove linked Threat Cards from an Event, use the drop down menu's in the Threat Library Links section. If you don't see any threat cards to add, create some first in the Threat Library.

The Threat Card shows the full content and a tailored analysis on the right. If there is no analysis provided yet, you can generate one with a click of a button. If you, for some reason, don't like the analysis, you can ask for a redo of the analysis.

Liberty91 also provides 'suggested threat cards'. These are Threat Cards you don't have yet, but based on the text in this post, you might want to consider creating one. If that's the case, you can just click on the suggestion, and the card will be automatically created for you.

Threat Cards

Every Threat Actor, Malware and Vulnerability you find in your Threat Library, is a 'Threat Card'. Think of it as a 'book' in a normal library. All the relevant reporting will automatically be catalogued under the relevant threat cards.

A Threat Card has a title and a description. It also has a criticality rating (medium in this case), origin, whether this is a top threat, any aliases, relationships to other entities in your threat library, and automatically catalogued events.

Any new events that contain either the name or any of the aliases in the title or the body of the event, will automatically be catalogued under this threat card.

The description of the Threat Card is AI-generated and based on your organization, and historic and recent reporting. If, for example, this description was generated last week, and over the last few days a lot of new reporting has come out on your threat, then you can simply press update description, and a new, up-to-date analysis will be generated, replacing the old one. Because this analysis is based on real-world reports, there is hardly any 'hallucination' happening.

Criticality

Criticality is important because:

You will receive instant alerts for everything rated at or above your criticality threshold
Threats and events are ordered by criticality on the criticality dashboard
It helps your instance of our Liberty91 AI-stack understand what is important to you

You can set criticality:

when you import a new set of company clusters
In your individual asset cluster card or threat cards

You can change your alerting threshold in your User Profile.

Liberty91 uses the CISA National Cyber Incident Scoring System (NCISS) to rate the severity of any threat event. The NCISS is originally designed by CISA to rate incidents, but the same methodology can conveniently be applied to threat events.

The CISA National Cyber Incident Scoring System has six levels of criticality, including a baseline level and the highest level being "Severe". The levels of criticality are:

Baseline: Used for informational purposes only (white and blue on the graph below)

Level 1: Low

Level 2: Medium

Level 3: High

Level 4: Critical

Level 5: Severe

As illustrated in the graph, It is expected that there will be a lot less ‘high’ or ‘severe’-rated events than ‘baseline’ or ‘low’-rated ones.

Liberty91 rates every event at a ‘baseline’ criticality by default. Only if an entity from the threat library with a higher rating is associated with the event, then Liberty91 will assign that rating. For example: a news event that mentions a threat actor from the threat library with a criticality rating of ‘high’. That means the event itself will also be rated as ‘high’ criticality. If there is more than one entity associated with the ticket, then the highest criticality rating will be applied to the event.

The criticality rating gives both you, your instance of Liberty91's AI-stack and the Criticality Dashboard immediate insights into what matters to you at any given time. This is why it is so important to set appropriate criticality levels when you create and maintain your threat library. It is wise to set any entity you create at least at the ‘low’-criticality level or higher, to make a distinction with generic baseline events.

It is important to take appropriate actions based on the criticality rating assigned to the event to mitigate any risks.

For events with a Baseline criticality rating, they are considered low impact informational events and may not require immediate action. It is recommended that you simply review and monitor these events.

For events with a Level 1 (low) criticality rating, they are considered low impact events that may require some action, but not necessarily an immediate response. It is recommended that you monitor and address these events in a timely manner.

For events with a Level 2 (medium) criticality rating, they are considered medium impact events that require investigation and action to mitigate the potential risk.

For events with a Level 3 (high) criticality rating, they are considered high impact events that require immediate attention and action to mitigate the potential risk. It is recommended that you prioritize these events.

For events with a Level 4 (critical) criticality rating, they are considered critical events that require immediate attention and action to mitigate the potential risk. It is recommended that you prioritize these events and escalate them to appropriate teams if necessary.

For events with a Level 5 (severe) criticality rating, they are considered severe events that require immediate attention and action to mitigate the potential risk. It is recommended that you prioritize these events and involve your incident response team and other necessary stakeholders to address them.

Alerts

Liberty91 has two types of events: Instant Alerts and Morning Reports. You can configure and tune them both in your User Profile.

A new event is generated, and it mentions Threat Actor 'Turla'. We care about Turla, so we have rated it 'High'. This means that the new event will also be rated at least High. Our Alerting Threshold is set to 'Medium', which is lower, so Liberty91 will analyze the event for us and send an immediate alert.

Instant Alerts happen when a new event is generated with a criticality at or above your criticality threshold. Events adopt the criticality rating of the highest-rated threat or company asset linked to the event. For example: If Turla (rated High) is reported to target Wordpress (rated Low), the event will be rated High. If your reporting threshold is set to High (default) or lower, you will get an immediate alert.

By default your threshold is set to High, new events will be rated Baseline, and any Threat or Company Card you create will be Medium. If you don't tweak your Threshold, you will not receive instant alerts.

Threat Clusters

Threat Clusters are 'buckets' of threat cards and keywords. For example, a Threat Cluster called 'Threats from Russia' might contain all known Threat Actors from the region, plus the malware they use, as well as some relevant keywords. If you think of every Threat Card as a book in a library, then Threat Clusters would be a Genre. Threat Cards can be in none, one or multiple threat clusters.

Threat Cluster Cards will contain all the events linked to the individual Threat Cards in that Cluster, so all of those will be considered when a new description is generated.

Company Clusters

Company Clusters work in exactly the same way as Threat Clusters, but they are about what your company, rather than the threat landscape.

If you think of Threat Cards as 'The Threat From' (from Russia, from Ransomware, from DDOS, for example), then Company Cards are 'Threats To' (to your sector, region, to your attack surface, et cetera).

In the sidebar, under Company Clusters, you will find:

Add New Clusters

This will let you add new clusters in bulk

Featured Clusters

These are clusters sometimes created by us, which we think you might find useful. If there is another critical vulnerability in Ivanti, for example, or a new conflict breaking out with a cyber-component, we might create one for you to simply copy-paste. We'll let you know if there are new featured clusters available.

Your Company Name

This is where your company-specific clusters are located. The first one covers your brand, region and sector. Those clusters are there to capture and cluster any threats specific to your brand, your sector or region.

The other links go to your asset clusters, your attack-surface clusters, supply-chain clusters and people and data-clusters. When you create a new cluster for, say, Microsoft Exchange, you can tell Liberty91 this is any of those categories. They can then be found under those menu-items. The categorization helps the AI determine what you are protecting, and so how much you should care about new events, as and when they occur.

Don't think this through too much. If you're not sure if something is a supplier or part of your attack-surface, then just choose one. If it is unclear, then both categories are good options.

PreviousMeet the team NextGet in touch

Last updated 12 months ago