This article provides information about the Cato User Risk Level, how it is calculated, and how you can implement it to improve your security posture.
Note
Note: Please contact cato-releases@catonetworks.com for more information about enabling and using this feature.
As part of Cato’s approach to universal ZTNA and continuous assessment and verification, Cato designates a dynamic User Risk Level for each of the users in your organization to determine the risk that they pose.
The User Risk Level helps you improve your security posture and adaptive access capabilities. The User Risk Level is based on various indicators from the user to establish a baseline level. You can create rules in your various policies to determine access to resources based on this level. For example, create a rule that blocks traffic to sensitive company resources from users with a Risk Level of High or above.
You can view the Risk Level for all users in your organization, whether they have an SDP license or not. This gives you an indication of the overall security posture. In addition, you can see all security events that are connected to a specific user and determine their risk level.
ABC Company works with SaaS applications and, following security best practices wants to make sure that only the necessary people can access these applications. In addition, they want to make sure that nobody in the authorized group with a risk level of High or greater can access these applications.
The company creates a rule in their Internet firewall to block any traffic to their SaaS applications.
When John Doe is unable to access the Saas application, he contacts the IT department who see that his risk level is High. However, after reviewing the events that determined the level, the IT department decide he doesn't pose a risk, and reset the level so he is able to access the applications he needs.
ABC Company has a database server that needs to be accessed from its various offices. They want to ensure that it is accessible to the developers but also need to ensure that it is secure as it provides access to sensitive and proprietary data.
The company creates a rule in the WAN firewall to only allow access to authorized users whose Risk Level is lower than High.
Every user activity is monitored and logged, leveraging the Cato shared context, and users are dynamically assigned a Risk Level based on a proprietary algorithm that considers a range of different data points. The Risk Level can then be used in the Internet and WAN policies to only allow access to users who present the lowest risks. Cato collects the following attributes:
|
Item |
Attribute |
Examples |
|---|---|---|
|
1 |
Trojan Activity |
Dridex, Peacomm, PeacommBanking |
|
2 |
Banking Malware |
Bancos, Banload, Banker |
|
3 |
Information Stealers |
Zeus/Zbot, Agent, Symmi |
|
4 |
Backdoor Activity |
Various signatures mapped to MITRE ATT&CK techniques |
|
5 |
Botnet Traffic |
Mirai, various C2 signatures |
|
6 |
DNS Tunneling |
NULL-Based DNS Tunneling, TXT-Based DNS Tunneling,DNS Tunnel Setup via DNS2TCP, Feed-Based DNS Tunneling |
|
7 |
Beaconing Activity |
Regular Command & Control check-ins |
|
8 |
Multiple Domain Communications |
SSH attempts, Data Upload, HTTP connections |
|
9 |
Ransomware Communications |
Lockbit, BlackCat, Avos, Quantum |
|
10 |
Encryption Behavior |
File system encryption activity |
|
11 |
Ransom Note Delivery |
Ransom note placement or delivery |
|
12 |
Mining Pool Communications |
CryptInject, Cryptomineext, Groupfabric Bitcoinminer |
|
13 |
Resource Utilization |
Abnormal system usage for mining |
|
14 |
Data Transfer to Suspicious Destinations |
System Information Exfiltration, RaiDrive Exfiltration |
|
15 |
Credential Theft |
Fin4, Soaksoakredirect, Novaloader |
|
16 |
Large Data Transfers |
Data exfiltration to Mega, Fewin stealer - data exfiltration attempts, ICMP covert channel carrying HTTP data |
|
17 |
CVE Exploitation |
CVE-2018-0101, CVE-2017-0199, CVE-2021-44228 (Log4Shell) |
|
18 |
Zero-day Exploitation |
Signatures for emerging threats |
|
19 |
Command Injection |
SolarView |
|
20 |
Directory Traversal |
TIBCO,Directory traversal in HTTP headers |
|
21 |
File Upload Attempts |
CVE-2021-3378, CVE-2021-22005, CVE-2021-36440 |
|
22 |
SQL Injection |
CVE-2020-35848, CVE-2024-43468, CVE-2020-22425 |
|
23 |
Cross-site Scripting and CSRF |
Generic XSS, Cross-site scripting injection, CVE-2022-41622 |
|
24 |
Obfuscated Phishing |
Domain masking, URL shorteners |
|
25 |
Credential Phishing |
Insertion of sensitive data into phishing pages |
|
26 |
Brand Impersonation |
DHL-related phishing, Cyber-squatting PoP service |
|
27 |
Automated Scanning Tools |
Nikto, Nessus, OpenVAS |
|
28 |
Targeted Vulnerability Probes |
CVE-focused scans |
|
29 |
Network Enumeration |
Port scanning and network discovery |
|
30 |
Known Bad IP/Domain Communication |
Low-reputation domain access, TOR/proxy |
|
31 |
User Email |
|
|
32 |
User Group |
|
|
33 |
User Confidence Level |
|
|
34 |
Platform |
|
|
35 |
Country |
|
|
36 |
Connection Origin |
|
User Risk Level is a vital tool for network and security teams, enabling zero-trust dynamic access control policies to protect both internal application traffic and internet traffic. It offers valuable insights into your risk posture, letting you to adjust your security strategies dynamically in response to evolving threats.
You can create risk-based policies in your Internet and WAN firewalls to block access to your applications.
To define a risk-based rule in your firewalls:
-
When configuring your Internet or WAN firewall policies, add the User or User Groups to which the rule applies.
-
In the Criteria section of the rule, under User Attributes, click Add Attribute.
-
Enter the Risk Level criteria to match the rule against.
-
Define the Action to take when the rule is matched and click Save.
The Access > Users page provides visibility into all of the users in your system, and their risk levels.
You can filter the information on the page based on the Risk Level so you can easily find the ones that potentially pose the greatest threat to the organization. Risk Level values are:
-
Critical
-
High
-
Medium
-
Low
From this page, you can perform specific actions based on the Risk Level, such as revoking a user session or resetting the Risk Level.
Investigating and Monitoring a Specific User
To gain a better understanding of what determines the Risk Level for a user, you can click the Monitoring icon, which will take you to the User Monitoring pages, where you can view Security Events for the user. The Risk Level is grouped into the following categories to simplify the investigation:
- IPS
- Anti-malware
- Suspicious activity
- Firewall
Filter the contents of the Events page using the following criteria:
-
Event Type: Security
-
Sub Type: Anti Malware, NG Anti Malware, SAM, IPS, User Risk Event
Once you have this additional input, you can make a better decision about how to proceed with the user and what actions, if any, you need to take.
0 comments
Please sign in to leave a comment.