Explained: The VMRay Threat Identifier (VTI) Scoring System
In the science fiction classic The Hitchhikers’ Guide to the Galaxy, a civilization far in the future builds the world’s largest supercomputer to answer the question “What is the meaning of life?” After thousands of years calculating, the computer issues its long-awaited answer, the number “42” with no explanation given.
It’s a farcical situation but it does pose an interesting question – what do all these numbers mean that are issued from the all-knowing black box? This situation happens sometimes when customers and prospects ask how our VMRay Threat Identifier (VTI) scoring system works to determine which programs are malicious and benign.
Simply stated, the VTI scoring system falls along a 0 to 100 range where the higher the score, the higher the maliciousness of the submitted sample. In general, a score equal to or higher than 75 means that the sample should be considered malicious.
|Suspicious||>= 25 and <75|
|Not Suspicious||< 25|
To calculate the total VTI score, the VMRay analysis engine observes each discrete behavior performed by a file and grades it on a five-point scale, ranging from 1/5, which can be construed as “not suspicious”, to 5/5 which is unambiguously malicious. In addition, static attributes like the reputation of the file based on the hash value and Yara rule matches are scored in the same manner.
The first thing to understand about the VTI scoring system is it is not cumulative or linear. Each step along this five-point gradation scale functions more like the Richter scale, with each increase in number an order of magnitude larger than the last. Phrased more succinctly, one 4/5 score outweighs three 2/5 scores, with the former being automatically flagged as malicious while the latter would be deemed merely suspicious.
Below is an analysis performed on an executable that was deemed ransomware by the VTI scoring engine after it scored three 5/5 warnings, including two that immediately flagged it as ransomware:
At the top of the page is the name of the file inspected alongside the VTI score and “ransomware” classification:
Below this label, we can see the three 5/5 scores(!) that triggered the ransomware designation. Note how these discrete malicious behaviors were performed multiple times in the “count” column:
Also observe how the operation “Encrypts content of user files” automatically triggers a 5/5 score and flags the program as ransomware. In so doing, VMRay is drawing on the knowledge gleaned from analyzing millions of code samples and found this behavior consistently performed by ransomware.
The code sample also was flagged for several low-level behaviors that were scored 1/5:
VMRay Analyzer provides these complete reports to give users a full play-by-play of all the actions the code sample performs. The underlying algorithm for calculating scores is complicated but a few simple rules can be disclosed:
- Several 1/5 scores cannot result in a suspicious verdict
- Several 2/5 scores can only cause, at most, a suspicious verdict
- 3/5 scores can result in a malicious verdict if they also contain additional 2/5 or 3/5 scores
- A single 4/5 or 5/5 rule always causes a malicious verdict.
Further, each specific VTI score is weighted according to the submitted sample type. A behavior such as creating a new process can be benign for certain filetypes (an EXE) but malicious for others (a Word document).
What actions are malicious and which benign?
To facilitate sharing across platforms which behaviors are potentially malicious in a standardized manner, the VTI scoring system is mapped to the MITRE ATT&CK® Framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
When users scroll down the VMRay Analyzer Report, they are presented with a matrix of the attack techniques used by the analyzed sample with severity levels color-coded. In this example, the ransomware used these following methods
Further, users can click on any of the items listed in the matrix to read a more detailed explanation of the method. In the example below is a pop-up screen documenting the attack type “Data Encrypted for Impact”:
The VTI scoring system is a clear and intuitive report which can be integrated into other security products and an enterprise’s security ecosystem. Its clarity and simplicity are an advantage where some scoring systems are either incomprehensible or opaque.
This clarity is important when dealing with incident response because time is of the essence. The VTI scoring system accelerates the response cycle by providing clear answers to analysts and the full analysis helps SOC teams to reduce attacker dwell time and take prompt remediation steps to prevent future attacks. Request a 30-day trial today.