Alerts in Orca are graded according to the risk level they pose to the organization. There are four levels of risk, listed below from highest (Compromise, score 1) to lowest (Informational, score 4):
Compromise [score 1]
Alerts for malicious code or activity present on the asset.
Imminent Compromise [score 2]
Alerts where assets are at a high risk of being compromised based on our findings and a potentially viable external attack vector.
Hazardous [score 3]
Alerts where the asset is at high risk, but there is no known exploit or the asset cannot be reached externally.
Informational [score 4]
Alerts with no clear attack vector that pose minimal risk to the organization and are therefore deemed informational.
An alert's score can be upgraded or downgraded based on multiple contextual factors. Some examples are:
- Whether the asset is Internet-facing or not (Orca builds a context map to understand the topology, even if the asset is behind a proxy, load balancer, etc.).
- Vulnerability correlation to Network services.
- The publication date of the CVE.
- Fix availability per package/CVE by the vendor.
- IOC - Indicator of Compromise (authentication logs, etc.).
- Exploit availability per CVE.
- CVSS Score baseline.
- Potential damage like remote code execution or denial of service.
- Trending/High-Profile CVE (security blogs, threat intelligence, Twitter chatter, etc…).
- Risky configuration (both the cloud control plane and workload risky configuration).
- Asset state (running / shut down).
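To make the upgrade/downgrade idea concrete, here is an added illustrative grader in Python. It is not Orca's scoring algorithm (the page does not publish Orca's weights or rules); it models a subset of the factors above with assumed thresholds and field names, and the sample findings, asset names and the placeholder CVE identifiers are constructed for the example. The point it shows is that the same CVE lands on different levels depending on asset context: an IOC dominates everything, a viable external attack vector (Internet-facing, exposed service, running asset, public exploit) yields Imminent Compromise, and the same CVE on an internal or shut-down asset drops to Hazardous.

```python
"""Illustrative contextual alert grader (added example, not Orca's algorithm).

Field names, thresholds and the rule order are assumptions chosen to show how
asset context upgrades or downgrades a CVSS baseline into one of the four
alert levels described above.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    COMPROMISE = 1
    IMMINENT_COMPROMISE = 2
    HAZARDOUS = 3
    INFORMATIONAL = 4


@dataclass(frozen=True)
class Finding:
    """One CVE on one asset plus the context used to grade it (assumed fields)."""
    asset: str
    cve: str
    cvss: float                 # CVSS score baseline
    impact: str                 # potential damage: "rce", "dos" or "info"
    internet_facing: bool       # output of the topology / context map
    listening_service: bool     # vulnerable package backs a network service
    asset_running: bool         # asset state (running / shut down)
    exploit_available: bool     # public exploit exists for the CVE
    trending: bool              # trending / high-profile CVE
    ioc_present: bool           # indicator of compromise seen on the asset


def grade(f: Finding) -> tuple[Level, list[str]]:
    """Return the alert level for a finding and the reasons that drove it."""
    reasons: list[str] = []

    # Evidence of malicious activity on the asset dominates every other factor.
    if f.ioc_present:
        reasons.append("indicator of compromise observed on the asset")
        return Level.COMPROMISE, reasons

    # Severity baseline from CVSS (threshold 7.0 is an assumption), upgraded by
    # damage potential or trending status even when the CVSS number is moderate.
    high_risk = f.cvss >= 7.0
    if high_risk:
        reasons.append(f"CVSS {f.cvss} baseline is high")
    elif f.impact == "rce":
        high_risk = True
        reasons.append("upgraded: remote code execution despite moderate CVSS")
    elif f.trending:
        high_risk = True
        reasons.append("upgraded: trending / high-profile CVE")

    if not high_risk:
        reasons.append("low CVSS baseline and no aggravating factor")
        return Level.INFORMATIONAL, reasons

    # A viable external attack vector needs all of: reachable from the Internet,
    # the vulnerable component exposed as a service, and the asset running.
    externally_reachable = f.internet_facing and f.listening_service and f.asset_running
    if externally_reachable and f.exploit_available:
        reasons.append("Internet-facing, service exposed, asset running, exploit public")
        return Level.IMMINENT_COMPROMISE, reasons

    # High risk, but either no known exploit or not reachable externally.
    if not f.asset_running:
        reasons.append("downgraded: asset is shut down")
    elif not f.internet_facing:
        reasons.append("downgraded: not reachable from the Internet")
    elif not f.listening_service:
        reasons.append("downgraded: vulnerable package is not exposed as a network service")
    if not f.exploit_available:
        reasons.append("no known exploit")
    return Level.HAZARDOUS, reasons


# Constructed sample: the same placeholder CVE on assets with different context.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 9.8, "rce", internet_facing=True,
            listening_service=True, asset_running=True, exploit_available=True,
            trending=True, ioc_present=False),
    Finding("batch-07", "CVE-EXAMPLE-0001", 9.8, "rce", internet_facing=False,
            listening_service=True, asset_running=True, exploit_available=True,
            trending=True, ioc_present=False),
    Finding("web-02", "CVE-EXAMPLE-0001", 9.8, "rce", internet_facing=True,
            listening_service=True, asset_running=True, exploit_available=True,
            trending=True, ioc_present=True),
    Finding("legacy-09", "CVE-EXAMPLE-0002", 8.1, "dos", internet_facing=True,
            listening_service=True, asset_running=False, exploit_available=False,
            trending=False, ioc_present=False),
    Finding("dev-03", "CVE-EXAMPLE-0003", 3.1, "info", internet_facing=True,
            listening_service=False, asset_running=True, exploit_available=False,
            trending=False, ioc_present=False),
]


def grade_all(findings=SAMPLE_FINDINGS) -> dict[str, Level]:
    """Grade every finding and return {asset: level}."""
    return {f.asset: grade(f)[0] for f in findings}


if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        level, reasons = grade(f)
        print(f"{f.asset}: {level.name} [score {level.value}] - " + "; ".join(reasons))
```

Running it prints one line per asset with the level and the reasons, which is the part a practitioner actually wants from a scoring engine: not just "score 2" but why the same CVE was downgraded on batch-07 (not Internet-facing) and on legacy-09 (shut down, no exploit).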