Judgment Entities

A Judgment is an assessment of the intent or nature of an observable. It can mark the observable as malicious (for example, a file that is malware, or a host that subverts system operations), as clean (known to come from a benign or trusted source), or as common (so widespread that it is unlikely to be malicious in itself).

Since a core goal of the CTIA is to provide a simple verdict service, these judgments are the basis for the verdicts it returns. They are also the primary means by which users of the CTIA go from observables seen on their own systems to the indicators and threat intelligence data held in CTIA.

Judgment Field Summary

Judgment entities are distinct from many others in that they do not inherit from describable, but from described. This means that Judgment entities are required to have source and source_uri fields.

Because Judgments do not inherit describable, they have no title, description, or short_description fields.

Required Judgment Fields

  • observable - Each judgment must have one observable.
  • disposition - A disposition number, drawn from the mapping below.
  • disposition_name - A disposition name, drawn from the mapping below.
  • priority - An integer value 0-100 that determines the priority of a judgment. Curated feeds of black/white lists, for example known good products within your organization, should use a priority of 95. All automated systems should use a priority of 90 or less. Human judgments should have a priority of 100, so that humans can always override machines.
  • confidence - Must be one of ["Info", "Low", "Medium", "High", "None", "Unknown"].
  • severity - Must be one of ["Info", "Low", "Medium", "High", "None", "Unknown"].
  • valid_time - Must include a start_time datetime string, and may include an optional end_time, which must not be later than "2525-01-01T00:00:00.000Z". Judgment valid times should match the volatility of the observable. Domains and IP addresses can change hands very quickly and cease being malicious, so a valid_time of about 30 days is warranted for them. A sha256 hash of a malicious executable, however, will be malicious forever, so its end_time should be set to "2525-01-01T00:00:00.000Z".

Optional Judgment Fields

  • reason - A short string explaining the reason for issuing the judgment, or to provide additional context.
  • reason_uri - URI to the referenced reason.
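The field rules above, turned into a small builder and checker as an added example (this is not code from the CTIM or CTIA projects). The field names, the enumerations and the 2525 sentinel come from this page; the helper names, the set of observable types treated as volatile, and the 30-day window are assumptions of the example, and the sample inputs are constructed.

```python
from datetime import datetime, timedelta, timezone

# Added example: build and check a Judgement document that follows the field
# rules on this page. Helper names, VOLATILE_TYPES and the 30-day window are
# assumptions of the example, not part of the CTIM schema.

DISPOSITIONS = {1: "Clean", 2: "Malicious", 3: "Suspicious", 4: "Common", 5: "Unknown"}
LEVELS = {"Info", "Low", "Medium", "High", "None", "Unknown"}
NEVER_EXPIRES = "2525-01-01T00:00:00.000Z"         # latest end_time the schema allows
VOLATILE_TYPES = {"ip", "ipv6", "domain", "url"}   # assumption: these get a 30-day window
VOLATILE_WINDOW = timedelta(days=30)


def iso(dt):
    """Format a UTC datetime in the millisecond ISO-8601 form used in CTIM documents."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def valid_time_for(observable_type, start):
    """Short window for observables that change hands; effectively forever otherwise."""
    if observable_type in VOLATILE_TYPES:
        return {"start_time": iso(start), "end_time": iso(start + VOLATILE_WINDOW)}
    return {"start_time": iso(start), "end_time": NEVER_EXPIRES}


def validate_judgement(j):
    """Return a list of rule violations (empty when the document is acceptable)."""
    problems = []
    for f in ("observable", "disposition", "disposition_name", "priority",
              "confidence", "severity", "valid_time", "source", "source_uri"):
        if f not in j:
            problems.append(f"missing required field {f}")
    if problems:
        return problems
    if DISPOSITIONS.get(j["disposition"]) != j["disposition_name"]:
        problems.append("disposition and disposition_name do not match the CTIM mapping")
    if not (isinstance(j["priority"], int) and 0 <= j["priority"] <= 100):
        problems.append("priority must be an integer 0-100")
    for f in ("confidence", "severity"):
        if j[f] not in LEVELS:
            problems.append(f"{f} must be one of {sorted(LEVELS)}")
    vt = j["valid_time"]
    if "start_time" not in vt:
        problems.append("valid_time.start_time is required")
    elif "end_time" in vt:
        if parse_iso(vt["end_time"]) > parse_iso(NEVER_EXPIRES):
            problems.append("valid_time.end_time must not be later than " + NEVER_EXPIRES)
        if parse_iso(vt["end_time"]) < parse_iso(vt["start_time"]):
            problems.append("valid_time.end_time precedes start_time")
    return problems


def make_judgement(observable_type, value, disposition, priority, confidence, severity,
                   source, source_uri, reason=None, now=None):
    """Assemble a judgement, choosing valid_time from the observable's volatility."""
    now = now or datetime.now(timezone.utc)
    j = {
        "type": "judgement",   # CTIM spells the type with an "e"
        "observable": {"type": observable_type, "value": value},
        "disposition": disposition,
        "disposition_name": DISPOSITIONS[disposition],
        "priority": priority,
        "confidence": confidence,
        "severity": severity,
        "valid_time": valid_time_for(observable_type, now),
        "source": source,
        "source_uri": source_uri,
        "timestamp": iso(now),
    }
    if reason:
        j["reason"] = reason
    problems = validate_judgement(j)
    if problems:
        raise ValueError("; ".join(problems))
    return j


if __name__ == "__main__":
    t0 = datetime(2019, 3, 1, 19, 22, 45, 531000, tzinfo=timezone.utc)
    # Constructed inputs: a sandbox result for a hash and a feed entry for an IP.
    print(make_judgement("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                         2, 90, "High", "High", "Example Sandbox", "https://sandbox.example/report/1", now=t0))
    print(make_judgement("ip", "187.75.16.75", 3, 90, "Medium", "Medium",
                         "Example Feed", "https://feed.example/", now=t0))
```

The hash judgment comes out with the 2525 end_time while the IP judgment expires 30 days after its start; a document with a priority outside 0-100, a mismatched disposition pair, or a missing source_uri is rejected before it is sent anywhere.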

Dispositions

Judgments allow us to apply a disposition to an observable, and to provide metadata about how certain we are with that assessment. Valid disposition numbers and names are defined in the CTIM schema, but are summarized here:

  Disposition Number   Disposition Name
  1                    Clean
  2                    Malicious
  3                    Suspicious
  4                    Common
  5                    Unknown

Verdicts vs. Judgments

One of the services that CTIA provides is the ability to compare multiple judgments for a given observable and very quickly render a verdict based on them.

The rules for exactly how this is performed are a bit complex, but here are some basics to know:

  1. Judgments that are not valid at the time of the query (the query time lies outside their valid_time window) are not considered.
  2. More recent judgments matter more.
  3. The priority order for dispositions is Clean > Malicious > Suspicious > Unknown, so a false positive can always be overruled by explicitly creating a judgment with a Clean disposition.

A verdict indicates the most recent and most relevant disposition for a given cyber observable, as well as the judgment from which the verdict was derived.
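The three rules above applied in code, as an added example; this is not CTIA's own verdict implementation, which the page says is more involved. The tie-break order used here (disposition rank first, then priority so that a human's 100 beats an automated 90, then recency) and the placement of Common between Suspicious and Unknown are assumptions of the example. The judgment history for the IP is constructed.

```python
from datetime import datetime, timezone

# Added example, not CTIA's verdict code. Applies the verdict rules from the
# page to the judgements held for one observable. The ordering of the tie-break
# keys and the rank given to Common are assumptions of this example.

DISPOSITION_RANK = {"Clean": 0, "Malicious": 1, "Suspicious": 2, "Common": 3, "Unknown": 4}
OBSERVABLE = {"type": "ip", "value": "187.75.16.75"}


def parse_iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_valid_at(judgement, at):
    """Rule 1: a judgement counts only while `at` lies inside its valid_time."""
    vt = judgement["valid_time"]
    if parse_iso(vt["start_time"]) > at:
        return False
    return "end_time" not in vt or at < parse_iso(vt["end_time"])


def verdict(judgements, observable, at=None):
    """Return the verdict for `observable` at time `at`, or None if nothing applies."""
    at = at or datetime.now(timezone.utc)
    live = [j for j in judgements if j["observable"] == observable and is_valid_at(j, at)]
    if not live:
        return None
    best = min(live, key=lambda j: (DISPOSITION_RANK[j["disposition_name"]],   # rule 3
                                    -j["priority"],                            # humans (100) beat feeds (<= 90)
                                    -parse_iso(j["timestamp"]).timestamp()))   # rule 2
    return {
        "type": "verdict",
        "observable": observable,
        "disposition": best["disposition"],
        "disposition_name": best["disposition_name"],
        "judgement_id": best["id"],          # the judgement the verdict was derived from
        "valid_time": best["valid_time"],
    }


def _j(jid, name, priority, ts, start, end):
    """Constructed judgement carrying only the fields the verdict logic reads."""
    number = {"Clean": 1, "Malicious": 2, "Suspicious": 3, "Common": 4, "Unknown": 5}[name]
    return {"id": "transient:" + jid, "type": "judgement", "observable": OBSERVABLE,
            "disposition": number, "disposition_name": name, "priority": priority,
            "timestamp": ts, "valid_time": {"start_time": start, "end_time": end}}


# Constructed history for one IP: an expired feed hit, two live feed hits,
# a later Suspicious sandbox result, and an analyst's Clean override.
SAMPLE = [
    _j("feed-old", "Malicious",  90, "2019-01-01T00:00:00.000Z", "2019-01-01T00:00:00.000Z", "2019-02-01T00:00:00.000Z"),
    _j("feed-1",   "Malicious",  90, "2019-03-01T19:22:45.531Z", "2019-03-01T19:22:45.531Z", "2019-03-31T19:22:45.531Z"),
    _j("feed-2",   "Malicious",  90, "2019-03-03T08:00:00.000Z", "2019-03-03T08:00:00.000Z", "2019-04-02T08:00:00.000Z"),
    _j("sandbox",  "Suspicious", 90, "2019-03-10T12:00:00.000Z", "2019-03-10T12:00:00.000Z", "2019-04-09T12:00:00.000Z"),
    _j("analyst",  "Clean",     100, "2019-03-15T09:30:00.000Z", "2019-03-15T09:30:00.000Z", "2019-04-14T09:30:00.000Z"),
]

if __name__ == "__main__":
    for when in ("2019-03-05T00:00:00Z", "2019-03-12T00:00:00Z", "2019-03-20T00:00:00Z",
                 "2019-04-12T00:00:00Z", "2019-05-01T00:00:00Z"):
        print(when, verdict(SAMPLE, OBSERVABLE, parse_iso(when)))
```

Walking the sample through time shows each rule in turn: on 5 March two Malicious feed hits are live and the more recent one (feed-2) supplies the verdict; on 12 March the newer Suspicious result does not displace Malicious because disposition rank is checked before recency; once the analyst's Clean judgment starts on 15 March it wins outright, and it keeps winning on 12 April after every feed judgment has expired; on 1 May nothing is valid and no verdict is produced.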

Example Judgment

{
    "type":"judgement",
    "source":"Modeling Threat Intelligence in CTIM Tutorial",
    "source_uri":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
    "valid_time":{
        "start_time":"2019-03-01T19:22:45.531Z",
        "end_time":"2019-03-31T19:22:45.531Z"
    },
    "observable":{
        "type":"ip",
        "value":"187.75.16.75"
    },
    "external_ids":[
        "ctim-tutorial-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498"
    ],
    "disposition":2,
    "disposition_name":"Malicious",
    "priority":95,
    "id":"transient:ctim-tutorial-judgement-4340e8cc49ff428e21ad1467de4b40246eb0e3b8da96caa2f71f9fe54123d498",
    "severity":"High",
    "tlp":"green",
    "timestamp":"2019-03-01T19:22:45.531Z",
    "confidence":"High"
}