ThreatAssess and CAL

Last Updated: Aug 22, 2019 01:08PM EDT

Overview

ThreatAssess and the ThreatConnect® Collective Analytics Layer (CAL) provide metrics that give users context and insights about their Indicators. Located on the Indicator Analytics card of the Details window and the Details screen for an Indicator, they serve different, but complementary, functions. ThreatAssess provides a single score for an Indicator that is derived from data for the Indicator across all sources in a local ThreatConnect instance. CAL provides anonymized, crowdsourced intelligence derived from global data for the Indicator across all participating instances of the ThreatConnect platform. ThreatAssess and CAL scores can be examined together to analyze how the understanding of a local instance compares with the collective understanding.

ThreatAssess

ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have on a security organization. It also provides a breakdown of the factors that went into the calculation of that score, all of which come from data within the user’s ThreatConnect instance.

Viewing ThreatAssess Data for an Indicator

  1. On the top navigation bar (Figure 1), hover the cursor over Browse and then over the Indicators option. Click on an object (Host in this example) to display a results table (Figure 2).
  2. Click on one of the entries, and the Details drawer for that entry will be displayed (Figure 3).
  3. A summary version of the ThreatAssess score is provided above the Threat Rating and Confidence Rating section. To view more information, click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. The ThreatAssess score and related data are provided at the top of the Indicator Analytics card. Hovering the cursor over each item provides a definition of the item (Figure 5).
    • Recent False Positive Reported: Indicators that were reported as false positives represent a lower risk to your security organization. Indicators that were reported as false positives will have a lower ThreatAssess score. A checkmark indicates that the Indicator was recently reported as a false positive, where the amount of time that qualifies as “recently” is defined by the System Administrator. The default time period is 7 days.
    • Impacted by Recent Observation: Indicators that were observed in an actual network potentially represent a greater risk to your security organization. A high number of recent observations may raise or lower the ThreatAssess score, depending on the nature of the Indicator. A checkmark indicates that the Indicator was impacted by recent observation, where the amount of time that qualifies as “recent” is defined by the System Administrator. The default time period is 7 days.
    • ThreatAssess Score: The ThreatAssess score (296 in Figure 5) is out of a maximum value of 1000. It is calculated based on the aforementioned metrics, as well as Threat Rating [based on the weighted-average Threat Rating (“evilness”) of the Indicator across multiple owners in your instance of ThreatConnect] and Confidence Rating (based on the weighted-average Confidence Rating of the Indicator across multiple owners in ThreatConnect). Indicators with higher ThreatAssess scores represent an overall higher risk to your security organization.
    • Assessment: The Assessment (“Medium” in Figure 5) is a brief summary of how threatening a given Indicator is to your security organization. There are four possible Assessments: Low, Medium, High, and Critical. Consult your System Administrator for the definitions and thresholds of the Assessments used in your instance of ThreatConnect, as System Administrators may customize them for their instance.
  5. For newly created Indicators, ThreatAssess may not yield any results at first, as data have not yet been populated (Figure 6).

CAL

CAL aggregates anonymized data about an Indicator from all participating instances of ThreatConnect and other sources, giving users context about how the information they have on an Indicator compares with the information that the wider ThreatConnect community has on the Indicator.

Viewing CAL Data for an Indicator

  1. On the top navigation bar (Figure 1), hover the cursor over Browse and then over the Indicators option. Click on an object (Host in this example) to display a results table (Figure 2).
  2. Click on one of the entries, and the Details drawer for that entry will be displayed (Figure 2). CAL data are provided at the bottom of the Details drawer. Scroll down to view them if necessary (Figure 7).
  3. CAL data may also be accessed by clicking the Details icon at the top right corner of the drawer and viewing the Indicator Analytics section of the Overview tab of the Details screen (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. Figure 8 shows the Indicator Analytics section of the Overview tab expanded to show all of the CAL data for the Indicator. It also demonstrates how hovering the cursor over an item causes a tooltip with the definition of the item to appear.
  5. For newly created Indicators, CAL may not yield any results at first, as data have not yet been populated (Figure 6). If there is no CAL section on the Details drawer or the Overview tab of the Details screen for an Indicator, then the System Administrator may have disabled use of CAL for the instance.
  6. CAL may also display a Classification section for some Indicators (Figure 9). CAL Classifiers are pre-defined categorizations derived from CAL’s classification analytics. Examples of CAL Classifiers include, but are not limited to, TorExitNode, Trending.Observations, HostedInfrastructure.AWS, and TLD.Risky.

Table 1 lists some examples of CAL fields and sample data for each. Only fields for which data exist will show up in the CAL results for a given Indicator.

Table 1

CAL Field                                              Sample Data
Activity: False Positives (All Time)                   11
Activity: False Positives (Last Reported)              12/19/18 10:57:04
Activity: False Positives (Previous 7 Days)            3
Activity: False Positives (Today)                      1
Activity: Observations (All Time)                      42
Activity: Observations (Last Observed)                 12/19/18 10:57:04
Activity: Observations (Previous 7 Days)               21
Activity: Observations (Today)                         3
Activity: Impressions (All Time)                       22
Activity: Impressions (Previous 7 Days)                5
Activity: Impressions (Today)                          2
Feeds: Feeds Reporting this Indicator                  tor_exit_node
Feeds: First Reported in a Feed                        12/19/18 10:57:04
Feeds: Last Reported in a Feed                         12/19/18 10:57:04
Feeds: Number of Feeds Reporting this Indicator        2
Known Good: Feeds Reporting this Indicator as Benign   google_safebrowsing
Known Good: Reported in a Known Good Source            TRUE
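As an added illustration (not ThreatConnect’s own code or scoring formula), the following Python models the three ThreatAssess items and the CAL fields described above and flags where the local view and the collective view disagree, which is the comparison the Overview section recommends. The Assessment score bands are assumed, since each instance’s System Administrator defines the real thresholds, and the CAL values are constructed samples taken from Table 1.

```python
from dataclasses import dataclass

# ASSUMED score floors for the four Assessments on the 0..1000 scale; the real
# thresholds are set by each instance's System Administrator.
ASSESSMENT_BANDS = [(0, "Low"), (250, "Medium"), (500, "High"), (750, "Critical")]


@dataclass
class ThreatAssess:
    """The three ThreatAssess items shown on the Indicator Analytics card."""
    score: int                            # 0..1000
    recent_false_positive: bool           # "Recent False Positive Reported"
    impacted_by_recent_observation: bool  # "Impacted by Recent Observation"


def assessment_for(score: int) -> str:
    """Map a ThreatAssess score onto an Assessment label (assumed bands)."""
    if not 0 <= score <= 1000:
        raise ValueError("ThreatAssess score must be between 0 and 1000")
    label = ASSESSMENT_BANDS[0][1]
    for floor, name in ASSESSMENT_BANDS:
        if score >= floor:
            label = name
    return label


def reconcile(local: ThreatAssess, cal: dict) -> list:
    """Return review notes where the local view and the CAL view disagree."""
    notes = []
    severe = assessment_for(local.score) in ("High", "Critical")
    if severe and cal.get("Known Good: Reported in a Known Good Source"):
        notes.append("severe locally but a known-good source reports it benign")
    if (cal.get("Activity: False Positives (Previous 7 Days)", 0) > 0
            and not local.recent_false_positive):
        notes.append("community false positives this week, none reported locally")
    if (cal.get("Activity: Observations (Previous 7 Days)", 0) > 0
            and not local.impacted_by_recent_observation):
        notes.append("observed across the community this week but not locally")
    return notes


# Constructed CAL sample mirroring Table 1 (only fields with data appear).
SAMPLE_CAL = {
    "Activity: False Positives (Previous 7 Days)": 3,
    "Activity: Observations (Previous 7 Days)": 21,
    "Feeds: Feeds Reporting this Indicator": ["tor_exit_node"],
    "Known Good: Feeds Reporting this Indicator as Benign": ["google_safebrowsing"],
    "Known Good: Reported in a Known Good Source": True,
}
```

Calling reconcile(ThreatAssess(296, False, True), SAMPLE_CAL) returns a single note about the community false positives, because the Figure 5 score of 296 falls in the assumed Medium band and the Indicator was observed locally.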


CAL is a trademark of ThreatConnect, Inc.

20053-07 EN Rev. A
