ThreatAssess and CAL

Last Updated: Nov 15, 2018 05:20PM EST

Overview

ThreatAssess and the ThreatConnect® Collective Analytics Layer (CAL) provide metrics that give users context and insights about their Indicators. Located on the Indicator Analytics card of the Details window and Details screen for an Indicator, they serve different, but complementary, functions. ThreatAssess provides a single score for an Indicator that is derived from data for the Indicator across all sources in a local ThreatConnect instance. CAL provides anonymized, crowdsourced intelligence derived from global data for the Indicator across all participating instances of the ThreatConnect platform. ThreatAssess and CAL scores can be examined together to analyze how the understanding of a local instance compares with the collective understanding.

ThreatAssess

ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have to a security organization. It also provides a breakdown of those factors that went into the calculation of that score, all of which come from data from within the user’s ThreatConnect instance.

Steps

  1. On the top navigation bar (Figure 1), hover the cursor over BROWSE and then over the INDICATORS option. Click on an object (HOST in this example) to display a results table (Figure 2).
  2. Click on one of the entries, and the Details flyout for that entry will appear (Figure 3).
  3. A summary version of the ThreatAssess score is provided above the Threat Rating and Confidence Rating section. To view more information, click the Details icon at the top right corner of the flyout, and the Overview tab of the Details screen will appear (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. The ThreatAssess score and related data are provided at the top of the Indicator Analytics card. Hovering the cursor over each item provides a definition of the item (Figure 5).
    • Recent False Positive Reported: Indicators that were reported as false positives represent a lower risk to your security organization. Indicators that were reported as false positives will have a lower ThreatAssess score. A checkmark indicates that the Indicator was recently reported as a false positive, where the amount of time that qualifies as “recently” is defined by the System Administrator. The default time period is 7 days.
    • Impacted by Recent Observation: Indicators that were observed in an actual network potentially represent a greater risk to your security organization. A high number of recent observations may raise or lower the ThreatAssess score, depending on the nature of the Indicator. A checkmark indicates that the Indicator was impacted by recent observation, where the amount of time that qualifies as “recent” is defined by the System Administrator. The default time period is 7 days.
    • ThreatAssess Score: The ThreatAssess score (232 in Figure 5) is out of a maximum value of 1000. It is calculated based on the aforementioned metrics, as well as Threat Rating [based on the weighted-average Threat Rating (“evilness”) of the Indicator across multiple sources in your instance of ThreatConnect] and Confidence Rating (based on the weighted-average Confidence Rating of the Indicator across multiple sources in ThreatConnect). Indicators with higher ThreatAssess scores represent an overall higher risk to your security organization.
    • Assessment: The Assessment (“Medium” in Figure 5) is a brief summary of how threatening a given Indicator is to your security organization. There are four possible Assessments: Low, Medium, High, and Critical. Consult your System Administrator for the definitions and thresholds of the Assessments used in your instance of ThreatConnect, as System Administrators may customize the definitions and thresholds of the Assessments for their ThreatConnect instance.
  5. For newly created Indicators, ThreatAssess may not yield any results at first, as data have not yet been populated (Figure 6).

CAL

CAL aggregates anonymized data about an Indicator from all participating instances of ThreatConnect and other sources, giving users context about how the information they have on an Indicator compares with the information that the wider ThreatConnect community has on the Indicator.

Steps

  1. On the top navigation bar (Figure 1), hover the cursor over BROWSE and then over the INDICATORS option. Click on an object (HOST in this example) to display a results table (Figure 2).
  2. Click on one of the entries, and the Details flyout for that entry will appear (Figure 7).
  3. CAL data are provided at the bottom of the Details flyout. Scroll down to view them if necessary. The same data may be accessed by clicking the Details icon at the top right corner of the flyout and viewing the Indicator Analytics section of the Overview tab of the Details screen (Figure 8). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  4. Figure 9 shows the Indicator Analytics section of the Overview tab expanded to show all of the CAL data for the Indicator. It also demonstrates how hovering the cursor over an item causes a tooltip with the definition of the item to pop up.
  5. For newly created Indicators, CAL may not yield any results at first, as data have not yet been populated (Figure 6). If there is no CAL section on the Details flyout or the Overview tab of the Details screen for an Indicator, then the System Administrator may have disabled use of CAL for the instance.
  6. CAL may also display a Classification section for some Indicators (Figure 10). CAL Classifiers are pre-defined categorizations derived from CAL’s classification analytics. Examples of CAL Classifiers include, but are not limited to, TorExitNode, Trending.Observations, HostedInfrastructure.AWS, and TLD.Risky.
  7. Table 1 lists some examples of CAL fields and sample data for each. Only fields for which data exist will show up in the CAL results for a given Indicator.

Table 1

CAL Field                                             Sample Data
----------------------------------------------------  -----------------
Activity: False Positives (All Time)                  11
Activity: False Positives (Last Reported)             12/19/16 10:57:04
Activity: False Positives (Previous 7 Days)           3
Activity: False Positives (Today)                     1
Activity: Observations (All Time)                     42
Activity: Observations (Last Observed)                12/19/16 10:57:04
Activity: Observations (Previous 7 Days)              21
Activity: Observations (Today)                        3
Activity: Impressions (All Time)                      22
Activity: Impressions (Previous 7 Days)               5
Activity: Impressions (Today)                         2
Feeds: Feeds Reporting this Indicator                 tor_exit_node
Feeds: First Reported in a Feed                       12/19/16 10:57:04
Feeds: Last Reported in a Feed                        12/19/16 10:57:04
Feeds: Number of Feeds Reporting this Indicator       2
Known Good: Feeds Reporting this Indicator as Benign  google_safebrowsing
Known Good: Reported in a Known Good Source           TRUE
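The Overview notes that ThreatAssess and CAL are meant to be examined together. The Python below is an added example, not ThreatConnect code: it parses CAL fields laid out as in Table 1 into typed values and lists the points where a local ThreatAssess view (the Assessment level and the Recent False Positive flag) disagrees with the collective CAL view. The sample record, the review rules and the local_assessment/local_false_positive inputs are constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample record in the "<field> <sample data>" layout of Table 1.
CAL_SAMPLE = """\
Activity: False Positives (All Time) 11
Activity: Observations (Last Observed) 12/19/16 10:57:04
Activity: Observations (Previous 7 Days) 21
Feeds: Feeds Reporting this Indicator tor_exit_node
Feeds: Number of Feeds Reporting this Indicator 2
Known Good: Reported in a Known Good Source TRUE
"""

# A line is "<field name> <value>", where the value is a timestamp or a single token.
LINE_RE = re.compile(r"^(?P<name>.+?) (?P<value>\d\d/\d\d/\d\d \d\d:\d\d:\d\d|\S+)$")

def _typed(value):
    """Counts become int, TRUE/FALSE become bool, timestamps become datetime, else str."""
    if value.isdigit():
        return int(value)
    if value.upper() in ("TRUE", "FALSE"):
        return value.upper() == "TRUE"
    try:
        return datetime.strptime(value, "%m/%d/%y %H:%M:%S")
    except ValueError:
        return value

def parse_cal(text):
    """Map each CAL field name to its typed value; lines that do not fit are skipped."""
    record = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            record[match.group("name")] = _typed(match.group("value"))
    return record

def review_notes(local_assessment, local_false_positive, cal):
    """Flag where the local ThreatAssess view and the collective CAL view disagree (assumed rules)."""
    notes = []
    known_good = cal.get("Known Good: Reported in a Known Good Source", False)
    feeds = cal.get("Feeds: Number of Feeds Reporting this Indicator", 0)
    recent_obs = cal.get("Activity: Observations (Previous 7 Days)", 0)
    if local_assessment in ("High", "Critical") and known_good:
        notes.append("rated %s locally but reported in a known-good source" % local_assessment)
    if local_false_positive and feeds and recent_obs:
        notes.append("marked false positive locally but %d feeds report recent observations" % feeds)
    if local_assessment == "Low" and feeds >= 2 and recent_obs:
        notes.append("rated Low locally but %d feeds report it and it was observed this week" % feeds)
    return notes
```

Each note is a prompt for an analyst to revisit the Indicator, not an automatic change to either score.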


CAL is a trademark of ThreatConnect, Inc.

20053-06 EN Rev. B
