AI Exploited-Vulnerability Analyzer

Overview

The AI Exploited-Vulnerability Analyzer helps you prioritize time-sensitive reports on zero-day and exploited vulnerabilities in the CAL™ Automated Threat Library (ATL) Source in ThreatConnect® by identifying and labeling Report Groups on these topics with the Topic: Zero Day and Topic: Vulnerability Tags and providing a more specific and vulnerability-focused artificial intelligence (AI) summary for the Reports. In addition, the AI Exploited-Vulnerability Analyzer powers zero-day-specific keyword recognition in Intelligence Requirements (IRs), providing additional zero-day-related keyword suggestions and returning CAL ATL Reports with the Topic: Zero Day Tag as global results.

Intelligence teams often face challenges in efficiently identifying exploited vulnerabilities, leading to knowledge gaps and delayed responses to critical vulnerabilities. In particular, zero-day vulnerabilities are highly exploited and represent a significant threat vector requiring timely detection and action. Unfortunately, identifying information about vulnerabilities is more complex than simple word matching, because non-relevant slang, advertisements, and other references create “noise” that can be overwhelming, distract from pertinent information, and delay identification and response times. Being able to quickly identify and understand content on zero-day and other exploited vulnerabilities can critically influence an organization’s ability to build and deploy defensive strategies in a timely manner. 

The AI Exploited-Vulnerability Analyzer, powered by the CAL Doc Analysis Service, helps you weed out the “noise” to focus on the most current and high-impact threats posted by zero-day and exploited vulnerabilities.

Before You Start

User Roles

• To view details, including Tags and AI summaries, for Reports in the CAL Automated Threat Library Source, your user account can have any Organization role.
• To add keywords to an IR, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To view IR results, your user account can have any Organization role.

Prerequisites

• Activate the CAL Automated Threat Library feed if it is not already activated (must be a System Administrator to perform this action).
• Verify your ThreatConnect instance can receive data from cal.threatconnect.com (if using an On Premises instance).

Zero-Day and Vulnerability Tags for CAL ATL Reports

The AI Exploited-Vulnerability Analyzer examines Description Attributes of Report Groups in the CAL Automated Threat Library Source for specific words and phrases to determine whether the content is likely about a zero-day vulnerability, an exploited vulnerability in general, or neither. For content related to exploited vulnerabilities, it adds one of the following Tags to the Report Group:

• Topic: Zero Day - An AI classification Tag in ThreatConnect that identifies Report Groups in the CAL Automated Threat LibrarySource whose Description Attribute contains content that is highly likely to be about a high-impact zero-day vulnerability (Figure 1).
  Note

  Only Reports about zero-day vulnerabilities that are likely to pose a threat are labeled with the Topic: Zero Day Tag. General, educational, or policy-focused content on zero-day vulnerabilities will not be tagged.
  Note

  The Topic: Zero Day Tag is different from the legacy Blog: Zero Day Initiative Tag used previously for CAL ATL Reports.
• Topic: Vulnerability - An AI classification Tag in ThreatConnect that identifies Report Groups in the CAL Automated Threat Library Source whose Description Attribute contains content that is highly likely to be about a high-impact exploited vulnerability (Figure 2).

Identification of Zero-Day and Vulnerability Tags

CAL ATL Reports with the Topic: Zero Day or Topic: Vulnerability Tag tend to have one or more the following qualities:

• The report content focuses on details of an exploited vulnerability and how the vulnerability was discovered.
• The report content provides information related to the Common Vulnerabilities and Exposures (CVEs), such as identifiers and other vulnerability-specific content.
  Note

  Very new zero-day vulnerabilities may not yet have a CVE number.
• The report content does not provide mitigations for the vulnerability, suggesting that the vulnerability is new.

The following factors tend to reduce the likelihood that a CAL ATL Report has the Topic: Zero Day or Topic: Vulnerability Tag:

• The report content discusses mitigations for a vulnerability.
• The report content is an advertisement that uses to the expression “zero day” (e.g., the Zero Day movie on Netflix®).
• The report content focuses on general information about exploited vulnerabilities, such as academic resources or hackathons.
• The report content specifically focuses on threat actors’ use of an exploited vulnerability.
• The report content focuses on an organization’s discovery of an exploited vulnerability in its environment.
• The report content describes the implications of a particular vulnerability being exploited.

Vulnerability-Focused AI Summaries

The AI Exploited Vulnerability Analyzer powers AI summaries for CAL ATL Reports with the Topic: Zero Day or Topic: Vulnerability Tag to provide more contextually relevant and vulnerability-specific information from the text of the Report’s Description Attribute, covering the following topics to the extent that they are covered by the content in the Description:

• The authority describing the zero-day vulnerability
• CVE ID and/or vulnerability name
• Affected systems
• Description of the exploit or attack
• Information on any available fixes

Customized CAL ATL Zero-Day Indicator Capture

Indicators related to zero-day vulnerabilities are often hard to identify in report content because, as a new threat and risk, they have little enrichment and scoring available. Because CAL ATL takes many different steps—such as manual safelist review, known-good infrastructure enrichment, and use of scoring thresholds—to filter out “noise” so that you can stay focused on threats, it’s important that information on new vulnerabilities is not filtered out as well. To ensure that zero-day Indicators are captured in CAL ATL content, Reports with Topic: Zero Day Tag have the normal CAL ATL scoring threshold lowered. 

Zero-Day Vulnerability Features in Intelligence Requirements

Intelligence Requirements leverage the AI Exploited-Vulnerability Analyzer to provide zero-day-specific keyword suggestions and global results.

Zero-Day Vulnerability IR Keyword Suggestions

When creating or editing IRs, if you enter keywords related to zero-day vulnerabilities, the keyword suggestions will include zero-day-specific synonyms (Figure 3).

Zero-Day Vulnerability IR Global Results

Global results for IRs using zero-day keywords return CAL ATL Reports with the Topic: Zero Day Tag.

Frequently Asked Questions (FAQ)

Why are some CAL ATL Reports about the same vulnerability classified differently? For example, some have the Topic: Zero Day Tag, some have the Topic: Vulnerability Tag, and some have no vulnerability-specific Tag at all?

Information about the same vulnerability may be included in multiple CAL ATL Reports. The AI Exploited-Vulnerability Analyzer analyzes the content of each Report individually to determine whether it covers a zero-day vulnerability topic, an exploited-vulnerability topic, or neither. The contents of every Report are framed differently or include and exclude different details, which may result in different classifications. In addition, Reports without sufficient detail or that only link to external resources without providing further content may not have enough information to qualify for one of the vulnerability-specific Tags.

Does the AI Exploited-Vulnerability Analyzer examine the contents of links in a CAL ATL Report?

No. The AI Exploited-Vulnerability Analyzer examines only the direct contents of CAL ATL Reports. It does not examine external sources such as the contents of links in CAL ATL Reports.

Why are CAL ATL Reports about multiple vulnerabilities typically not labeled with a vulnerability-specific Tag?

The CAL Team is actively working to improve the tagging of CAL ATL Reports about multiple vulnerabilities. Typically, time-sensitive reports about zero-day and other vulnerabilities focus on specific issues that require prioritization. Analysis is most effective when it centers on a single vulnerability. Reports that discuss multiple vulnerabilities may not possess the qualities needed to be considered strong candidates for classification with a vulnerability-specific Tag. 

Can I provide feedback on CAL ATL Reports about vulnerabilities that I believe should be labeled differently?

We welcome your direct feedback on the performance and accuracy of the AI Exploited-Vulnerability Analyzer! You can share your feedback with your Customer Success Manager (CSM) or use the AI summaries feedback option (Figure 4), which allows you to send your anonymous comments about the article directly to the ThreatConnect Product Team to help us improve our features.

ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
Netflix® is a registered trademark of Netflix, Inc.

20173-01 v.01.A