The CAL™ 3.15 release introduces improvements to the CAL Automated Threat Library (ATL) and expanded AI-based MITRE ATT&CK® classification coverage. These updates improve the quality of intelligence extracted from reports and expand the sources analysts can use for threat monitoring.
CAL Automated Threat Library (ATL) Updates
The CAL Automated Threat Library Source has been significantly enhanced to improve the quality, reliability, and timeliness of threat intelligence derived from cybersecurity blogs and reports:
- Over 120 of the best blog and report sources—including CERTs, government agencies, security research organizations, industry vendors, and security news—now power CAL ATL intelligence. These sources include the following:
  - 46 new blog and report sources
  - Reactivated blog and report sources:
    - 360 Netlab Blog
    - Check Point Research
    - CrowdStrike (formerly CrowdStrike Blog)
    - Dark Reading
    - Flashpoint
    - Internet Crime Complaint Center (IC3)
    - RedPacket Security (formerly Red Packet Security Pikabot C2, Red Packet Security Ransomware Feed, and Red Packet Security Posh C2)
    - Security Week
    - Splunk (formerly Splunk Threat Research Team)
    - The DFIR Report
    - The Digest (Crypto-Ransomware) (formerly ID Ransomware)
    - VIPRE Labs (formerly VIPRE Labs Blog)
- Blog and report sources are now updated hourly, allowing new threat intelligence to be added to ThreatConnect® faster.
- Improved handling of blog links reduces false positives when extracting Indicators of Compromise (IoCs).
- Tags for CAL ATL Reports now more accurately reflect source metadata, improving filtering, search, and intelligence requirement (IR) matching. See Prepare for CAL ATL Changes in CAL 3.15 Release for details on Tag updates in this release.
MITRE ATT&CK AI Classification Update
ThreatConnect’s AI-based MITRE ATT&CK classification capabilities have been expanded to identify 642 techniques and sub-techniques, an increase from 608 in previous releases. This improvement enables ThreatConnect to identify approximately 93% of MITRE ATT&CK techniques and sub-techniques through implicit references in threat reports.
These updates will improve analyst workflows in the following ways:
- Identify Tactics, Techniques, and Procedures (TTPs) not explicitly called out in reports.
- Identify four times the number of MITRE ATT&CK tactics and techniques identified by traditional matching methods.
- Prioritize the most essential reports, based on identified TTPs.
- Save time by removing irrelevant content from queries and IRs.
- Support more informed visual exploration in ThreatConnect’s ATT&CK Visualizer and Threat Graph features.
Other Updates
- CAL ATL now recognizes more name variations for MITRE ATT&CK tactics. This change allows the Pivot with CAL option in Threat Graph to include more MITRE ATT&CK tactics.
- CAL Doc Analysis Service improvements:
  - Alias extraction now includes additional capitalization variations to improve identification of Intrusion Sets and their aliases, tools, software, and other entities.
  - Indicator extraction now includes additional Autonomous System (AS) formats.
  - New obfuscation extraction options have been added.
- The description of CAL ATL Reports on the Details screen has been reformatted for a more streamlined look and to reduce false positives from inline links. All image content is now moved to the end of the description.
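The release notes above touch on two extraction problems that are easy to get wrong when ingesting blog posts as intelligence: hyperlink markup in a post (navigation and "related reading" links) turning into false-positive URL indicators, and defanged IoCs or variant AS-number spellings being missed. The following Python script is an added example illustrating both; it is not ThreatConnect's code and says nothing about how CAL ATL or the CAL Doc Analysis Service implement these features. The sample blog fragment, the defanging conventions (hxxp, [.], (dot), [:], [@]) and the AS spellings it accepts are all assumptions made for the demonstration.

```python
"""Extract IoCs from a threat-intel blog post: visible text only, refanged, normalized."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed sample: a blog fragment as a scraper would fetch it. The <nav> and
# "related reading" anchors are vendor links, not indicators; the <article> text
# carries defanged IoCs and an AS number written two ways.
SAMPLE_HTML = """
<nav><a href="https://www.example-vendor.com/blog">Blog home</a>
<a href="https://www.example-vendor.com/products/edr">Try our EDR</a></nav>
<article>
<p>The loader beacons to hxxp://c2-panel[.]example[.]net/gate[.]php and to 203[.]0[.]113[.]5,
hosted in AS64496 (also written ASN 64496 in some feeds) and resolves staging[.]example[.]org.
The dropper is named payload.exe.</p>
<p>Related reading: <a href="https://www.example-vendor.com/blog/earlier-post">our earlier post</a>.</p>
</article>
"""

# Defanging conventions assumed here; real feeds use many more variants.
REFANG_RULES = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]|\(at\)", re.I), "@"),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# AS spellings accepted (assumed): AS64496, ASN64496, AS 64496, ASN 64496, AS-64496.
# Case-sensitive on purpose so the English word "as" never matches.
ASN_RE = re.compile(r"\bASN?[ -]?(\d{1,10})\b")
# Tiny allowlist for the demo so file names like payload.exe are not reported as
# domains; production code should use the public suffix list instead.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "biz"}


class _VisibleText(HTMLParser):
    """Collect text nodes only; attribute values such as href are never emitted."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Return the text a reader sees; hyperlink targets are dropped with the markup."""
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.parts)


def refang(text: str) -> str:
    for pattern, replacement in REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def _valid_ipv4(candidate: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Refang, then pull URLs, IPv4s, bare domains and normalized AS numbers."""
    text = refang(text)
    urls = {u.rstrip(".,;:)]}\"'") for u in URL_RE.findall(text)}
    remainder = URL_RE.sub(" ", text)  # avoid double-reporting URL hosts as domains
    ipv4 = {ip for ip in IPV4_RE.findall(remainder) if _valid_ipv4(ip)}
    domains = {
        d.lower() for d in DOMAIN_RE.findall(remainder)
        if d.rsplit(".", 1)[-1].lower() in KNOWN_TLDS
    }
    asns = {f"AS{int(n)}" for n in ASN_RE.findall(remainder)}
    return {"url": urls, "ipv4": ipv4, "domain": domains, "asn": asns}


def extract_from_blog(html: str, visible_text_only: bool = True) -> Dict[str, Set[str]]:
    """visible_text_only=False reproduces the naive behaviour that sweeps up hrefs."""
    source = visible_text(html) if visible_text_only else html
    return extract_iocs(source)


if __name__ == "__main__":
    print("visible text only:", extract_from_blog(SAMPLE_HTML))
    print("raw HTML:", extract_from_blog(SAMPLE_HTML, visible_text_only=False))
```

Running the script prints the two result sets side by side: the visible-text pass yields only the C2 URL, the IP, the bare domain and a single normalized `AS64496`, while the raw-HTML pass additionally reports the vendor's own blog and product links as URL indicators, which is exactly the kind of inline-link false positive a feed consumer has to filter out.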
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.