CAL Automated Threat Library (ATL)

Minimum Role: Read Only User

Prerequisites: CAL Automated Threat Library feed activated by a System Administrator; On-Premises instances must be able to receive data from cal.threatconnect.com

What Is ATL?

We have created a new data source called the CAL™ Automated Threat Library, abbreviated as ATL.

ATL is the evolution of the popular Technical Blogs and Reports (TBR) Source. ThreatConnect^® has incorporated all the great feedback from TBR users and made it better than ever in this new form. ATL brings a number of significant improvements, detailed in this announcement. We are excited to improve one of the most heavily used data sources in the ThreatConnect ecosystem using the cutting-edge analytics available in the Collective Analytics Layer (CAL).

Improvements Made with ATL

Native Integration with the ThreatConnect Platform

ATL leverages the ThreatConnect data model to its fullest. Upon release, it will have the following features:

• Individual blog posts from 60 blogs as Report objects, with HTML converted to viewable Markdown.
• Intrusion Sets, Malware families, ATT&CK^® Techniques, Tools, and more as defined by the MITRE ATT&CK^® Library. This set of features includes Attributes and descriptions as provided by MITRE^®.
• Vulnerabilities from the National Vulnerability Database (NVD), with descriptions where applicable.
• Curation of associations between Group objects to enable proper pivoting, dashboarding, and ThreatConnect Query Language (TQL) queries. This feature includes automatic alias translation. For example, if a blog mentions “Geodo” or “Emotet,” CAL will find it and create an association to Group objects for the alias.

ATT&CK Technique Identification Using NLP

Using the natural-language processing (NLP) capabilities of CAL, ATL will automatically associate blogs to ATT&CK Techniques based on plain-English sentences. Many solutions rely on a simplistic match for something like “T1569.002” (System Services: Service Execution) to determine that text may be related to an indicator. CAL’s approach uses a trained-NLP model to identify sentences within a blog, like “Adversaries may abuse the Windows service control manager to execute malicious commands or payloads,” to detect pertinent Attack Pattern Groups and associate them to the Report.

Smarter Indicator Curation

One of the top requests from ThreatConnect users has been to create a smarter way to curate Indicators beyond plain regular-expression scrapes. ATL uses CAL’s insights to normalize Source data, including the following improvements:

• Better removal of false positives that don’t belong in the Source, such as links to blogs on the same website, author email addresses, and so on.
• Better ThreatAssess mappings for the Indicators that remain. If CAL already knows about an Indicator’s reputation, CAL will set the Threat Rating and Confidence Rating accordingly to ensure that Indicators behave appropriately in your environment.
• Better inclusion of CAL’s Indicator Status so that if benign Indicators are memorialized in the platform, they are less likely to create false alerts through integrations.

Enhanced Platform Flexibility and Stability

Improvements in CAL 3.0 allow ATL to flex and scale as the volume, variety, and velocity of data sources are added.

Important Questions

When Can I Enable CAL ATL?

The CAL Automated Threat Library is available in the ThreatConnect App Catalog as of September 1, 2022.

How Can I Enable CAL ATL?

The CAL ATL feed can be activated just like all other CAL feeds on the Feeds tab of the TC Exchange™ Settings screen:

Please note the following activation guidance:

• Only Administrators can activate the CAL Automated Threat Library Source feed..
• As with other CAL feeds, users do not need to have CAL enabled in System Settings to enable ATL.
• As with other CAL feeds, On-Premises users will need to ensure that their instance can reach cal.threatconnect.com to receive the data.
• The initial data load when first enabling ATL will be larger than its daily updates. While we don’t anticipate performance disruptions, we advise customers to enable ATL when the potential impact of such a data load would be minimized, such as before or after standard working hours.

What Is Happening to TBR?

TBR will be deprecated and de-activated after users have been given sufficient time to migrate to ATL.

• On December 31, 2022, all of the infrastructure that is responsible for populating new data into the Technical Blogs & Reports Source on Public Cloud will be turned off.
• Customers who already have TBR enabled may keep their existing TBR Source within their instance for legacy purposes. As of December 31, 2022, no new data will populate in that Source. In the interim, we encourage users to use ATL and ensure that any dependencies (integrations, Playbooks, dashboards, etc.) are updated to use the new Source.
• The initial launch of ATL includes 60 days of historical data prior to the launch date of September 1, 2022. Our analysis yielded this amount of data as the right balance between having adequate historical data and not introducing a high volume of irrelevant or outdated data.

How Can I Provide Feedback?

We are very excited for the initial launch of ATL and will be continuously adding new features and functionality. If you have feedback and suggestions for items such as the following, please provide them directly to your Customer Success Manager (CSM) or via ProductBoard:

• Requests for additional blogs
• False-positive (or false-negative!) Indicators
• Improvements to blog parsing and rendering
• Improvements to matching analysis (aliases, Attack Patterns, etc.)

Please ensure that your feedback requests come with examples, which are critical for our Product and Engineering teams to implement enhancements quickly.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
 CAL™ and TC Exchange™ are trademarks of ThreatConnect, Inc.
MITRE^®, ATT&CK^®, and MITRE ATT&CK^® are registered trademarks of The MITRE Corporation.

20140-01 v.01.B