- 12 Apr 2023
- 4 Minutes to read
Pivoting with CAL
- Updated on 12 Apr 2023
Overview
You can use the Pivot with CAL option to explore Indicator and Group relationships that exist in CAL™. This option is displayed in the contextual menu for Indicator and Group nodes only.
Performing a Pivot
- Click on an Indicator or Group node displayed on an object’s graph.
- Select Pivot with CAL from the node’s contextual menu. If data exist in CAL for the Indicator or Group, a list of available CAL relationship types on which you can pivot and the number of related objects included in each relationship type will be displayed (Figure 1). See the “CAL Relationship Types” section for a list of CAL relationship types available for Indicators and Groups.
- Select an available CAL relationship type (Resolved Domains in this example) on which to pivot. The following items will be displayed on the graph (Figure 2):
  - One or more related nodes, each of which represents a related Indicator (if pivoting on an Indicator) or Group (if pivoting on a Group). Each node will include a node label that displays the corresponding object’s summary.
  - A connection between each related node and the node from which you pivoted. For pivots made within CAL, the connection is gray and includes a connection label that displays the relationship between the two objects (i.e., the CAL relationship type).
Repeat this process for related nodes or the origin node as desired. For example, pivoting on the Uses Tool CAL relationship for the Fancy Bear Adversary Group associated to the Menace Initiative Threat Group adds nine related Group nodes to the graph, each of which represents a Tool Group related to Fancy Bear (Figure 3).
When you pivot from one node to a second node and then pivot from the second node back to the first node, a bidirectional arrow will be displayed on the graph, and the connection label will reflect the most recent CAL relationship type on which you pivoted. In the example in Figure 4, the first pivot is from the APT28 Intrusion Set Group to nine Tool Groups via the Uses Tool CAL relationship. The following pivot is from the KODIAC Tool to three Intrusion Set Groups, including the existing APT28 Intrusion Set, via the Used by Intrusion Set CAL relationship. When making this pivot, the arrow connecting the APT28 Intrusion Set to the KODIAC Tool Group changes to a bidirectional arrow to reflect the pivot from the KODIAC Tool Group back to the APT28 Intrusion Set Group, and the connection label changes from Uses Tool to Used by Intrusion Set.
CAL Relationship Types
See Tables 1 and 2 for a list of CAL relationship types available for Indicators and Groups, respectively.
CAL Relationship Type | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
---|---|---|
Base Host | URL | Host |
Base URL | URL | URL |
CIDR Ranges | Address, ASN | CIDR |
DNS Resolutions | Host | Address |
Email Host | Email Address | Host |
Known ASNs | CIDR | ASN |
Known Email Addresses | Host | Email Address |
Known URL Extensions | URL | URL |
Known URLs | Host | URL |
Member IPs | CIDR | Address |
Nameserver Clients | Host | Host |
Nameservers | Host | Host |
Parent Domain | Host | Host |
Registered Domains | Email Address | Host |
Resolved Domains | Address | Host |
Subdomains | Host | Host |
WHOIS Registrants | Host | Email Address |

CAL Relationship Type | Starting Group Type(s) | Group Type Returned from Pivot |
---|---|---|
Achieved By | Tactic | Attack Pattern |
Achieves Tactic | Attack Pattern | Tactic |
Contains Subtechnique | Attack Pattern | Attack Pattern |
Mitigated By | Attack Pattern | Course of Action |
Mitigates Attack Pattern | Course of Action | Attack Pattern |
Revoked By | Attack Pattern | Attack Pattern |
Revoked By | Intrusion Set | Intrusion Set |
Revoked By | Malware | Malware |
Revokes | Attack Pattern | Attack Pattern |
Revokes | Intrusion Set | Intrusion Set |
Revokes | Malware | Malware |
Subtechnique Of | Attack Pattern | Attack Pattern |
Used by Intrusion Set | Attack Pattern | Intrusion Set |
Used by Malware | Attack Pattern | Malware |
Used by Tool | Attack Pattern, Intrusion Set | Tool |
Uses Attack Pattern | Intrusion Set, Malware, Tool | Attack Pattern |
Uses Malware | Intrusion Set | Malware |
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.