- 26 Oct 2022
- 7 Minutes to read
ThreatAssess and CAL
Minimum Role: System and Organization role of Read Only User
Prerequisites: An Indicator; CAL enabled on your ThreatConnect instance and for your Organization
ThreatAssess and the ThreatConnect® Collective Analytics Layer (CAL™) provide metrics that give users context and insights about their Indicators. Located on the Indicator Analytics card of the Details drawer and the Details screen for an Indicator, they serve different, but complementary, functions. ThreatAssess provides a single score for an Indicator that is derived from data for the Indicator across all sources in a local ThreatConnect instance. CAL provides anonymized, crowdsourced intelligence derived from global data for the Indicator across all participating instances of the ThreatConnect platform. ThreatAssess and CAL data can be examined together to analyze how the understanding of a local instance compares with the collective understanding.
ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have on a security organization.
Viewing ThreatAssess Data for an Indicator
On the top navigation bar, hover the cursor over Browse and select Indicators to display all Indicator types, or select an Indicator type (Host in this example) to display all Indicators of that type. Next, click on an entry to display its Details drawer (Figure 1).
A summary of the ThreatAssess score is displayed above the Threat Rating and Confidence Rating sections. To view more information, click the Details icon at the upper-right corner of the drawer, or hover over the object’s entry in the table and click the Details icon displayed on the right side of its Summary cell, to display the Overview tab of the Details screen for the object (Figure 2).
The ThreatAssess score and related data are displayed at the top of the Indicator Analytics card. Hovering the cursor over each item in the ThreatAssess section of the card displays a definition of the item.
- Recent False Positive Reported: Indicators that were reported as false positives represent a lower risk to your security organization and will have a lower ThreatAssess score. Based on whether the Indicator was recently reported as a false positive, one of the following icons will be displayed:
- Green checkmark: The Indicator was recently reported as a false positive, where the amount of time that qualifies as “recently” is defined by the System Administrator. The default time period is 7 days.
- Circle with a horizontal line: The Indicator was not recently reported as a false positive.
- Impacted by Recent Observation: Indicators that were observed in an actual network potentially represent a greater risk to your security organization. A high number of recent observations may raise or lower the ThreatAssess score, depending on the nature of the Indicator. Based on whether the Indicator was impacted by a recent observation, one of the following icons will be displayed:
- Green checkmark: The Indicator was impacted by a recent observation, where the amount of time that qualifies as “recent” is defined by the System Administrator. The default time period is 7 days.
- Circle with a horizontal line: The Indicator was not impacted by a recent observation.
- ThreatAssess Score: The ThreatAssess score (212 in Figure 2) is out of a maximum value of 1000. Indicators with higher ThreatAssess scores represent an overall higher risk to your security organization. An Indicator’s ThreatAssess score is calculated based on the following metrics:
- Recent False Positive Reported
- Impacted by Recent Observation
- Threat Rating (based on the weighted-average Threat Rating [i.e., “evilness”] of the Indicator across multiple owners in your instance of ThreatConnect)
- Confidence Rating (based on the weighted-average Confidence Rating of the Indicator across multiple owners in ThreatConnect).
- Assessment: The Assessment (Medium in Figure 2) represents a summary of how threatening a given Indicator is to your security organization. There are four possible Assessments: Low, Medium, High, and Critical. Contact your System Administrator for the definitions and thresholds of the Assessments used in your instance of ThreatConnect. System Administrators may customize the definitions and thresholds of the Assessments for their ThreatConnect instance. See the “ThreatAssess” section of ThreatConnect Account Administration Guide for more information.
For new Indicators, ThreatAssess may not yield any results at first, as data have not yet been populated. In this case, a message stating “ThreatAssess has not yet analyzed this indicator.” will be displayed in the ThreatAssess section of the Indicator Analytics card.
CAL aggregates anonymized data about an Indicator from all participating instances of ThreatConnect and other sources, giving users context about how the information they have on an Indicator compares with the information that the wider ThreatConnect community has on the Indicator.
Viewing CAL Data for an Indicator
CAL data are displayed at the bottom of an Indicator’s Details drawer (Figure 1). Scroll down to view them, if necessary (Figure 3).
CAL data can also be viewed on the Indicator Analytics card of the Overview tab of the Details screen for an Indicator (Figure 2). In addition to viewing CAL data, you can click the Explore In Graph button at the top left of the Details screen to discover, visualize, and explore relationships between Indicators within a CAL dataset using a graph-based interface. See the “Pivot with CAL” section of Exploring Associations for more information.
Figure 4 shows the Indicator Analytics section of the Overview tab expanded to display all CAL data for the Indicator, under the CAL™ Insights heading. Sections under the CAL™ Insights heading can be expanded and collapsed by clicking on the section heading.
Hovering the cursor over the three graph headings (Daily False Positives, Daily Impressions, and Daily Observations) in the Trends section displays a definition of the metric being represented by the graph. By default, the three graphs display data for the past 30 days. To display data for the past 7 days, click 7 days at the top right of the three graphs.
For new Indicators, CAL may not yield any results at first, as data have not yet been populated. If there is no CAL section on the Details drawer or the Overview tab of the Details screen for an Indicator, then the System Administrator may have disabled use of CAL for the instance.
CAL may display a Classification section for some Indicators (Figure 5). CAL Classifiers are pre-defined categorizations derived from CAL’s classification analytics. Examples of CAL Classifiers include, but are not limited to, TorExitNode, Trending.Observations, HostedInfrastructure.AWS, and TLD.Risky. See CAL Classifiers Glossary for more information, including a table that lists and defines all currently available Classifiers.
Table 1 lists examples of CAL fields and sample data for each. Only fields for which data exist will show up in the CAL results for a given Indicator.

| CAL Field | Sample Data |
|---|---|
| Activity: False Positives (All Time) | 11 |
| Activity: False Positives (Last Reported) | 12/19/2018 10:57:04 |
| Activity: False Positives (Previous 7 Days) | 3 |
| Activity: False Positives (Today) | 1 |
| Activity: Observations (All Time) | 42 |
| Activity: Observations (Last Observed) | 12/19/2018 10:57:04 |
| Activity: Observations (Previous 7 Days) | 21 |
| Activity: Observations (Today) | 3 |
| Activity: Impressions (All Time) | 22 |
| Activity: Impressions (Previous 7 Days) | 5 |
| Activity: Impressions (Today) | 2 |
| Feeds: Feeds Reporting this Indicator | tor_exit_node |
| Feeds: First Reported in a Feed | 12/19/2018 10:57:04 |
| Feeds: Last Reported in a Feed | 12/19/2018 10:57:04 |
| Feeds: Number of Feeds Reporting this Indicator | 2 |
| Known Good: Feeds Reporting this Indicator as Benign | google_safebrowsing |
| Known Good: Reported in a Known Good Source | TRUE |
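As an added example, not ThreatConnect's own code and not an API call, the following Python models the two recency flags from the ThreatAssess section above (Recent False Positive Reported, Impacted by Recent Observation) and the CAL "Activity:" rows of Table 1 from one constructed set of event timestamps. It assumes the page's 7-day default for "recent" (the administrator-defined value is passed as `window_days`), treats "Today" as the same calendar date as the evaluation time, and uses invented timestamps; the page does not describe how CAL itself derives these fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class IndicatorActivity:
    """Timestamps of the three CAL activity types for one Indicator (constructed)."""
    false_positives: List[datetime]
    observations: List[datetime]
    impressions: List[datetime]


def in_window(events: List[datetime], now: datetime, days: int) -> List[datetime]:
    """Events inside the trailing window [now - days, now]."""
    start = now - timedelta(days=days)
    return [t for t in events if start <= t <= now]


def recently(events: List[datetime], now: datetime, window_days: int = 7) -> bool:
    """ThreatAssess-style recency flag; 7 days is the page's default window."""
    return bool(in_window(events, now, window_days))


def threatassess_flags(activity: IndicatorActivity, now: datetime,
                       window_days: int = 7) -> Dict[str, bool]:
    """The two boolean inputs to the ThreatAssess score."""
    return {
        "Recent False Positive Reported": recently(activity.false_positives, now, window_days),
        "Impacted by Recent Observation": recently(activity.observations, now, window_days),
    }


def activity_rows(events: List[datetime], now: datetime, label: str,
                  last_label: Optional[str] = None) -> Dict[str, object]:
    """Rows shaped like the CAL 'Activity:' fields for one event type.
    'Today' is taken to mean the same calendar date as `now` (assumption)."""
    past = [t for t in events if t <= now]          # ignore clock skew into the future
    rows: Dict[str, object] = {
        f"Activity: {label} (All Time)": len(past),
        f"Activity: {label} (Previous 7 Days)": len(in_window(past, now, 7)),
        f"Activity: {label} (Today)": sum(1 for t in past if t.date() == now.date()),
    }
    if last_label and past:                          # Impressions have no 'Last' row in Table 1
        rows[f"Activity: {label} ({last_label})"] = max(past).strftime("%m/%d/%Y %H:%M:%S")
    return rows


def cal_activity(activity: IndicatorActivity, now: datetime) -> Dict[str, object]:
    rows: Dict[str, object] = {}
    rows.update(activity_rows(activity.false_positives, now, "False Positives", "Last Reported"))
    rows.update(activity_rows(activity.observations, now, "Observations", "Last Observed"))
    rows.update(activity_rows(activity.impressions, now, "Impressions"))
    return rows


# Constructed sample data (not real CAL output): evaluation time and event timestamps.
NOW = datetime(2018, 12, 19, 12, 0, 0)
SAMPLE = IndicatorActivity(
    false_positives=[NOW - timedelta(hours=1), NOW - timedelta(days=2),
                     NOW - timedelta(days=6), NOW - timedelta(days=40)],
    observations=[NOW - timedelta(minutes=5), NOW - timedelta(hours=3),
                  NOW - timedelta(days=1), NOW - timedelta(days=10)],
    impressions=[NOW - timedelta(days=30)],
)

if __name__ == "__main__":
    for key, value in {**threatassess_flags(SAMPLE, NOW), **cal_activity(SAMPLE, NOW)}.items():
        print(f"{key}: {value}")
```

With the sample data, both ThreatAssess flags are set because a false positive and an observation fall inside the 7-day window, while the single impression 30 days ago counts only toward "All Time". Narrowing `window_days` to 1 still flags the false positive reported an hour ago, which is the kind of check to run before trusting a score that the page says is lowered by recent false-positive reports.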
Feed Report Cards in CAL
CAL may display a Feeds section for some Indicators, which displays information about feeds that have reported the Indicator (Figure 6).
For some feeds, an icon is displayed next to the feed name. Hover over the icon to display a window with a mini report card for the feed (Figure 7).
The mini report card provides the name and a description of the feed and the following information and metrics about the data provided by the feed:
- Reliability Grade: This item provides a letter grade indicating how reliable the feed is, from F (worst) to A+ (best). It is derived from the number of false positives found in the feed, among other things, and is a measure of how likely a feed is to yield large numbers of negatively impactful false positives.
- Uniqueness: This item provides the percentage of Indicators in this feed that are unique (i.e., that are not found in other feeds on which CAL gathers data as well). For example, a score of 28% means that 28% of the Indicators in the feed are not found in other feeds (and, consequently, that 72% of the Indicators appear in other feeds).
- Average Score: This item is a weighted average of CAL’s reputation score (0–1000) for Indicators reported by this feed in the last 90 days.
These measures provide an at-a-glance way to gauge the “health” of the feed. In addition, the colors in which the measures are displayed provide a quick indication of the feed’s health, where green signifies “good,” yellow signifies “medium,” and red signifies “bad.” Figure 8 shows a mini report card for a feed with red and yellow items.
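As an added example, not ThreatConnect's own code, the following Python computes the report-card measures defined above from constructed feed data: Uniqueness as the share of a feed's Indicators found in no other feed, Average Score as a weighted average of CAL reputation scores (0–1000) over Indicators reported in the last 90 days, and the false-positive share that is one input to the Reliability Grade. The weighting by report count, the feed names, the Indicators and the scores are all assumptions; the page does not give CAL's weights or grade thresholds, so no letter grade or colour band is derived.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FeedEntry:
    indicator: str          # Indicator value as this feed reported it
    cal_score: int          # CAL reputation score for the Indicator (0-1000)
    days_since_report: int  # days since this feed last reported the Indicator
    reports: int            # times the feed reported it; used as the averaging weight (assumption)
    false_positive: bool    # whether the Indicator was reported as a false positive


# Constructed sample feeds. Feed names, Indicators and numbers are invented for
# illustration; they are not real CAL data.
FEEDS: Dict[str, List[FeedEntry]] = {
    "feed_alpha": [
        FeedEntry("203.0.113.10", 900, 10, 3, False),
        FeedEntry("203.0.113.11", 700, 100, 1, True),
        FeedEntry("198.51.100.5", 300, 5, 1, False),
        FeedEntry("evil.example", 850, 2, 4, False),
    ],
    "feed_beta": [
        FeedEntry("203.0.113.10", 900, 30, 1, False),
        FeedEntry("198.51.100.7", 450, 1, 1, False),
        FeedEntry("bad.example", 600, 20, 2, False),
    ],
    "feed_gamma": [
        FeedEntry("evil.example", 850, 95, 1, False),
        FeedEntry("198.51.100.9", 200, 91, 1, True),
    ],
}


def uniqueness_pct(feed: str, feeds: Dict[str, List[FeedEntry]]) -> float:
    """Percentage of this feed's Indicators that no other feed reports."""
    mine = {e.indicator for e in feeds[feed]}
    if not mine:
        return 0.0
    others = {e.indicator for name, entries in feeds.items() if name != feed for e in entries}
    return round(100.0 * len(mine - others) / len(mine), 2)


def average_score(feed: str, feeds: Dict[str, List[FeedEntry]],
                  window_days: int = 90) -> Optional[float]:
    """Report-count-weighted average CAL score over Indicators reported in the last
    window_days; None when the feed reported nothing in the window."""
    recent = [e for e in feeds[feed] if e.days_since_report <= window_days]
    weight = sum(e.reports for e in recent)
    if weight == 0:
        return None
    return round(sum(e.cal_score * e.reports for e in recent) / weight, 2)


def false_positive_pct(feed: str, feeds: Dict[str, List[FeedEntry]]) -> float:
    """Share of the feed's Indicators reported as false positives."""
    entries = feeds[feed]
    if not entries:
        return 0.0
    return round(100.0 * sum(e.false_positive for e in entries) / len(entries), 2)


def report_card(feed: str, feeds: Dict[str, List[FeedEntry]] = FEEDS) -> Dict[str, object]:
    """Mini report card measures for one feed."""
    return {
        "feed": feed,
        "uniqueness_pct": uniqueness_pct(feed, feeds),
        "average_score": average_score(feed, feeds),
        "false_positive_pct": false_positive_pct(feed, feeds),
    }


if __name__ == "__main__":
    for name in FEEDS:
        print(report_card(name))
```

Note the `feed_gamma` case: every Indicator it reports is older than 90 days, so it has no Average Score at all rather than a score of zero, and a feed with half its Indicators flagged as false positives is the sort of feed whose Reliability Grade the page shows in red.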
Clicking the View Full Report Card link at the bottom of a mini report card displays more details about the feed in the Feed Explorer screen (Figure 9).
Click the graph icon in the Report Card column to display a full report card for the feed (Figure 10).
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.