5 Reasons to Mark a False Positive in ThreatConnect

By taking an intelligence-driven approach, we can start to connect the dots in a more interesting fashion

ThreatConnect allows you to curate almost every facet of your intelligence — including indicator reputation. One of the best ways you can help keep a tidy shop is to flag an indicator as a False Positive (FP) when you encounter it. Notionally we’re all familiar with what this should do: it tells your colleagues (both human and software) that this indicator isn’t actually a threat and can be skipped in your day-to-day analysis.

By taking an intelligence-driven approach however, we can start to connect the dots in a more interesting fashion. Beyond signaling your coworkers, flagging an indicator as a False Positive has some interesting and far-reaching implications. Read on to see what impact you can have across the world with a single button click!

 

1. Decrease in ThreatAssess Score

An indicator’s ThreatAssess Score is greatly affected by the amount of False Positive reported.

Our ThreatAssess algorithm leverages input from users to fine-tune an indicator’s reputation. The most immediate impact of clicking the False Positive button is that it will affect the score of an indicator. On a 1000-point scale, an indicator will drop as it continues to accrue FP votes. This will include votes within your organization, votes across organizations, and account for the age of votes over time!  The ThreatAssess score has an impact on how your team can quickly understand and triage indicators, and can also impact integrations downstream.

 

2. False Positive Filters

Quickly identify which indicators have had FP votes directly from the Browse screen.

As FP votes accumulate on an indicator, there are controls built across the platform to allow you to sort data accordingly. Since FP’s are a valuable form of context around your intelligence, we want to make sure you can access it in meaningful ways that help you inform decisions:

  • Use filters on the Browse screen to remove indicators with FP votes and clean up your workflow
  • Create Dashboard cards to identify which feeds and data sources are resulting in high concentrations of FP’s in your network
  • Leverage our API and integration-based filters to fine-tune your tolerance for suspected FP indicators across your ecosystem

 

3. Global CAL counts

Quickly determine how many FPs have been submitted and how many times an indicator has been observed by global CAL users.

If you’re participating in ThreatConnect’s CAL™ (Collective Analytics Layer), all of the FP votes on an indicator will be sent to be anonymized and aggregated. These totals are what drive the rows you see in the Analytics card on an indicator’s Details Page. This provides valuable insight into how all analysts view an indicator. In addition to informing (and being informed) by your team, you can benefit from the analysis of the entire ThreatConnect user base.

 

4. Feed Evaluation

ThreatConnect’s Intelligence Report Card helps you better understand and prioritize feeds.

CAL doesn’t just count all of the FP votes, it puts them to work. One of CAL’s key uses for FP votes is feed evaluation, in the form of Report Cards. If you’re ever wondering which open source feeds to enable in your system, Report Cards are there to help! CAL computes key metrics of how each feed is performing across the ThreatConnect ecosystem, and your FP votes can help inform the Reliability Score of a feed. As I discussed in our blog post about Report Cards, Reliability Score is a measure of how many, and how egregious, the FP’s are within a given feed. We’re all familiar with the garbage in/garbage out problem, this is one of our best ways of identifying the big offenders!

 

5. CAL Analytics

Drill further down into additional CAL Insights

There are multiple other analytics that CAL runs based on FP votes, each of which could fill its own blog post. CAL incorporates FP votes at a fundamental level into things like indicator reputation, classification, indicator status, and more!  There’s more to consider than just the number of FP votes, so CAL uses its massive dataset and computing power to weigh additional factors such as FP vote timeliness, consensus, and other things we find to be significant.

The more data CAL accumulates, the smarter these analytics get!

 

About the Author
Drew Gidwani

Drew Gidwani is the Director of Analytics at ThreatConnect. He drives the data modeling, collection, and analytics both within the core ThreatConnect platform and in CAL. Previously, Drew worked for the Department of Defense where he leveraged his varied analysis experiences to scale growing intelligence teams in the face of the ever-changing threats we face today. Drew holds a B.S. from Carnegie Mellon University and an M.S. from Johns Hopkins University. He currently resides in Maryland with his fierce warrior dog named Gimli.