CAL 2.3 Brings New Data Sources and Analytics Improvements to ThreatConnect

It’s the best holiday gift we could ask for: CAL 2.3 is live! 

For those of you not familiar, ThreatConnect’s CAL™ (Collective Analytics Layer) provides a way to learn how many times potential threats were identified across all participating Platform instances. CAL anonymously leverages the thousands of analysts worldwide who use ThreatConnect. Taking it one step further, we have built in our own analytics engine powered by that collective insight to answer questions our users have about threat intelligence, sometimes before they even know to ask them.

CAL has its own release cycle that operates on a separate timeline from the core ThreatConnect Platform. This allows for more frequent releases with seamless deployments. CAL 2.3 includes some massive new datasets and cool tradecraft that we’re going to help our customers leverage.

New Data Sources

Making sense of a massive amount of data is a big job, and one we’re happy to do for you. Every night we pull the master ASN listings and their respective CIDR mappings.  This new capability adds a massive amount of data: CAL now has a staggering understanding of over 67,000 ASN’s and the 700,000 CIDR ranges mapped to them!!  This robust graph allows CAL to leverage its existing analytics to help identify interesting (and uninteresting) neighborhoods on the internet.

Analytics Improvements

  • Report Cards

CAL enables data to be presented to users in a way that is easily readable and clear to understand. One way we do this is via CAL Report Cards. Report Cards visualize information related to feed performance so you can better understand a feed before you start leveraging the information in it to make decisions related to your security team. As you can see below, the graphic provided is clear and easy to understand. So much so, that oftentimes we may forget about the powerful analytics that power it.

We’ve improved some of the math behind Report Cards, allowing the bars on the bullet charts to evolve naturally with our dataset.  The red, green, and yellow target zones will now dynamically reflect the way our collection of feeds behaves in our users’ ecosystems.  This should simplify user decision-making when selecting and understanding OSINT feeds.

  • Nameserver Analysis

We’ve worked with a member of the ThreatConnect Research Team, Kyle Ehmke, to replicate some of his analysis techniques for nameservers in CAL!  This happens at scale.  Every day. We’ve already identified 2 million nameservers (300+ of which are a nexus of malicious activity).  By wrapping some of Kyle’s analysis techniques into CAL, we’ve been able to pivot off of those 300+ nameservers to identify over 1,000 novel suspicious hosts aren’t being reported anywhere else!  Stay tuned as ThreatConnect’s Research Team and CAL work together to discover more malicious activity and help you make the right decisions with it!

Our team is already hard at work on the next CAL release. Stay tuned!

About the Author
Drew Gidwani

Drew Gidwani is the Director of Analytics at ThreatConnect. He drives the data modeling, collection, and analytics both within the core ThreatConnect platform and in CAL. Previously, Drew worked for the Department of Defense where he leveraged his varied analysis experiences to scale growing intelligence teams in the face of the ever-changing threats we face today. Drew holds a B.S. from Carnegie Mellon University and an M.S. from Johns Hopkins University. He currently resides in Maryland with his fierce warrior dog named Gimli.