
Towards Data-Driven Threat Analysis

Make Better Decisions Based on Your Indicators of Compromise

A random person on the Internet once said, "Threat Intelligence is a lot more than Intel feeds." This person was absolutely right. In fact, the very premise of a cybersecurity platform is that indicators of compromise (IoCs) alone are just one piece of your security puzzle, and a platform is just the right place to solve that puzzle. ThreatConnect provides an industry-leading platform so our users and customers can leverage the best of open source and premium threat intelligence feeds.

Though IoCs are not the be-all and end-all of Threat Intelligence, they do play a very important part, especially if you can properly contextualize them and correctly quantify their usefulness. With that in mind, ThreatConnect is excited to introduce two new features designed to help you make even better decisions based on your IoCs and the threat intelligence generated from within your own organization.



ThreatAssess is our answer to a singular question: Can we capture the threat criticality of an IoC on a single numeric scale?

A rather simple question, but with broader implications. Our users are already familiar with our Threat and Confidence Rating scales. Although these two metrics capture the essence of an IoC's criticality, they are not the only dimensions contributing to it. While having access to even more dimensions is nice, what is also needed is a way to collapse these dimensions into a single one that gives proper, not equal, weight to each of them. Essentially, a single numeric scale that puts all of your IoCs on a straight line and allows you to get a bird's-eye view of their criticality. We have developed an algorithm to answer the above question, and aptly named our solution ThreatAssess.


What is ThreatAssess?


Fig1. - Sample ThreatAssess score of an IoC

Now, when you log in to the ThreatConnect Platform and navigate to the Details page of any IoC you will be presented with the ThreatAssess score of that IoC. You will also see a corresponding label and breakdown of the score in terms of the various dimensions that went into computing the score.

A sample representation is shown in Figure 1 above. Right away you see the score on a 0 to 1000 scale, and a corresponding textual label to go with the score. Normally, this alone would suffice, but we know our users need more information than that. So, in addition to the score and label, we provide a breakdown of the dimensions that went into computing this score. Along with the Threat and Confidence ratings, we also take into consideration the false positives and observations reported for the IoC, and whether it was seen in a single source (such as an intel feed or user contribution via a community) or in more than one source. ThreatConnect wants to provide analysts with as much information as possible, so they can make data-driven decisions about how to react to an indicator or threat. ThreatAssess adds even more context to an IoC, helping you make better decisions faster.

ThreatAssess is our unique, proprietary, yet transparent solution to combine various dimensions of the IoC data into a single usable score. This score can aid in obtaining a bird's-eye view of the criticality of an IoC, and to prioritize your IoCs and feeds.
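To make the idea of collapsing several unequally weighted dimensions into one 0 to 1000 number concrete, here is an added example; it is not ThreatConnect's proprietary ThreatAssess algorithm, and the weights, input scales, label thresholds and sample IoCs are all assumptions made for illustration.

```python
"""Illustrative single-scale IoC scoring (assumed weights, not ThreatAssess)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Indicator:
    value: str
    threat_rating: float   # assumed 0..5 scale
    confidence: float      # assumed 0..100 scale
    false_positives: int   # false positives reported for this IoC
    observations: int      # observations reported for this IoC
    source_count: int      # number of feeds/communities that reported it


# Assumed weights: deliberately unequal, so each dimension counts differently.
W_THREAT, W_CONFIDENCE, W_OBSERVATIONS, W_SOURCES = 500, 250, 150, 100
FP_PENALTY = 150  # points removed per reported false positive (assumed)


def saturate(count: int, k: int = 5) -> float:
    """Map a count onto 0..1 with diminishing returns (k or more = full credit)."""
    return min(count, k) / k


def threat_score(ioc: Indicator) -> int:
    """Collapse all dimensions into a single 0..1000 integer (assumed formula)."""
    raw = (
        W_THREAT * (ioc.threat_rating / 5)
        + W_CONFIDENCE * (ioc.confidence / 100)
        + W_OBSERVATIONS * saturate(ioc.observations)
        + W_SOURCES * (1.0 if ioc.source_count > 1 else 0.0)
        - FP_PENALTY * ioc.false_positives
    )
    return int(max(0, min(1000, round(raw))))  # clamp so false positives cannot go below 0


def label(score: int) -> str:
    """Textual label for a score (assumed thresholds)."""
    for threshold, name in ((800, "Critical"), (600, "High"), (400, "Medium"), (200, "Low")):
        if score >= threshold:
            return name
    return "Minimal"


def prioritize(iocs: List[Indicator]) -> List[Indicator]:
    """Order IoCs by descending score: the 'straight line' view of criticality."""
    return sorted(iocs, key=threat_score, reverse=True)


# Constructed sample IoCs (not real indicators).
SAMPLE = [
    Indicator("198.51.100.7", 4, 60, false_positives=3, observations=2, source_count=1),
    Indicator("example-c2.invalid", 5, 90, false_positives=0, observations=12, source_count=3),
    Indicator("203.0.113.9", 2, 100, false_positives=0, observations=0, source_count=2),
]
```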


Collective Analytics Layer (CAL)

ThreatConnect's CAL™ (Collective Analytics Layer) is, as its name implies, an analytical solution that we built to provide our users with immediate, useful insights from contextual data gathered from multiple sources, including crowdsourced metrics from all of our users.



Fig2. - CAL

As shown in Figure 2, CAL works by bringing data in from external threat intel sources, enrichment and reputation sources, and also aggregating anonymized IoC statistics from participating ThreatConnect instances. CAL is built for analytics at scale and allows us to provide even more contextual information about an IoC than can be available to an individual instance.






Fig 3. - CAL Data

In Figure 3, you see an example of the information accessible from CAL. The information aggregated from an individual ThreatConnect instance is completely anonymized and securely transferred between each instance and CAL. Our Dedicated Cloud and On-Prem customers have the choice to opt out of sharing this information if they so desire. However, only participants can access the CAL data, which allows you to see how your individual instance data compares to the wider world of ThreatConnect users.

For each IoC you can compare your own reported false positives and observations to the aggregated false positives and observations reported by other instances. CAL also provides aggregated page view counts from across participating ThreatConnect instances, as well as the number of external feeds that reported the IoC, and its first and last time seen. This extra information adds context to an IoC and also allows you to get a more accurate measure of the IoC's completeness, relevance, timeliness, and accuracy, which ultimately leads to better prioritization. This powerful and innovative feature gives you data that has never before been available, and is not available in any other tool or system.


Final Word

In introducing ThreatAssess and CAL™ we have taken a strategic step towards making threat intelligence much more quantifiable. Does the new approach replace traditional analyst-centric threat analysis? Absolutely not! In fact, the data-driven analytics approach augments and enhances the capabilities of the ThreatConnect Platform, and helps our users better manage their threat intelligence. With ThreatAssess and CAL you now have two powerful means to prioritize your IoCs.







Bhaskar Karambelkar is Data Science Lead at ThreatConnect Inc. In his role Bhaskar leads the analytics and visualization efforts. Bhaskar has over 18 years of industry experience in IT, 10 of which are in the InfoSec domain. Bhaskar loves to integrate traditional InfoSec research with data analytics and visualization to present a complete picture of the InfoSec landscape. Bhaskar has a Bachelor's degree in electronics engineering and is working on a Master's degree in Predictive Analytics.