Posted
The new and improved CAL is now active in the ThreatConnect Platform!
Have you heard of CAL?
Yes, you have? Awesome! No, you haven’t? Well, to quickly explain, ThreatConnect’s CAL™ (Collective Analytics Layer) provides anonymized, crowdsourced intel about your threats and indicators. It leverages the collective insight of the thousands of analysts who use ThreatConnect around the globe to provide you with even more context regarding your indicators and threats. Taking it one step further, we have built in our own analytics engine powered by that collective insight to answer questions our users have about threat intelligence, sometimes before they even know to ask them.
CAL was first released a little over 2 years ago, and since then, the team here has been working diligently to take insane amounts of data and, using analytics, serve it up to users in a way that improves day-to-day analysis. You can check out some of the benefits experienced by CAL in this recently published blog post.
Now let’s get back to 2.1. OSINT feeds, ISACs, and well-meaning analysts sometimes bring in indicators of compromise (IOCs) that are almost certainly false positives. We have some tools already, such as exclusion lists, to prevent these mistakes from causing a slew of false positive alerts or wasted investigation time. With this release, we added some new functionality within CAL to further improve this capability.
Improvements include:
- We now pull in approximately 100k newly registered domains per day, which serve as a rich hunting ground. While not inherently malicious, being relatively new makes them interesting. When combined with our analytics and complementing datasets, we can identify malicious hosts — sometimes before they’re reported by paid or OSINT feeds!
- Better tracking of well known, benign IP ranges. We dynamically track over a thousand CIDR ranges, which has allowed us to better determine indicator status for thousands of IP addresses. The result? Less noise in the platform for CAL participants, and a demonstrable reduction in noise in SIEM alerts. These IP’s generated 3.5 million benign observations in the last month alone, and CAL is silencing these noisemakers moving forward.
- TLD Validation of hosts based on the Public Suffix List. We’ve all experienced the various ways that “junk” hosts can make their way into your instance, and now CAL can help you identify which “host” IOCs may actually just be the name of a file sample. Any hosts with an invalid TLD will have a Classifier added and will be more likely to be labeled as inactive, again reducing noise in the platform and helping to lower users’ SIEM bill by removing lots of crud. On the first day, CAL identified over 435k hosts from feeds and customer instances that have invalid TLD’s.
- Improved tracking of Dynamic DNS domains, allowing us to better pinpoint hosts and URL’s that are using one of thousands of dynamic DNS providers. These providers allow users to rotate hosts and infrastructure quickly and freely, and are a hotbed for adversary activity. Our improved tracking has identified over 500k indicators using these providers, allowing analysts to better tailor their infrastructure investigations to accommodate this volatile infrastructure technique.
Want to learn more about CAL? See the webinar, Building Blocks of Intelligence.