
What Can CAL™ (Collective Analytics Layer) Do For You?

CAL™ has billions of data points that it can bring to bear to power its analytics—and we’re adding more every day

It’s been two years since we announced CAL™ , our Collective Analytics Layer. Since then, we’ve made fantastic strides in leveraging some of the latest big data technology to make our users’ lives easier. We launched CAL with two intentions: to solve problems that were so computationally intensive that they required separate technology, and to distribute the answer rather than the solution. Fast forward to today. CAL has billions of data points that it can bring to bear to power its analytics—and we’re adding more every day.

In this article, we’ll cover the insights that CAL provides and then go deeper into how to use that intelligence in your day-to-day analysis, with instructions for both novice and advanced users.

What can CAL do for me?

At this time, CAL provides insights in three main forms: reputation, Classifiers, and contextual fields. They can each be used to help your analysts and orchestration processes make better decisions faster. Let’s take a look at each of these insights to see how they may make your day easier. Figure 1 shows an example of CAL Insights on the Indicator Analytics card on the Details screen for an Indicator.

Figure 1


CAL generates its own reputation score on a 0–1000 scale, similar to the ThreatAssess algorithm. We have a writeup on how ThreatAssess and CAL play together but the takeaway is pretty simple: CAL uses its massive data set and our analytics to help provide a baseline reputation score. There are a few things to note about CAL’s reputation analytics:

  1. They are not actually presented in the ThreatConnect Platform. Let’s face it, information overload can be a very real thing. To simplify the user experience, we’ve designed ThreatAssess to combine CAL’s opinion with those of your analysts and tailored processes. In other words, CAL’s reputation score is factored into an object’s ThreatAssess score. Of course, this calculation is customizable: System Administrators can configure ThreatAssess to weigh CAL’s opinion a lot, a little, or not at all.
  2. Reputation scoring isn’t one size fits all. There are elements of relevance and risk to your organization. Our goal with CAL’s reputation algorithm is to provide the best baseline that we can for Indicators.
  3. Our reputation score is based on lots of data. CAL manages the dynamic collection, curation, and aggregation of lots of data that you simply don’t want to do yourself. It pulls in massive whitelists to help clear the noise out of your workflow. CAL also aggregates all of the reported observations on Indicators to prioritize the threats that are active now.
  4. Reputation goes beyond the score you see on the Indicator Analytics card when you view the Details screen for an Indicator. CAL also uses ThreatConnect’s Indicator Status system to help you maintain uninteresting IOCs for the sake of thoroughness without having them inundate you with false alarms.

Making Use of Reputation

If you’re participating in CAL, it’s already making your life easier! Still, here are a few things to consider if you want to step up your game by incorporating CAL’s reputation insights into your workflow:


If you have sufficient permissions, you can leverage CAL’s score by weighing it more heavily in the ThreatAssess configuration page, as detailed in the “Configuring ThreatAssess” section of the ThreatConnect Account Administration User Guide. For developing teams, this is extremely helpful while you start to marshal your intelligence processes: CAL can give you some kind of score to start with, and you can focus on triaging the universally critical threats before worrying about creating intelligence of your own.


The Indicator Status feature (circled at the top of Figure 2) gives you a way to remove a lot of noise from your system. Again, if you’re participating in CAL, you’re already leveraging its insights on hundreds of millions of Indicators! Keep the CAL Status Lock box unchecked to let CAL set the flag on whether each Indicator should be enabled or disabled as far as piping it to your integrations. Of course, you can adapt your processes to manually set (and lock) that flag for Indicators that you know are or aren’t of interest.

Figure 2



To empower our security ninjas, we do actually expose the CAL score via Playbooks. You can build your Playbooks to bin your Indicators (or avoid creating them at all) based on CAL’s score right off the bat. This can be especially helpful when it comes to removing noise from your system or firing off alerts and triage workflows. If CAL has decided something is universally good or bad, take that step out of the equation for your analysts!


Our analytics apply a series of labels called Classifiers to Indicators that meet certain conditions. These labels are designed to give you a clear, concise vocabulary to understand some of the salient data points about an Indicator. The Classifiers are similar to Tags in ThreatConnect, except that they’re applied by CAL using the totality of its data set and statistical models. Figure 1 shows some Classifiers in the Classification section of the Indicator Analytics card.

As we add more data collection and analytical models, we will continue to expand our vocabulary of Classifiers and fine-tune the conditions that apply them.

Using Classifiers

If you’re not sure how you’d use Classifiers in your day-to-day processes, here are some examples:


Something as simple as the Executable.Android or Executable.iOS Classifier may help you quickly identify binaries that run on platforms that are outside of your area of responsibility. If your organization doesn’t use Android or iOS devices, then you can easily move along!


If you stumble across a host that CAL identifies as having the IntrusionPhase.C2.Current Classifier, then you may have an active breach on your hands! These Indicators have been classified based on the findings of the ThreatConnect Research team, and you can head on over to the ThreatConnect Intelligence Source to learn more about the associated Threat to determine your next steps.


CAL’s DNS monitoring system can let you know about the resolution patterns of certain hosts. If you see an IP address with the DNSHosts.Malicious.Current Classifier, then you can follow it in ThreatConnect and you’ll get notifications when additional hosts in the system start resolving to it.

Contextual Fields

CAL also provides a series of contextual fields surrounding an Indicator to help you decide what to do next. These fields may come from a variety of sources:

  • Aggregated, anonymized data. CAL takes telemetry information from all of our participating instances and aggregates it after removing any identifying information. This allows CAL to provide global counts on key data points, such as how many observations have been reported on the Indicator or how many false positive votes it’s gotten and when.
  • Enrichment data. To power its analytics, CAL has access to all sorts of data it’s collected. We want you to have this information, too! You may get certain information as appropriate, such as where a hostname is ranked in the Alexa Top 1 Million domains list or what OSINT feeds reported it and when.

Making use of Contextual Fields

If you’re not sure how you’d use these contextual fields in your day-to-day processes, here are some examples:


If you’re looking at an IOC that has a high score, but has a lot of false-positive votes, you may have stumbled into the twilight zone of bad intel! It happens sometimes—our feeds and partners occasionally let benign Indicators slip into our discussions. Sometimes Indicators were bad and then get their act together and get clean. CAL’s global false-positive data can help you better isolate bad Indicators that have gone good.


If an IOC in question has a high number of global observations, then it may be active across the ThreatConnect user base. You may be able to identify the ebb and flow of adversary activity before you’re in the adversary’s sights, benefitting from the anonymized reporting of your peers. Trendline data can help you pinpoint where in time to look if you’re doing retroactive analysis as well.


If you’re triaging phishing emails and see an unknown SMTP server, CAL may be able to tell you that it’s owned by Google and is part of the GSuite Mail Server. Understanding who owns infrastructure—specifically free or rented infrastructure—can help you quickly determine your next steps. Whether you’re picking up the phone to request a takedown from a hosting provider or simply blacklisting an IP address, these are the insights that start to make a difference at scale.

In Conclusion

CAL has come a long way in making sure that we are answering questions our users have about intelligence, sometimes before they even know to ask about it. By combining our unique data set and domain expertise, we’re starting to discover novel Indicators at a high rate and a high confidence level. By leveraging CAL, you can, too.

Keep in mind that these CAL insights aren’t just available to your human analysts, but also to your Playbooks! Stay tuned as we start to showcase ways that CAL can drive your orchestration processes automatically, using its reputation and classification analytics to help you move faster and smarter.



The post What Can CAL™ (Collective Analytics Layer) Do For You? appeared first on ThreatConnect | Intelligence-Driven Security Operations.

Lights, Camera, Actionable Intelligence!

ThreatConnect Research builds out a network of domains and subdomains spoofing organizations related to the entertainment industry, most likely used in credential harvesting efforts.

To be frank, if we were going to give out an award for this acting, we don’t know who it would go to. Following a partner tip identifying IP addresses hosting spoofed entertainment industry domains that served credential harvesting sites, we identified over 50 domains and 320 subdomains most likely associated with a single actor or group. These domains were registered between 2017 and 2019 and suggest a widespread, ongoing campaign as of early March of this year, but we have yet to identify the actor’s motivations, whether they are targeting the spoofed organizations, and what they intend to use stolen credentials for.

In this case, we were able to build out an understanding of this actor’s infrastructure using a variety of capabilities from DomainTools, Farsight DNSDB, and Censys. Notably, this actor had a penchant for reusing SSL certificate common names and domain name strings across their other domains’ subdomains. Exploiting these crossovers helped us identify connections where WHOIS or hosting co-location research failed. We then reviewed the network and screenshots of identified infrastructure for notable themes in an attempt to better understand how the actor was operating or who they were targeting. Finally, we explored methods to proactively monitor for new infrastructure possibly related to this activity based on registration and hosting consistencies.

Research and Findings

An industry contact tipped us to the presence of several domains spoofing entertainment organizations at IP addresses 142.11.205[.]49 and 185.175.208[.]217. While they didn’t mention specific domains, the IPs and context they shared were significantly valuable and enabled our own research efforts. We considered those IPs our starting point for this investigation and began by reviewing each of them.

Reviewing the first IP address, 142.11.205[.]49, using DomainTools Iris, we note that, as of February 20, 2019, only five domains are hosted there. Of those domains, four of them — adfs-amcnetworks[.]com, adfs-sony[.]com, sts-warnerbros[.]com, and umgconnect-umusic[.]com — spoof organizations in the entertainment industry. The final domain — common-oauth[.]com — is consistent with other domains that would surface during the course of this research.

Searching DomainTools Iris for 142.11.205[.]49


While only one of these domains leads us to an actor-owned email address — heckman1243@gmail[.]com — the small number of domains hosted at this IP and the fact that most of them spoof an organization in the entertainment industry lead us to believe that this IP address is dedicated to a single user. Based on this IP and the aforementioned registrant email address, we identify the following domains:

Domain               | IP         | Registrant Email
foxgroup-okta[.]com  | Taken Over | Taken Over

Similarly reviewing the IP 185.175.208[.]217 in Iris, we see that over 280 domains are hosted at this IP as of February 20.

Searching DomainTools Iris for 185.175.208[.]217


There was no single, discernible theme or registrant that we could identify from the domains hosted at this IP address. Several domains and subdomains hosted here spoof entertainment organizations, many contain strings referencing cryptocurrencies or gift cards, and others seem general or aren’t immediately discernible. Searching for this IP against our Technical Blogs and Reports source identifies a Proofpoint report on a cryptocurrency giveaway scam.

WHOIS for 185.175.208[.]217


The WHOIS for this IP from DomainTools indicates that it is part of a subnet used by HostSlick customers in London, suggesting that it is a multi-tenant IP. To that end, not all domains hosted at this IP address are associated with the same actor or activity. Ultimately, this means we’ll have to conduct a more manual review of the domains hosted at this IP to assess whether or not they may be associated with the entertainment industry activity we were alerted to.

Manual Review

We initially started by enumerating the domains hosted at 185.175.208[.]217 and manually reviewing them to identify the ones that appear to spoof organizations in or related to the entertainment industry, or are similar to those previously identified. This identified the following additional domains currently hosted at 185.175.208[.]217:

Domain | IP | Registrant Email

Further reviewing resolutions for this IP address using our Farsight DNSDB integration, we also identified older domains from 2017 like press-amcnetworks[.]com, gettyimages-okta[.]com, harpercollins-okta[.]com, harpercollinsokta[.]com, and login-hulu[.]com that fit the theme.

Historic Resolutions for 185.175.208[.]217 Related to Entertainment Industry


More interestingly, in some cases, strings specific to domains we had already identified showed up in subdomains for other parent domains we had not yet identified.

Infrastructure with “sjobergbildbyra” String


In other cases the opposite was true — subdomains for the domains we identified showed strings specific to other domains at 185.175.208[.]217 that we had not identified. Some of the identified subdomains were also suggestive of technologies — like Microsoft, Okta, and GoDaddy — that the actors were spoofing for probable credential harvesting efforts.

Subdomain String Identifying Related Infrastructure


We also note similar crossovers and repetitions in the SSL certificates used for these sites. Reviewing the below SSL certificate in Censys, we see that it was used across multiple domains specifically related to the entertainment industry, as well as subdomains for serverdata[.]tech.


Censys Certificate Information


Iterating this research through pDNS and SSL certificates for these domains and subdomains based on these crossovers, we can ultimately identify over 380 domains and subdomains most likely associated with this activity. We have shared the identified infrastructure in various incidents associated with Campaign 2017 – 2019 Credential Harvesting and Spoofed Domains Related to the Entertainment Sector.
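The string-crossover pivot described above, written out as an added example (this is not ThreatConnect's or DomainTools' code). Given domains already tied to the activity and a set of hostnames such as passive DNS would return, it harvests the distinctive labels of identified hosts, flags any not-yet-identified parent domain whose subdomains reuse one of those labels, and repeats until nothing new turns up. The seeds and the seligerstudio-wetransfer[.]com subdomain come from the article; every `.test` name, the generic-label stoplist, and the naive parent-domain rule are assumptions.

```python
"""Pivot on reused subdomain strings to surface related parent domains."""

# Labels that name a spoofed technology or DNS plumbing rather than a specific
# organization; they recur across unrelated hosts, so we never pivot on them.
# Assumption: tune this list to your own data.
GENERIC_LABELS = {
    "www", "mail", "login", "sso", "auth", "okta", "adfs", "sts", "wg",
    "revalidate", "revalidation", "external", "external-site", "validation",
    "microsoftonline", "godaddy", "wetransfer",
}
MIN_TOKEN_LEN = 5  # shorter strings collide too easily to be evidence


def refang(host: str) -> str:
    """Turn a defanged name like 'foo[.]com' into 'foo.com', normalised."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")


def labels(host: str) -> list[str]:
    return refang(host).split(".")


def parent_domain(host: str) -> str:
    """Registrable domain, assuming a one-label public suffix (no PSL lookup)."""
    return ".".join(labels(host)[-2:])


def label_parts(label: str) -> list[str]:
    """A label plus its hyphen-separated pieces, e.g. foxgroup-okta -> foxgroup."""
    return [label] + [p for p in label.split("-") if p != label]


def pivot_tokens(host: str) -> set[str]:
    """Distinctive strings of a hostname: every label below the TLD and each
    hyphen part, minus generic and very short ones."""
    out = set()
    for lab in labels(host)[:-1]:
        for part in label_parts(lab):
            if len(part) >= MIN_TOKEN_LEN and part not in GENERIC_LABELS:
                out.add(part)
    return out


def pivot(seeds, observed_hosts, max_rounds=10):
    """Return {new_parent: {"round": n, "evidence": [(host, token, seen_in)]}}.

    Each round runs the crossover in both directions the article describes:
    subdomains of identified parents contribute their strings, then any host
    under an unidentified parent that reuses a known string identifies it."""
    known_parents = {parent_domain(s) for s in seeds}
    tokens = {}  # distinctive string -> first host it was seen in
    for s in seeds:
        for t in pivot_tokens(s):
            tokens.setdefault(t, refang(s))
    hosts = [refang(h) for h in observed_hosts]
    found = {}
    for round_no in range(1, max_rounds + 1):
        for h in hosts:  # direction 1: harvest strings from identified hosts
            if parent_domain(h) in known_parents:
                for t in pivot_tokens(h):
                    tokens.setdefault(t, h)
        new_round = {}
        for h in hosts:  # direction 2: unidentified parents reusing a string
            parent = parent_domain(h)
            if parent in known_parents:
                continue
            for lab in labels(h)[:-1]:
                for part in label_parts(lab):
                    if part in tokens:
                        new_round.setdefault(parent, []).append((h, part, tokens[part]))
        if not new_round:
            break
        for parent, evidence in new_round.items():
            found[parent] = {"round": round_no, "evidence": evidence}
        known_parents.update(new_round)
    return found


# Seeds from the article; the hostname list is constructed to stand in for a
# passive-DNS result set (the .test names are invented).
SEEDS = ["foxgroup-okta[.]com", "picturesmaxx[.]com", "sjobergbildbyra.picturesmaxx[.]com"]
OBSERVED = [
    "sjobergbildbyra.picturesmaxx[.]com",
    "bbsphoto-wetransfer.picturesmaxx[.]com",
    "foxgroup-okta.seligerstudio-wetransfer[.]com",  # crossover noted in the post
    "sjobergbildbyra.studio-portal.test",
    "login.bbsphoto.test",
    "seligerstudio.cdn-host.test",           # only reachable after round 1
    "okta.revalidate.hosting-pool.test",     # generic labels only: no pivot
    "www.unrelated-news.test",
]

if __name__ == "__main__":
    for parent, hit in sorted(pivot(SEEDS, OBSERVED).items()):
        print(f"round {hit['round']}: {parent}")
        for host, token, seen_in in hit["evidence"]:
            print(f"    {host} reuses '{token}' from {seen_in}")
```

Every hit is a candidate, not a confirmation: as with the SSL-certificate crossovers, a match on a single string still needs the manual review the article walks through before the parent is added to the campaign.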

Themes in Infrastructure

After identifying all of the associated domains and subdomains, we saved and reviewed these sites in the Internet Archive. This ultimately revealed some interesting themes in the infrastructure this actor used and the different services or organizations they spoofed.

Picturesmaxx Infrastructure
While the domain and subdomain string crossovers may be suggestive of a less sophisticated adversary, this actor may have put in the leg work and thoroughly researched one of the organizations they planned to impersonate.

As of early February 2019, the domain picturesmaxx[.]com redirected to the domain for PictureMaxx — a service that provides media asset management and “provides entry to the world’s largest network of professional content portals and empowers users to access, organize and distribute content more efficiently.” Dozens of subdomains for picturesmaxx[.]com lead to spoofed login pages for various organizations, many of which are photography studios or agencies.

Screenshot of adoc.wg.picturesmaxx[.]com

Screenshot of alivepress.wg.picturesmaxx[.]com

Screenshot of babirad-pictures.picturesmaxx[.]com

Screenshot of sjobergbildbyra.picturesmaxx[.]com


As it turns out, most of the organizations spoofed with these picturesmaxx[.]com subdomains are also listed customers of the legitimate PictureMaxx company.

Further suggesting that this actor did their due diligence in preparing for this role, many of the subdomains are consistent in naming convention when compared with the legitimate domains for PictureMaxx. As an example — the spoofed login page brauerphotos.wg.picturesmaxx[.]com and the legitimate

We also considered the possibility that picturesmaxx[.]com was legitimate and actually owned by PictureMaxx; however, the registration and hosting information for picturesmaxx[.]com are inconsistent with other legitimate domains registered by PictureMaxx.

Authentication Spoofing Infrastructure
As of March 3, 2019, this research has identified seven domains associated with this activity that spoof authentication infrastructure:

  • mscommonauth[.]com
  • auth-owa[.]com
  • common-oauth[.]com
  • common-auth[.]com
  • commonoauth[.]com
  • commonoauth2[.]com
  • common-oauth2[.]com

Dozens of hosted subdomains for these domains indicate that the actor behind this activity is spoofing Microsoft, GoDaddy, Okta, Hulu, and public relations firms associated with the entertainment industry as part of their operations. For subdomains spoofing organizations related to the entertainment industry, like those with PR firm strings, we do not know if those organizations were targeted directly or spoofed to pursue other organizations. Examples include the following:

  • godaddy.external.revalidation.common-oauth[.]com
  • revalidate.external-site.commonoauth2[.]com
  • hulusso.revalidate.external-site.commonoauth2[.]com
  • publiceye.revalidate.sso.microsoftonline.auth-owa[.]com
  • ledecompany.revalidate.sso.microsoftonline.auth-owa[.]com
  • okta.revalidate.external-site.commonoauth2[.]com

In some cases, these authentication-spoofing subdomains hosted the probable credential harvesting sites and indicate that the actor used a variety of spoofed sites that are specific to various organizations. Beyond the site’s URL, these pages appear legitimate and were most likely created by scraping those organizations’ actual login pages.

Screenshot of validation.auth.login.microsoftonline.commonoauth2[.]com

Screenshot of umgconnect.umusic.revalidate.external-site.commonoauth2[.]com

Screenshot of login.hulusso.revalidate.external-site.commonoauth2[.]com

Screenshot of foxsso.okta.revalidate.external-site.commonoauth2[.]com


In one case that we were able to identify, the actor behind this activity set up a spoofed authentication site with a pre-populated email address, most likely suggestive of an individual targeted in this operation.

Screenshot of Pre-populated Credential Harvesting Site

WeTransfer Spoofed Domains
The third notable theme among the domains and subdomains we identified indicates that the actors are spoofing the file transfer service site WeTransfer. In most cases, the identified parent domains suggest this actor is spoofing WeTransfer in conjunction with a photography studio. While we don’t know if these studios are being targeted or their likeness is just being used to target larger organizations, one of the identified subdomains suggests that the latter may be the case.

  • wetransfer[.]plus
  • xn--wetransfr-2f7d[.]com
  • austinhargrave-wetransfer[.]com
  • ellenvonunwerth-wetransfer[.]com
  • peterlindbergh-wetransfer[.]com
  • bbsphoto-wetransfer.picturesmaxx[.]com
  • spaces-hightail.seligerstudio-wetransfer[.]com
  • foxgroup-okta.seligerstudio-wetransfer[.]com

None of the WeTransfer spoofing infrastructure we identified and reviewed was hosting login pages directly. Some of the identified domains did redirect to a legitimate WeTransfer subdomain hosting a file upload page with a pre-populated “studio” email address.

Screenshot of WeTransfer Redirect with Pre-populated Email Address

Considering that the WeTransfer file transfer service is inconsistent with what an actor would mimic to conduct credential harvesting, at this time we are not sure how this spoofed infrastructure is being used. Additionally, we are not aware of the extent to which the actor has control over the legitimate WeTransfer subdomain site shown above.

Monitoring for Similar Registrations

As more and more infrastructure related to this activity shows up on a seemingly daily basis, it’s important to call out some avenues for proactively identifying new infrastructure, potentially before it is used in operations.

There are two actor-specific email addresses that we saw used to register the domains in this activity — heckman1243@gmail[.]com and grabowskiedwin@gmail[.]com. New domains registered using these email addresses probably will be related to this activity and should be scrutinized as such. In ThreatConnect, our DomainTools-powered Tracks can be used to monitor for new domains where these email addresses are in the WHOIS.

Creating a ThreatConnect Track for heckman1243@gmail[.]com


Reviewing the name servers being used for the domains in this activity we identify ns1.hostslick[.]com and ns1.anons[.]io. As of early March, these name servers are used by about 180 and 250 domains respectively, so while they are relatively small, domains unrelated to this activity almost certainly use these name servers. To that end, reviewing newly registered domains using these name servers for entertainment-related spoofs may help identify new infrastructure associated with this activity. A similar ThreatConnect Track to the one above can be used to look for new domains with the name server in the WHOIS.

Finally, monitoring passive DNS for IP addresses hosting the aforementioned domains can help identify newly hosted domains. Specifically, the IP addresses 142.11.205[.]49 and 31.148.220[.]196 host relatively few domains and possibly are dedicated to the actor behind this activity. New domains and subdomains resolving here have a good chance of being related to this activity. In ThreatConnect, clicking Follow Item on an IP address will alert you to new domains resolving to that IP address when DNS is enabled.

Screenshot of Following 31.148.220[.]196 in ThreatConnect

Similar to the research that we went through in the beginning, while 185.175.208[.]217 hosts many domains related to this activity, it hosts many seemingly unrelated domains as well. Monitoring passive DNS resolutions for this IP may help identify new infrastructure, but additional research into those new resolutions would be required.
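The three monitoring avenues above differ in how much confidence each gives, and that ordering can be encoded directly. The following is an added example, not ThreatConnect's Tracks or Follow Item features: it triages constructed domain records against the registrant emails, name servers, and IP addresses reported in the post, treating a watched registrant or a dedicated IP as high confidence, a watched name server or the shared HostSlick IP as weak unless the name also looks like an entertainment or authentication spoof, and everything else as noise. The record layout, the spoof-hint list, and the 203.0.113.0/24 and `.test` values are assumptions.

```python
"""Tiered triage of newly observed domain records."""
from dataclasses import dataclass

# Indicators from the article (refanged on use).
WATCH_EMAILS = {"heckman1243@gmail.com", "grabowskiedwin@gmail.com"}
DEDICATED_IPS = {"142.11.205.49", "31.148.220.196"}  # few domains; likely dedicated
SHARED_IPS = {"185.175.208.217"}                     # multi-tenant HostSlick IP
WATCH_NS = {"ns1.hostslick.com", "ns1.anons.io"}     # ~180 and ~250 domains each
# Strings seen in the spoofed names: authentication technology and sector orgs.
# Assumption: extend as the campaign's naming evolves.
SPOOF_HINTS = ("okta", "adfs", "oauth", "wetransfer", "picturesmaxx", "amcnetworks",
               "sony", "warnerbros", "umusic", "hulu", "foxgroup", "gettyimages",
               "harpercollins")


@dataclass(frozen=True)
class DomainRecord:
    """One WHOIS-plus-resolution record (constructed shape, not a vendor format)."""
    domain: str
    registrant_email: str = ""
    name_servers: tuple = ()
    ips: tuple = ()


def refang(value: str) -> str:
    return value.replace("[.]", ".").strip().lower()


def triage(rec: DomainRecord) -> tuple[str, list[str]]:
    """Return (tier, reasons). Tiers: 'high' review now, 'medium' review as a
    probable sector spoof, 'low' log for later research, 'none' ignore."""
    domain = refang(rec.domain)
    email = refang(rec.registrant_email)
    ips = {refang(ip) for ip in rec.ips}
    ns = {refang(n) for n in rec.name_servers}
    strong = []
    if email in WATCH_EMAILS:
        strong.append(f"registrant {email} used for this activity")
    for ip in sorted(ips & DEDICATED_IPS):
        strong.append(f"resolves to likely dedicated IP {ip}")
    if strong:
        return "high", strong
    weak = []
    for n in sorted(ns & WATCH_NS):
        weak.append(f"uses watched name server {n}")
    for ip in sorted(ips & SHARED_IPS):
        weak.append(f"resolves to shared IP {ip}; needs further research")
    if not weak:
        return "none", []
    hints = [h for h in SPOOF_HINTS if h in domain]
    if hints:
        return "medium", weak + [f"name contains spoof string(s) {hints}"]
    return "low", weak


# Constructed records: the emails, name servers, and IPs are from the article,
# the domains and 203.0.113.x addresses are invented for the example.
SAMPLE_RECORDS = [
    DomainRecord("new-studio-okta[.]test", registrant_email="heckman1243@gmail[.]com",
                 name_servers=("ns1.anons[.]io",), ips=("185.175.208[.]217",)),
    DomainRecord("press-portal[.]test", ips=("31.148.220[.]196",)),
    DomainRecord("sso-hulu[.]test", name_servers=("ns1.hostslick[.]com",),
                 ips=("203.0.113.10",)),
    DomainRecord("cryptogiveaway[.]test", ips=("185.175.208[.]217",)),
    DomainRecord("example[.]org", name_servers=("ns1.example[.]org",),
                 ips=("203.0.113.20",)),
]


def triage_all(records=SAMPLE_RECORDS) -> dict[str, str]:
    """Map each refanged domain to its tier, for batch review or a dashboard."""
    return {refang(r.domain): triage(r)[0] for r in records}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        tier, reasons = triage(rec)
        print(f"{tier:6} {refang(rec.domain)}: {'; '.join(reasons) or '-'}")
```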


As more of this infrastructure turns up, we’ll continue to share new intelligence in this Campaign Group. To date, we’ve identified about 390 domains, subdomains, and IPs associated with this activity by monitoring name servers, passive DNS resolutions, and specific email address registrations. Despite having identified a significant amount of infrastructure related to this activity, there are still a number of things that we don’t know or don’t have the necessary insight to answer, and that we hope to assess with future intelligence. Those include the following:

  • Who is behind this activity?
  • Who specifically is being targeted?
  • Has any of this activity actually been successful?
  • What is the end goal of this effort?
  • How do operations leveraging this infrastructure unfold?
  • Are other domains at the IP 185.175.208[.]217, and previously identified activity, associated with the actor behind this entertainment industry activity?

This investigation highlights a couple of important points that bear mentioning. First, knowing who or which threat group is behind activity isn’t necessary to build out your understanding of their network. Further, knowing the who isn’t necessary to exploit their registration and hosting tactics to proactively identify new, related infrastructure and actionable intelligence. Finally, in cases where traditional WHOIS or DNS co-location research fails, reviewing infrastructure naming conventions may help identify additional domains and subdomains associated with an actor.

The post Lights, Camera, Actionable Intelligence! appeared first on ThreatConnect | Intelligence-Driven Security Operations.

5 Reasons to Mark a False Positive in ThreatConnect

By taking an intelligence-driven approach, we can start to connect the dots in a more interesting fashion

ThreatConnect allows you to curate almost every facet of your intelligence — including indicator reputation. One of the best ways you can help keep a tidy shop is to flag an indicator as a False Positive (FP) when you encounter it. Notionally we’re all familiar with what this should do: it tells your colleagues (both human and software) that this indicator isn’t actually a threat and can be skipped in your day-to-day analysis.

By taking an intelligence-driven approach however, we can start to connect the dots in a more interesting fashion. Beyond signaling your coworkers, flagging an indicator as a False Positive has some interesting and far-reaching implications. Read on to see what impact you can have across the world with a single button click!


1. Decrease in ThreatAssess Score

An indicator’s ThreatAssess Score is greatly affected by the number of False Positives reported.

Our ThreatAssess algorithm leverages input from users to fine-tune an indicator’s reputation. The most immediate impact of clicking the False Positive button is that it will affect the score of an indicator. On a 1000-point scale, an indicator will drop as it continues to accrue FP votes. This will include votes within your organization, votes across organizations, and account for the age of votes over time! The ThreatAssess score has an impact on how your team can quickly understand and triage indicators, and can also impact integrations downstream.


2. False Positive Filters

Quickly identify which indicators have had FP votes directly from the Browse screen.

As FP votes accumulate on an indicator, there are controls built across the platform to allow you to sort data accordingly. Since FPs are a valuable form of context around your intelligence, we want to make sure you can access them in meaningful ways that help inform your decisions:

  • Use filters on the Browse screen to remove indicators with FP votes and clean up your workflow
  • Create Dashboard cards to identify which feeds and data sources are resulting in high concentrations of FPs in your network
  • Leverage our API and integration-based filters to fine-tune your tolerance for suspected FP indicators across your ecosystem


3. Global CAL counts

Quickly determine how many FPs have been submitted and how many times an indicator has been observed by global CAL users.

If you’re participating in ThreatConnect’s CAL™ (Collective Analytics Layer), all of the FP votes on an indicator will be sent to be anonymized and aggregated. These totals are what drive the rows you see in the Analytics card on an indicator’s Details Page. This provides valuable insight into how all analysts view an indicator. In addition to informing (and being informed) by your team, you can benefit from the analysis of the entire ThreatConnect user base.


4. Feed Evaluation

ThreatConnect’s Intelligence Report Card helps you better understand and prioritize feeds.

CAL doesn’t just count all of the FP votes, it puts them to work. One of CAL’s key uses for FP votes is feed evaluation, in the form of Report Cards. If you’re ever wondering which open source feeds to enable in your system, Report Cards are there to help! CAL computes key metrics of how each feed is performing across the ThreatConnect ecosystem, and your FP votes can help inform the Reliability Score of a feed. As I discussed in our blog post about Report Cards, Reliability Score is a measure of how many, and how egregious, the FPs are within a given feed. We’re all familiar with the garbage in/garbage out problem; this is one of our best ways of identifying the big offenders!


5. CAL Analytics

Drill further down into additional CAL Insights

There are multiple other analytics that CAL runs based on FP votes, each of which could fill its own blog post. CAL incorporates FP votes at a fundamental level into things like indicator reputation, classification, indicator status, and more! There’s more to consider than just the number of FP votes, so CAL uses its massive dataset and computing power to weigh additional factors such as FP vote timeliness, consensus, and other things we find to be significant.

The more data CAL accumulates, the smarter these analytics get!


The post 5 Reasons to Mark a False Positive in ThreatConnect appeared first on ThreatConnect | Intelligence-Driven Security Operations.