To defend your group towards cyber threats, you want a transparent image of the present risk panorama. This implies consistently increasing your data about new and ongoing threats.
There are numerous methods analysts can use to gather essential cyber risk intelligence. Let’s think about 5 that may significantly enhance your risk investigations.
Pivoting on С2 IP addresses to pinpoint malware
IP addresses utilized by malware to speak with its command and management (C2) servers are useful indicators. They may help not solely replace your defenses, but additionally establish associated infrastructure and instruments belonging to risk actors.
That is achieved utilizing the pivoting methodology, which lets analysts discover further context on the risk at hand with an current indicator.
To carry out pivoting, analysts use numerous sources, together with risk intelligence databases that retailer giant volumes of recent risk information and provide search capabilities.
One useful gizmo is Menace Intelligence Lookup from ANY.RUN. This service means that you can search its database utilizing over 40 completely different question parameters, reminiscent of:
- Community indicators (IP addresses, domains)
- Registry and file system paths
- Particular risk names, file names, and hashes
ANY.RUN supplies information related to the symptoms or artifacts in your question, together with sandbox classes the place the information was discovered. This helps analysts pin down a sure indicator or their mixture to a particular assault, uncover its context, and accumulate important risk intelligence.
To reveal the way it works, let’s use the next IP deal with as a part of our question: 162[.]254[.]34[.]31. In your case, the preliminary indicator might come from an alert generated by an SIEM system, a risk intelligence feed, or analysis.
 |
| The overview tab exhibits the important thing outcomes of our search |
Submitting the IP deal with to TI Lookup immediately permits us to see that his IP has been linked to malicious exercise. It additionally lets us know that the precise risk used with this IP is AgentTesla.
The service shows domains associated to the indicator, in addition to ports utilized by malware when connecting to this deal with.
 |
| Suricata IDS rule linked to the queried IP signifies information exfiltration through SMTP |
Different info out there to us contains recordsdata, synchronization objects (mutexes), ASN, and triggered Suricata guidelines that have been found in sandbox classes involving the IP deal with in query.
 |
| Sandbox session listed as one of many leads to TI Lookup |
We are able to additionally navigate to one of many sandbox classes the place the IP was noticed to see all the assault and accumulate much more related info, in addition to rerun the evaluation of the pattern to review it in real-time.
Take a look at TI Lookup to see the way it can enhance your risk investigations. Request a 14-day free trial.
Utilizing URLs to show risk actors’ infrastructure
Analyzing the domains and subdomains can present useful info on URLs used for internet hosting malware. One other frequent use case is figuring out web sites utilized in phishing assaults. Phishing web sites usually mimic reliable websites to trick customers into getting into delicate info. By analyzing these domains, analysts can uncover patterns and uncover broader infrastructure employed by attackers.
 |
| URLs matching our search question for Lumma’s payload internet hosting infrastructure |
As an example, the Lumma malware is thought to make use of URLs that finish in “.store” to retailer malicious payloads. By submitting this indicator to TI Lookup together with the risk’s title we will zoom in on the most recent domains and URLs used within the malware’s assaults.
Figuring out threats by particular MITRE TTPs
The MITRE ATT&CK framework is a complete data base of adversary ways, methods, and procedures (TTPs). Utilizing particular TTPs as a part of your investigations may help you establish rising threats. Proactively constructing your data about present threats contributes to your preparedness towards potential assaults sooner or later.
 |
| Hottest TTPs over the half 60 days displayed by ANY.RUN’s Menace Intelligence Portal |
ANY.RUN supplies a stay rating of the most well-liked TTPs detected throughout 1000’s of malware and phishing samples analyzed within the ANY.RUN sandbox.
 |
| Sandbox classes matching a question that includes a MITRE TTP together with a detection rule |
We are able to choose any of the TTPs and submit it for search in TI Lookup to search out sandbox classes the place their situations have been discovered. As proven above, combining T1552.001 (Credentials in Information) with the rule “Steals credentials from Net Browsers” permits us to establish analyses of threats partaking in these actions.
Accumulating samples with YARA guidelines
YARA is a instrument used to create descriptions of malware households based mostly on textual or binary patterns. A YARA rule may search for particular strings or byte sequences which might be attribute of a specific malware household. This system is extremely efficient for automating the detection of recognized malware and for shortly figuring out new variants that share comparable traits.
Providers like TI Lookup present built-in YARA Search that permits you to add, edit, retailer, and use your customized guidelines to search out related samples.
 |
| Search utilizing a XenoRAT YARA rule revealed over 170 matching recordsdata |
We are able to use a YARA rule for XenoRAT, a well-liked malware household used for distant management and information theft, to find the most recent samples of this risk. Aside from recordsdata that match the contents of the rule, the service additionally supplies sandbox classes to discover these recordsdata in a wider context.
Discovering malware with command line artifacts and course of names
Figuring out malware by command line artifacts and course of names is an efficient however unusual approach, as most sources of risk intelligence don’t present such capabilities.
ANY.RUN’s risk intelligence database stands out by sourcing information from stay sandbox classes, providing entry to actual command line information, processes, registry modifications, and different elements and occasions recorded in the course of the execution of malware within the sandbox.
 |
| TI Lookup outcomes for the command line and course of search associated to Strela stealer |
For example, we will use a command line string utilized by Strela stealer along with the web.exe course of to entry a folder on its distant server named “davwwwroot”.
TI Lookup supplies quite a few samples, recordsdata, and occasions present in sandbox classes that match our question. We are able to use the knowledge to extract extra insights into the risk we’re dealing with.
Combine Menace Intelligence Lookup from ANY.RUN
To hurry up and enhance the standard of your risk analysis efforts, you should utilize TI Lookup.
ANY.RUN’s risk intelligence is sourced from samples uploaded to the sandbox for evaluation by over 500,000 researchers internationally. You may search this huge database utilizing greater than 40 search parameters.
To study extra on easy methods to enhance your risk investigations with TI Lookup, tune in to ANY.RUN’s stay webinar on October 23, 02:00 PM GMT (UTC +0).