To defend your group in opposition to cyber threats, you want a transparent image of the present menace panorama. This implies always increasing your information about new and ongoing threats.
There are various strategies analysts can use to gather essential cyber menace intelligence. Let’s take into account 5 that may tremendously enhance your menace investigations.
Pivoting on С2 IP addresses to pinpoint malware
IP addresses utilized by malware to speak with its command and management (C2) servers are precious indicators. They may also help not solely replace your defenses, but additionally determine associated infrastructure and instruments belonging to menace actors.
That is executed utilizing the pivoting methodology, which lets analysts discover further context on the menace at hand with an present indicator.
To carry out pivoting, analysts use numerous sources, together with menace intelligence databases that retailer giant volumes of recent menace information and provide search capabilities.
One useful gizmo is Risk Intelligence Lookup from ANY.RUN. This service permits you to search its database utilizing over 40 completely different question parameters, comparable to:
- Community indicators (IP addresses, domains)
- Registry and file system paths
- Particular menace names, file names, and hashes
ANY.RUN gives information related to the symptoms or artifacts in your question, together with sandbox periods the place the information was discovered. This helps analysts pin down a sure indicator or their mixture to a selected assault, uncover its context, and accumulate important menace intelligence.
To reveal the way it works, let’s use the next IP handle as a part of our question: 162[.]254[.]34[.]31. In your case, the preliminary indicator could come from an alert generated by an SIEM system, a menace intelligence feed, or analysis.
 |
| The overview tab exhibits the important thing outcomes of our search |
Submitting the IP handle to TI Lookup immediately permits us to see that his IP has been linked to malicious exercise. It additionally lets us know that the precise menace used with this IP is AgentTesla.
The service shows domains associated to the indicator, in addition to ports utilized by malware when connecting to this handle.
 |
| Suricata IDS rule linked to the queried IP signifies information exfiltration through SMTP |
Different data accessible to us contains information, synchronization objects (mutexes), ASN, and triggered Suricata guidelines that have been found in sandbox periods involving the IP handle in query.
 |
| Sandbox session listed as one of many ends in TI Lookup |
We will additionally navigate to one of many sandbox periods the place the IP was noticed to see all the assault and accumulate much more related data, in addition to rerun the evaluation of the pattern to review it in real-time.
Take a look at TI Lookup to see the way it can enhance your menace investigations. Request a 14-day free trial.
Utilizing URLs to reveal menace actors’ infrastructure
Inspecting the domains and subdomains can present precious data on URLs used for internet hosting malware. One other widespread use case is figuring out web sites utilized in phishing assaults. Phishing web sites usually mimic authentic websites to trick customers into getting into delicate data. By analyzing these domains, analysts can uncover patterns and uncover broader infrastructure employed by attackers.
 |
| URLs matching our search question for Lumma’s payload internet hosting infrastructure |
As an illustration, the Lumma malware is thought to make use of URLs that finish in “.store” to retailer malicious payloads. By submitting this indicator to TI Lookup together with the menace’s identify we will zoom in on the newest domains and URLs used within the malware’s assaults.
Figuring out threats by particular MITRE TTPs
The MITRE ATT&CK framework is a complete information base of adversary ways, strategies, and procedures (TTPs). Utilizing particular TTPs as a part of your investigations may also help you determine rising threats. Proactively constructing your information about present threats contributes to your preparedness in opposition to potential assaults sooner or later.
 |
| Hottest TTPs over the half 60 days displayed by ANY.RUN’s Risk Intelligence Portal |
ANY.RUN gives a stay rating of the preferred TTPs detected throughout 1000’s of malware and phishing samples analyzed within the ANY.RUN sandbox.
 |
| Sandbox periods matching a question that includes a MITRE TTP together with a detection rule |
We will decide any of the TTPs and submit it for search in TI Lookup to seek out sandbox periods the place their cases have been discovered. As proven above, combining T1552.001 (Credentials in Recordsdata) with the rule “Steals credentials from Net Browsers” permits us to determine analyses of threats participating in these actions.
Amassing samples with YARA guidelines
YARA is a software used to create descriptions of malware households primarily based on textual or binary patterns. A YARA rule may search for particular strings or byte sequences which are attribute of a specific malware household. This method is extremely efficient for automating the detection of identified malware and for rapidly figuring out new variants that share related traits.
Companies like TI Lookup present built-in YARA Search that permits you to add, edit, retailer, and use your customized guidelines to seek out related samples.
 |
| Search utilizing a XenoRAT YARA rule revealed over 170 matching information |
We will use a YARA rule for XenoRAT, a well-liked malware household used for distant management and information theft, to find the newest samples of this menace. Aside from information that match the contents of the rule, the service additionally gives sandbox periods to discover these information in a wider context.
Discovering malware with command line artifacts and course of names
Figuring out malware by means of command line artifacts and course of names is an efficient however unusual approach, as most sources of menace intelligence don’t present such capabilities.
ANY.RUN’s menace intelligence database stands out by sourcing information from stay sandbox periods, providing entry to actual command line information, processes, registry modifications, and different parts and occasions recorded in the course of the execution of malware within the sandbox.
 |
| TI Lookup outcomes for the command line and course of search associated to Strela stealer |
For example, we will use a command line string utilized by Strela stealer along with the online.exe course of to entry a folder on its distant server named “davwwwroot”.
TI Lookup gives quite a few samples, information, and occasions present in sandbox periods that match our question. We will use the knowledge to extract extra insights into the menace we’re dealing with.
Combine Risk Intelligence Lookup from ANY.RUN
To hurry up and enhance the standard of your menace analysis efforts, you should utilize TI Lookup.
ANY.RUN’s menace intelligence is sourced from samples uploaded to the sandbox for evaluation by over 500,000 researchers the world over. You may search this large database utilizing greater than 40 search parameters.
To study extra on easy methods to enhance your menace investigations with TI Lookup, tune in to ANY.RUN’s stay webinar on October 23, 02:00 PM GMT (UTC +0).
