3 SOC Challenges Solved by Threat Intelligence


An organization's security operations center (SOC) is the unit in charge of cyber threat prevention and mitigation.

Within this framework, several critical tasks involve gathering and analyzing data on threats, incidents and attacks. This process is usually referred to as threat intelligence.

It is not limited to the mere collection of information: it aims to produce actionable insights and put them into practice with business goals in mind.

Among the challenges of this preventive research are Threat Hunting, Threat Attribution, Incident Response, and Alert Triage. Below we look at how threat intelligence tools help solve these problems and improve an organization's performance.

Threat Hunting

Threat Hunting is a pillar of proactive cybersecurity: analysts search for signs of malicious activity within an organization’s network or systems that might have evaded digital defenses like firewalls, antiviruses, or intrusion detection systems.

Based on data from logs, network traffic and other sources, analysts form hypotheses about possible attack vectors and set up automated searches for indicators of compromise (IOCs) or anomalies that could suggest a breach. When a threat is identified, response follows: containment, eradication, and recovery.

Threat Intelligence Lookup from ANY.RUN is a top-notch solution for such tasks. It is a special-purpose search engine that supports fast, contextually enriched research of IOCs, IOAs (indicators of attack) and IOBs (indicators of behavior) and their correlation with known and emerging threats.


For example, we can compose the following search query to retrieve recent attacks employing stealer malware in which data from affected devices is sent to the attacker's Telegram bot.

destinationIpAsn:"Telegram Messenger Inc" AND threatName:"stealer" AND threatName:"exfiltration"

Attacks of info stealers involving Telegram messenger

IOCs highlighted in the search results can be collected for tuning automated detection systems (IPs, domains, file hashes), for employee education (potentially malicious file names), and for further research.

Get 500 free requests to test TI Lookup with your SOC team -> Contact ANY.RUN for trial

Incident Response and Alert Triage

Incident Response (IR) implies identifying and managing security incidents to minimize their impact on an organization. The goal is to contain the incident, eradicate the threat, and recover normal operations as quickly as possible.

Alert Triage (AT) is evaluating and prioritizing security alerts generated by monitoring tools (e.g., SIEM, IDS, firewalls). Since not all alerts are equally critical, triage helps the SOC team focus on the important ones and sort out false positives. High-priority alerts are escalated for immediate action.

For IR and AT, threat intelligence enriches alerts with contextual and historic data on IPs, domains, file hashes, malware signatures, etc.

Researching emerging threats makes it possible to deploy anticipatory defenses: systems are configured to look for new indicators of attack before those attacks become widespread.

TI reveals the links between indicators and known threat actors, malware campaigns, or attack techniques, which makes it possible to rank threats by the danger they pose and by how urgently they demand action. For a business, this provides not only the security of its digital environment but also efficient allocation of workforce and resources.

For instance, you observe one of the devices in your network connecting to a certain IP. A TI Lookup search for this IP reveals its links to Xworm, a multi-purpose malware family mainly notorious for its RAT and ransomware campaigns.

Search results for a suspicious IP

Threat Intelligence Lookup is closely integrated with ANY.RUN’s Interactive Sandbox: recent analysis sessions featuring Xworm malware are listed in the “Tasks” tab of the search results.  

Analysis sessions unveiling the link between an IP address and malware agents

You can view any of these sessions in the sandbox or run your own analysis and get the picture of Xworm attack mechanics. This information will fuel your protection effort and help your organization avoid financial losses, reputation damage and other possible breach consequences.  

A sandbox session where Xworm was detected

Threat Attribution 

Threat attribution is the practice of identifying the source or actor behind a cyberattack. It is important for understanding the adversary's motives, capabilities, and methods, and for choosing protective measures accordingly. It also provides evidence for legal action against cybercriminals.

Threat intelligence services are essential here: they identify the tools, tactics, and infrastructure used in the attack, deepen the understanding of the attackers' behaviors and patterns, and highlight connections to other incidents.

Here is an example: imagine that you have spotted an unfamiliar mutex object on one of your network endpoints. You use the object's name, "DocumentUpdater", for a TI Lookup search request: syncObjectName:"DocumentUpdater"

Sandbox sessions where the mutex was found along with malicious activity

The mutex in question has been detected in several malware analysis sessions. The sessions are tagged "muddywater", the name of a well-known advanced persistent threat (APT) group from Iran. Hence "DocumentUpdater" must be treated as a threat indicator and used as such when configuring security systems.
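The alert-ranking workflow described in the Incident Response and Alert Triage section, and the field:"value" query syntax used in the Telegram and mutex lookups above, as an added example that is not ANY.RUN's code or API. It assumes a constructed local cache standing in for lookup results, an assumed weighting policy, and an assumed destinationIP field name (only syncObjectName, threatName and destinationIpAsn appear in the article).

```python
from dataclasses import dataclass, field

# Constructed TI cache: indicator -> tags seen in sandbox sessions. Values are
# hypothetical except the "DocumentUpdater" mutex and the tag names from the article.
TI_CACHE = {
    "203.0.113.7": {"xworm", "rat"},               # TEST-NET address, constructed
    "DocumentUpdater": {"muddywater", "apt"},      # mutex name from the article
    "198.51.100.23": {"stealer", "exfiltration"},  # TEST-NET address, constructed
}

# Weight given to each tag when ranking alerts (assumed policy, not ANY.RUN's).
TAG_WEIGHTS = {"apt": 50, "rat": 40, "exfiltration": 30, "stealer": 20}


@dataclass
class Alert:
    alert_id: str
    lookup_field: str   # TI Lookup field to query, e.g. syncObjectName; destinationIP is assumed
    indicator: str
    base_severity: int
    tags: set = field(default_factory=set)
    score: int = 0


def _quote(value: str) -> str:
    """Quote a value for the field:"value" syntax, escaping embedded quotes."""
    return '"' + value.replace('"', '\\"') + '"'


def build_lookup_query(**terms: str) -> str:
    """Join field:"value" terms with AND, as in the article's example queries."""
    return " AND ".join(f"{name}:{_quote(value)}" for name, value in terms.items())


def enrich(alert: Alert, cache=TI_CACHE) -> Alert:
    """Attach cached tags to the alert and compute its triage score."""
    alert.tags = set(cache.get(alert.indicator, ()))
    alert.score = alert.base_severity + sum(TAG_WEIGHTS.get(t, 0) for t in alert.tags)
    return alert


def triage(alerts, cache=TI_CACHE, escalate_at=50):
    """Return (alerts to escalate, highest score first; lookup queries for unknown IOCs)."""
    ranked = sorted((enrich(a, cache) for a in alerts), key=lambda a: -a.score)
    escalated = [a for a in ranked if a.score >= escalate_at]
    to_research = [build_lookup_query(**{a.lookup_field: a.indicator})
                   for a in ranked if not a.tags]
    return escalated, to_research
```

Indicators absent from the cache are not dropped: they come back as ready-made TI Lookup queries so the analyst can enrich them before deciding on priority.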

Conclusion

By integrating Threat Intelligence into SOC workflows, an organization completes its cyber defense with faster and more accurate threat identification, attribution, and response, reducing the time and effort required for security teams to assess risks.

TI Lookup provides the ability to correlate threats with known malware families and adversaries and extract critical insights for informed decision-making, regulatory compliance, and legal action against cybercriminals. 

Start integrating TI Lookup in your security framework -> Choose your subscription plan.
