How Threat Hunters Enrich Indicators With Context
While data is king, context is his queen — together, they reign over domains that thrive on research, analysis, discovery, and exploration.
Nowhere is this more evident than in cyber threat intelligence, where raw data alone is powerless without context to give it meaning and direction.
Threat intelligence platforms and SOC teams collect vast amounts of information on cyber incidents and attacks, such as IP addresses, file hashes, and domain names.
But this data only becomes actionable when enriched with context.
Context is achieved by:
- Correlating Indicators of Compromise (IOCs) with known threats, campaigns, or adversaries. A suspicious IP address becomes more meaningful if linked to a specific APT group or malware strain.
- Attributing threats based on tactics, techniques, and procedures (TTPs) observed in attack patterns to help teams understand the intent and sophistication of attackers.
- Assessing real-time relevance by comparing emerging threats to historical attack data and industry-specific risks.
- Enriching intelligence with external sources, such as open-source threat feeds, government advisories, and dark web monitoring.
Let’s look at how this works in practice on a few typical cyber security challenges, using Threat Intelligence Lookup by ANY.RUN.
It is a search engine for exploring indicators of compromise, attack, and behavior, and for understanding the tactics and techniques of adversaries.
IP Context Enrichment
When a detection and monitoring system warns the security team about a suspicious IP address, their first impulse is to block traffic from that IP.
But understanding what exactly is happening is no less important. Let’s explore an IP address via TI Lookup:

What Do We Now Know About This IP?
Most importantly, it is associated with AsyncRAT, a dangerous malware that turns a computer into a zombie fully controlled by hackers and leaks sensitive data.
- It was spotted in malware samples analyzed in recent months, so it can be considered part of active malicious infrastructure. Measures must be taken immediately.
- We can view the analysis sessions of these samples in the Interactive Sandbox.
- We see that the IP is used in C2 (command-and-control) communications.
- There are a number of other IPs spotted in the same malware sample analyses, also tagged as malicious.
Mutex Context Enrichment
Mutexes are found in benign and malicious software alike. A mutex alone is rarely a definitive sign of infection. It must be correlated with other IOCs (e.g., network activity, process behavior, file hashes) to confirm a threat.
Mutexes often generate false positive alerts in monitoring systems. Malware samples can contain the same objects as legitimate programs, and many mutex names are generic.
Let’s see what happens if we enrich a mutex with another mutex as context, combining them in a single search request to TI Lookup:
(syncObjectName:"PackageManager" or syncObjectName:"DocumentUpdater") and syncObjectOperation:"Create" and threatName:"muddywater"

Now We Know That:
- The combination of mutexes with such innocent, generic names as PackageManager and DocumentUpdater occurs in malware campaigns of the MuddyWater APT group from Iran, which is exactly as dangerous as an APT group from Iran is supposed to be.
- The mutexes are generated by MuddyWater’s BugSleep backdoor.
- We can find more samples that use these mutexes in the Sandbox (see the Tasks tab in the search results).
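The IP and mutex sections above describe the same enrichment logic: tie an indicator to threat tags, judge whether it is still active from the last-seen date, collect co-occurring indicators, and treat a generic mutex name as evidence only when it co-occurs with the rest of the combination. The following Python is an added example (not ANY.RUN's code or API) that runs that logic over constructed, sandbox-style task records; the record layout, dates and indicator values are all assumptions for illustration.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sandbox-style records (not real ANY.RUN data): each task carries
# the threat it was tagged with, its analysis date and the IOCs it produced.
TASKS = [
    {"id": "t1", "threat": "asyncrat", "date": date(2025, 2, 10),
     "ips": {"203.0.113.7", "203.0.113.9"}, "mutexes": {"AsyncMutex_example"}},
    {"id": "t2", "threat": "asyncrat", "date": date(2025, 1, 28),
     "ips": {"203.0.113.7", "198.51.100.4"}, "mutexes": set()},
    {"id": "t3", "threat": "muddywater", "date": date(2024, 11, 3),
     "ips": set(), "mutexes": {"PackageManager", "DocumentUpdater"}},
    {"id": "t4", "threat": "benign", "date": date(2022, 5, 1),
     "ips": set(), "mutexes": {"PackageManager"}},
]

def enrich(indicator, kind, tasks=TASKS, today=date(2025, 2, 20), active_days=90):
    """Context for one IOC: threats it is tied to, whether it was seen recently
    enough to count as active infrastructure, and the IPs seen alongside it."""
    hits = [t for t in tasks if indicator in t[kind]]
    if not hits:
        return {"indicator": indicator, "hits": 0}
    last_seen = max(t["date"] for t in hits)
    related = Counter()
    for t in hits:
        related.update(t["ips"] - {indicator})   # co-occurring IPs from the same tasks
    return {
        "indicator": indicator,
        "hits": len(hits),
        "threats": dict(Counter(t["threat"] for t in hits)),
        "last_seen": last_seen.isoformat(),
        "active": today - last_seen <= timedelta(days=active_days),
        "related_ips": sorted(related),
        "tasks": [t["id"] for t in hits],
    }

def mutex_combo(names, tasks=TASKS):
    """Mirror the combined mutex query: report the threat tags of tasks that
    created *all* of the given mutex names, so a single generic name stays
    ambiguous while the full combination narrows down to one family."""
    names = set(names)
    return sorted({t["threat"] for t in tasks if names <= t["mutexes"]})
```

Querying a single generic mutex returns both the benign and the malicious tag; adding the second mutex removes the benign match.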
URL Context Enrichment
You spot a link, say, to a suspicious file in your network traffic. You search for this link via TI Lookup.

A simple request, but now we know that:
- The domain is part of the Phorpiex botnet infrastructure.
- It was detected in a sample analyzed less than a month ago, so Phorpiex can still be active and menacing, even though one might consider a botnet known since 2016 obsolete.
- The domain is associated with a number of other malware strains and should be blocked in your network.
Conclusion
In cyber threat intelligence, data alone is a ruler without direction; only with context does it command the full power to defend, predict, and counteract threats effectively.
By enriching indicators with additional data, SOC teams can set up effective detection, monitoring, and response, investigate phishing campaigns, and enhance proactive defenses.