
Threat Intelligence with Sandbox Analysis: Security Analyst Guide

by Kubernetes Security on AWS

Threat intelligence (TI) is a core part of an organization's security program: it tracks the evolving threat landscape and supports timely detection. However, the information delivered by TI solutions often lacks the specifics needed to act on it with confidence. Malware analysis sandboxes are one way to close that gap.

What is Threat Intelligence?

Threat intelligence is information about known and emerging threats, distilled from large volumes of raw data into actionable indicators of compromise (IOCs) such as file hashes, IP addresses, domains and URLs. Fed into a security information and event management (SIEM) system, these indicators are matched against network and application events to surface compromises and to inform security decisions.

There are two types of TI sources: internal and external. For a proper security posture, a combination of both is required.

Internal sources of TI are data collected from the organization's own networks and systems.

External sources of TI include information collected from outside the organization, such as:

  • Open-source intelligence (OSINT), such as news articles, social media posts, and security research blogs
  • Commercial threat intelligence feeds
  • Government and industry reports
  • Information sharing and analysis centers (ISACs)

One example of external threat intelligence is ANY.RUN’s Threat Intelligence Feeds, a service that offers near-real-time visibility of the global threat landscape and is compatible with various SIEM solutions.
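The feed-to-SIEM matching described above, as an added Python example that is not code from the original article or from ANY.RUN. The feed records, their defanged values ("[.]", "hxxp") and the DNS/proxy/EDR log lines are all constructed for illustration, and the `type`/`value`/`threat` record shape and the `key=value` log format are assumptions, not any product's real schema. The example goes slightly beyond the text by normalising defanged indicators and matching subdomains of a listed domain, two details that otherwise cause silent misses when a feed is loaded into a SIEM.

```python
import re

# Constructed sample feed. The record shape (type/value/threat) is a generic
# stand-in, not ANY.RUN's feed schema. Values are defanged the way many feeds
# ship them ("[.]", "hxxp"), and the hash is upper-case on purpose.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "threat": "loader C2"},
    {"type": "domain", "value": "update-checker[.]example", "threat": "stealer C2"},
    {"type": "url", "value": "hxxp://cdn-files[.]example/payload.bin", "threat": "payload host"},
    {"type": "sha256",
     "value": "4F8C0E8B2A1D7E6F9C3B5A4D8E7F6A5B4C3D2E1F0A9B8C7D6E5F4A3B2C1D0E9F",
     "threat": "dropper"},
]

# Constructed log lines in a simple "timestamp source key=value ..." format
# (DNS, proxy and EDR events); not the output of any real product.
LOGS = r"""
2024-05-02T10:14:03Z dns client=10.0.0.12 query=update-checker.example type=A
2024-05-02T10:14:04Z proxy client=10.0.0.12 dst=203.0.113.45:443 method=CONNECT
2024-05-02T10:14:09Z proxy client=10.0.0.12 url=http://cdn-files.example/payload.bin status=200
2024-05-02T10:14:15Z edr host=WS-12 proc=C:\Users\a\AppData\Local\Temp\svc.exe sha256=4f8c0e8b2a1d7e6f9c3b5a4d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f
2024-05-02T10:16:40Z dns client=10.0.0.12 query=cdn.update-checker.example type=A
2024-05-02T10:20:00Z dns client=10.0.0.30 query=www.microsoft.com type=A
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")   # optional :port
HOST_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(value):
    """Normalise an indicator so feed and log values compare equal:
    lower-case it and undo common defanging ("[.]", "[dot]", "hxxp")."""
    v = value.strip().lower()
    for bad, good in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("[:]", ":"), ("hxxp", "http")):
        v = v.replace(bad, good)
    return v


def build_index(feed):
    """Map ioc type -> {normalised value: threat label} for O(1) lookups."""
    index = {"ip": {}, "domain": {}, "url": {}, "sha256": {}}
    for entry in feed:
        index[entry["type"]][refang(entry["value"])] = entry["threat"]
    return index


def lookup_domain(host, domains):
    """Return the feed domain matching host exactly or as a parent
    (cdn.evil.example hits a feed entry for evil.example). The bare TLD is never tried."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify(value):
    """Decide what kind of indicator a log field value is, if any."""
    if SHA256_RE.match(value):
        return "sha256", value
    m = IPV4_RE.match(value)
    if m:
        return "ip", m.group(1)            # port stripped
    if value.startswith(("http://", "https://")):
        return "url", value
    if HOST_RE.match(value):
        return "domain", value
    return None, None


def match_logs(logs, feed=FEED):
    """Scan key=value log fields against the feed; return one alert per hit."""
    index = build_index(feed)
    alerts = []
    for line in logs.splitlines():
        if not line.strip():
            continue
        timestamp = line.split()[0]
        for key, raw in KV_RE.findall(line):
            kind, ioc = classify(refang(raw))
            hit = None
            if kind == "url":
                if ioc in index["url"]:
                    hit = ("url", ioc)
                else:  # no exact URL match: fall back to the URL's host
                    host = ioc.split("//", 1)[1].split("/")[0].split(":")[0]
                    parent = lookup_domain(host, index["domain"])
                    hit = ("domain", parent) if parent else None
            elif kind == "domain":
                parent = lookup_domain(ioc, index["domain"])
                hit = ("domain", parent) if parent else None
            elif kind and ioc in index[kind]:
                hit = (kind, ioc)
            if hit:
                alerts.append({"time": timestamp, "field": key, "ioc_type": hit[0],
                               "ioc": hit[1], "threat": index[hit[0]][hit[1]], "line": line})
    return alerts


if __name__ == "__main__":
    for a in match_logs(LOGS):
        print(f'{a["time"]} {a["ioc_type"]:6} {a["ioc"]}  <- {a["threat"]} ({a["field"]}=)')
```

Running it against the constructed log yields five alerts: the C2 domain lookup, the CONNECT to the C2 IP, the payload URL, the dropper hash (matched despite the feed's upper-case spelling), and the subdomain lookup that a naive exact-match rule would miss. The Microsoft lookup and the internal client addresses produce nothing.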

What is Sandbox Analysis?

Sandboxing is a method of examining suspicious files and links by detonating them inside an isolated virtual machine. This lets security teams observe a potential threat without exposing their own systems. The isolation is only as strong as the VM's network and hypervisor boundary, and some malware checks for virtualization artifacts and stays dormant when it believes it is being analyzed, so a quiet run is not proof that a sample is benign.

For instance, ANY.RUN's cloud-based malware analysis sandbox lets users upload a file or submit a URL and watch how it behaves. Analysts can interact with the infected virtual machine directly, as they would with an ordinary computer. The sandbox collects the resulting data, processes it, and presents the key findings, such as IOCs and extracted malware configurations, which can then be used to make better security decisions.


How Sandboxing Enriches Threat Intelligence

Understand the behavior of malware

Threat intelligence feeds provide valuable information about emerging threats and vulnerabilities, but they often lack granular details about the specific actions of malware. With sandbox analysis, it is possible to closely observe the behavior of threats, such as how they communicate, how they spread, and what vulnerabilities they exploit. 

The insights gained from sandbox analysis can be used to enrich threat intelligence feeds with more actionable details. Such findings can be used to identify additional information on the malware, update signatures or detection rules, and develop targeted mitigation strategies.

Validate threat intelligence feeds 

The accuracy of TI feeds is not guaranteed, so security teams need a way to validate them. When an alert is raised on feed data, analysts can detonate the suspected file or URL in a sandbox and check whether it actually behaves maliciously.

By observing the sample's behavior in the sandbox, analysts can confirm whether it performs malicious actions. This validation step helps ensure that security teams respond to genuine threats and do not waste time on false positives.

Identify relationships between threats 

Threat intelligence feed databases often contain disconnected data points about individual threats, making it challenging to identify patterns and relationships between them. This fragmented view of a single threat campaign can hinder effective response. 

By submitting samples that feeds flag as malicious to a sandbox, analysts can observe the malware's behavior and extract additional IOCs, such as the IP addresses and domains it contacts. Cross-referencing those IOCs against the feed database reveals other files tied to the same campaign and gives a clearer picture of the threat's overall scope.
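The three workflows from this section (enriching a feed record with sandbox-derived IOCs, validating a feed verdict from observed behavior, and pivoting on shared IOCs to find related samples) as one added Python example. This is not ANY.RUN's code, feed schema or report format: the feed database, the two sandbox reports, the synthetic hashes and the benign-domain list are constructed for illustration, and field names such as `behaviors`, `network` and `config` are assumptions about what a sandbox report exposes.

```python
import copy

# Constructed feed database keyed by sample hash. Each record carries the IOCs the
# feed already knows for that sample. Generic shape, not a real feed's schema;
# the hashes are obviously synthetic.
FEED_DB = [
    {"sha256": "a" * 64, "family": "RedLine", "verdict": "malicious",
     "iocs": {"ip": {"203.0.113.45"}, "domain": set()}},
    {"sha256": "b" * 64, "family": "RedLine", "verdict": "malicious",
     "iocs": {"ip": {"198.51.100.7"}, "domain": {"cdn-files.example"}}},
    {"sha256": "c" * 64, "family": "unknown", "verdict": "suspicious",
     "iocs": {"ip": set(), "domain": {"telemetry.example"}}},
]

# Constructed sandbox reports reduced to what the workflow needs (behaviour
# signatures, network contacts, extracted config). Not ANY.RUN's report format.
REPORT_A = {
    "sha256": "a" * 64,
    "behaviors": [
        {"name": "Creates scheduled task for persistence", "severity": "malicious"},
        {"name": "Reads browser credential store", "severity": "malicious"},
        {"name": "Queries machine GUID", "severity": "suspicious"},
    ],
    "network": [
        {"domain": "update-checker.example", "ip": "203.0.113.45", "port": 443},
        {"domain": "cdn-files.example", "ip": "198.51.100.7", "port": 80},
        {"domain": "ctldl.windowsupdate.com", "ip": "192.0.2.77", "port": 80},  # OS background noise
    ],
    "config": {"family": "RedLine", "c2": ["203.0.113.45:443"]},
}
REPORT_C = {  # sample that did nothing useful inside the VM
    "sha256": "c" * 64,
    "behaviors": [{"name": "Checks for virtualization artifacts", "severity": "suspicious"}],
    "network": [],
    "config": None,
}

# Domains a clean Windows VM talks to on its own; never promote these to IOCs.
BENIGN_SUFFIXES = ("windowsupdate.com", "microsoft.com", "msftconnecttest.com")
EVASION_WORDS = ("virtual", "sandbox", "debugger")


def is_benign(domain):
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def validate(report):
    """Confirm a feed verdict from observed behaviour. A run with no malicious
    behaviour but with evasion checks is inconclusive, not a false positive."""
    malicious = [b["name"] for b in report["behaviors"] if b["severity"] == "malicious"]
    evasion = any(w in b["name"].lower() for b in report["behaviors"] for w in EVASION_WORDS)
    if malicious or report.get("config"):
        return {"verdict": "confirmed", "evidence": malicious}
    if evasion:
        return {"verdict": "inconclusive", "evidence": ["evasion check seen; rerun on another VM image"]}
    return {"verdict": "no_malicious_behavior", "evidence": []}


def extract_iocs(report):
    """Network IOCs from the report, with sandbox noise filtered out and C2
    addresses from the extracted config folded in."""
    ips, domains = set(), set()
    for conn in report["network"]:
        if is_benign(conn["domain"]):
            continue
        ips.add(conn["ip"])
        domains.add(conn["domain"])
    for c2 in (report.get("config") or {}).get("c2", []):
        ips.add(c2.split(":")[0])
    return {"ip": ips, "domain": domains}


def enrich(feed_record, report):
    """Return an updated copy of the feed record plus the IOCs that were new to it."""
    updated = copy.deepcopy(feed_record)
    added = {}
    for kind, values in extract_iocs(report).items():
        fresh = values - updated["iocs"][kind]
        updated["iocs"][kind] |= fresh
        added[kind] = fresh
    return updated, added


def pivot(report, feed_db):
    """Other feed records sharing an IOC with this report: candidates for the same campaign."""
    iocs = extract_iocs(report)
    related = []
    for rec in feed_db:
        if rec["sha256"] == report["sha256"]:
            continue
        shared = {k: iocs[k] & rec["iocs"][k] for k in iocs if iocs[k] & rec["iocs"][k]}
        if shared:
            related.append({"sha256": rec["sha256"], "family": rec["family"], "shared": shared})
    return related


def triage(report, feed_db):
    """Validate, then (only for a confirmed sample) enrich its feed record, then pivot."""
    record = next((r for r in feed_db if r["sha256"] == report["sha256"]), None)
    result = {"validation": validate(report), "added": {}, "related": pivot(report, feed_db)}
    if record and result["validation"]["verdict"] == "confirmed":
        _, result["added"] = enrich(record, report)
    return result


if __name__ == "__main__":
    for rep in (REPORT_A, REPORT_C):
        print(rep["sha256"][:8], triage(rep, FEED_DB))
```

Two design points worth keeping when adapting this: the benign-suffix filter stops routine OS traffic from being written back into the feed as "C2", and `validate` deliberately reports a behaviour-free run that performed virtualization checks as inconclusive rather than clearing the sample, since dormant malware and a false positive look identical from the outside.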

How to integrate threat intelligence feeds with a sandbox

Security teams looking to integrate threat intelligence feeds and sandboxing platforms require tools that work seamlessly together. ANY.RUN offers a unified solution that simplifies this integration process.

ANY.RUN has an extensive database of over 50 million samples of malicious files and links. This vast repository, constantly updated with 14,000 new samples each day, is fueled by the contributions of over 400,000 analysts worldwide.

By leveraging ANY.RUN's Threat Intelligence Feeds, organizations get a continuous stream of up-to-date information on known and emerging threats. The feed is refreshed every two hours and provides not only IOCs but also context, including the samples behind them, which users can analyze further in ANY.RUN's interactive sandbox to gain deeper insight into a threat.


Using a combination of threat intelligence feeds and malware analysis sandboxes leads to effective threat detection and examination. Feeds provide real-time identification of suspicious files and links, enabling sandboxes to conduct a thorough analysis, enhancing security decision-making and safeguarding organizations from cyberattacks.

Discover how the ANY.RUN sandbox can enhance your organization's security posture with a 14-day free trial that offers Windows 10 and 11 VMs, a private space for your team, an extensive set of analysis tools, and comprehensive reports with IOCs and configs.

