To defend your group towards cyber threats, you want a transparent image of the present risk panorama. This implies continually increasing your information about new and ongoing threats.
There are numerous strategies analysts can use to gather essential cyber risk intelligence. Let’s contemplate 5 that may significantly enhance your risk investigations.
Pivoting on С2 IP addresses to pinpoint malware
IP addresses utilized by malware to speak with its command and management (C2) servers are priceless indicators. They will help not solely replace your defenses, but in addition establish associated infrastructure and instruments belonging to risk actors.
That is completed utilizing the pivoting methodology, which lets analysts discover further context on the risk at hand with an current indicator.
To carry out pivoting, analysts use varied sources, together with risk intelligence databases that retailer giant volumes of contemporary risk information and provide search capabilities.
One useful gizmo is Menace Intelligence Lookup from ANY.RUN. This service means that you can search its database utilizing over 40 completely different question parameters, comparable to:
- Community indicators (IP addresses, domains)
- Registry and file system paths
- Particular risk names, file names, and hashes
ANY.RUN supplies information related to the indications or artifacts in your question, together with sandbox periods the place the info was discovered. This helps analysts pin down a sure indicator or their mixture to a particular assault, uncover its context, and acquire important risk intelligence.
To exhibit the way it works, let’s use the next IP tackle as a part of our question: 162[.]254[.]34[.]31. In your case, the preliminary indicator could come from an alert generated by an SIEM system, a risk intelligence feed, or analysis.
The overview tab exhibits the important thing outcomes of our search |
Submitting the IP tackle to TI Lookup immediately permits us to see that his IP has been linked to malicious exercise. It additionally lets us know that the particular risk used with this IP is AgentTesla.
The service shows domains associated to the indicator, in addition to ports utilized by malware when connecting to this tackle.
Suricata IDS rule linked to the queried IP signifies information exfiltration by way of SMTP |
Different info out there to us contains recordsdata, synchronization objects (mutexes), ASN, and triggered Suricata guidelines that have been found in sandbox periods involving the IP tackle in query.
Sandbox session listed as one of many ends in TI Lookup |
We are able to additionally navigate to one of many sandbox periods the place the IP was noticed to see the complete assault and acquire much more related info, in addition to rerun the evaluation of the pattern to check it in real-time.
Check TI Lookup to see the way it can enhance your risk investigations. Request a 14-day free trial.
Utilizing URLs to show risk actors’ infrastructure
Analyzing the domains and subdomains can present priceless info on URLs used for internet hosting malware. One other widespread use case is figuring out web sites utilized in phishing assaults. Phishing web sites usually mimic official websites to trick customers into getting into delicate info. By analyzing these domains, analysts can uncover patterns and uncover broader infrastructure employed by attackers.
URLs matching our search question for Lumma’s payload internet hosting infrastructure |
For example, the Lumma malware is understood to make use of URLs that finish in “.shop” to retailer malicious payloads. By submitting this indicator to TI Lookup together with the risk’s title we will zoom in on the most recent domains and URLs used within the malware’s assaults.
Figuring out threats by particular MITRE TTPs
The MITRE ATT&CK framework is a complete information base of adversary techniques, strategies, and procedures (TTPs). Utilizing particular TTPs as a part of your investigations will help you establish rising threats. Proactively constructing your information about present threats contributes to your preparedness towards potential assaults sooner or later.
Hottest TTPs over the half 60 days displayed by ANY.RUN’s Menace Intelligence Portal |
ANY.RUN supplies a dwell rating of the preferred TTPs detected throughout hundreds of malware and phishing samples analyzed within the ANY.RUN sandbox.
Sandbox periods matching a question that includes a MITRE TTP together with a detection rule |
We are able to decide any of the TTPs and submit it for search in TI Lookup to seek out sandbox periods the place their cases have been discovered. As proven above, combining T1552.001 (Credentials in Recordsdata) with the rule “Steals credentials from Web Browsers” permits us to establish analyses of threats participating in these actions.
Gathering samples with YARA guidelines
YARA is a instrument used to create descriptions of malware households based mostly on textual or binary patterns. A YARA rule would possibly search for particular strings or byte sequences which might be attribute of a specific malware household. This method is extremely efficient for automating the detection of identified malware and for shortly figuring out new variants that share comparable traits.
Providers like TI Lookup present built-in YARA Search that permits you to add, edit, retailer, and use your customized guidelines to seek out related samples.
Search utilizing a XenoRAT YARA rule revealed over 170 matching recordsdata |
We are able to use a YARA rule for XenoRAT, a preferred malware household used for distant management and information theft, to find the most recent samples of this risk. Aside from recordsdata that match the contents of the rule, the service additionally supplies sandbox periods to discover these recordsdata in a wider context.
Discovering malware with command line artifacts and course of names
Figuring out malware by command line artifacts and course of names is an efficient however unusual method, as most sources of risk intelligence don’t present such capabilities.
ANY.RUN’s risk intelligence database stands out by sourcing information from dwell sandbox periods, providing entry to actual command line information, processes, registry modifications, and different parts and occasions recorded throughout the execution of malware within the sandbox.
TI Lookup outcomes for the command line and course of search associated to Strela stealer |
For example, we will use a command line string utilized by Strela stealer along with the web.exe course of to entry a folder on its distant server named “davwwwroot”.
TI Lookup supplies quite a few samples, recordsdata, and occasions present in sandbox periods that match our question. We are able to use the knowledge to extract extra insights into the risk we’re dealing with.
Combine Menace Intelligence Lookup from ANY.RUN
To hurry up and enhance the standard of your risk analysis efforts, you should use TI Lookup.
ANY.RUN’s risk intelligence is sourced from samples uploaded to the sandbox for evaluation by over 500,000 researchers the world over. You’ll be able to search this huge database utilizing greater than 40 search parameters.
To study extra on the way to enhance your risk investigations with TI Lookup, tune in to ANY.RUN’s dwell webinar on October 23, 02:00 PM GMT (UTC +0).