Threat Investigations with TI

On October 23 we held the webinar "How to Enhance Threat Investigations with TI Lookup". The session was hosted by Dmitry Marinov, CTO at ANY.RUN, and demonstrated best practices for gathering real-time threat intelligence on a range of threat types.

Watch the recording on our YouTube channel. Below is a summary of what we covered, together with examples of the investigations shown during the session.

What is Threat Intelligence Lookup

Threat Intelligence (TI) Lookup is a single portal for exploring, collecting and analyzing threat data. It contains up-to-date threat information gathered from public malware and phishing samples submitted to the ANY.RUN Interactive Sandbox over the last 180 days. Every search request returns results enriched with context about the threat data referenced in your query.

TI Lookup has the following key features

Results for events from the past 6 months are returned in under 5 seconds for a valid query. You can quickly see whether an event is connected to a threat and how it relates to that threat.

TI Lookup supports decision-making with examples and context from thousands of other investigations and offers more than 40 search parameters. Unlike solutions that work only with IOCs, TI Lookup can search across sandbox events and by YARA rules, which widens the range of investigations it supports.

TI Lookup draws on a large volume of data from ANY.RUN sandbox analyses run by security analysts around the world. New samples are submitted and analyzed every day, yielding information that is not available in other open sources.

How TI Lookup Sources Data

Public submissions database: an integral part of the suite. This central repository stores millions of fresh malware and phishing samples, added daily by a global community of more than 500,000 security professionals from various industries who use ANY.RUN.

Connecting the Dots

TI Lookup has many powerful features, but possibly the most important is its ability to connect seemingly unrelated pieces of data. Suppose you have a command line artifact and a network artifact to investigate.

The command line artifact might be commandLine:"timeout \/t 5 & del", a command that waits 5 seconds and then deletes a file. The network artifact might be destinationIP:"185.215.113.37", an IP address the system connects to.

Results produced by TI Lookup are relevant and provide immediate threat context

You can enter commandLine:"timeout \/t 5 & del" AND destinationIP:"185.215.113.37" to combine both indicators into a single query and zoom in on the threat you are facing.
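The combined query above narrows results because every term has to hold for the same analysis. The following added example (not ANY.RUN code and not the real TI Lookup parser) builds a field:"value" query with AND, parses it back, and evaluates it over a few constructed sandbox-event records. The escaping convention (backslash, quote and slash escaped, as in the article's "timeout \/t 5 & del") and the field semantics (command lines match on substring, destination IPs on exact equality) are assumptions made for the example; the records, task ids and the non-article IPs are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One constructed sandbox-analysis record (not real ANY.RUN data)."""
    task_id: str
    command_lines: list
    destination_ips: list
    verdict: str


# Constructed sample records. The IP 185.215.113.37 and the timeout/del pattern
# come from the article; task ids, file names and the RFC 5737 test IPs are made up.
EVENTS = [
    Event("task-a", ["cmd.exe /c timeout /t 5 & del C:\\Users\\Public\\stage2.exe"],
          ["185.215.113.37"], "malicious"),
    Event("task-b", ["cmd.exe /c timeout /t 5 & del C:\\Temp\\install.log"],
          ["192.0.2.10"], "suspicious"),
    Event("task-c", ["explorer.exe"], ["185.215.113.37"], "malicious"),
    Event("task-d", ["notepad.exe"], ["203.0.113.25"], "no threats"),
]


def escape_value(value):
    # Assumed escaping convention modelled on the article's query text:
    # backslash, double quote and forward slash are escaped with a backslash.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("/", "\\/")


def unescape_value(value):
    # Reverse of escape_value: drop the escaping backslash, keep the escaped char.
    return re.sub(r"\\(.)", r"\1", value)


def build_query(terms):
    """terms: list of (field, raw value). Returns a field:"value" AND ... query."""
    return " AND ".join(f'{field}:"{escape_value(value)}"' for field, value in terms)


# One term: a field name, a colon, and a double-quoted value with backslash escapes.
TERM_RE = re.compile(r'^(\w+):"((?:\\.|[^"\\])*)"$')


def parse_query(query):
    """Split a query on AND and return [(field, unescaped value), ...]."""
    terms = []
    for token in re.split(r"\s+AND\s+", query.strip()):
        m = TERM_RE.match(token)
        if not m:
            raise ValueError(f"malformed term: {token!r}")
        terms.append((m.group(1), unescape_value(m.group(2))))
    return terms


# Field semantics assumed for this example only.
def _match_command_line(event, value):
    return any(value.lower() in cl.lower() for cl in event.command_lines)


def _match_destination_ip(event, value):
    return value in event.destination_ips


MATCHERS = {"commandLine": _match_command_line, "destinationIP": _match_destination_ip}


def search(query, events=EVENTS):
    """Return task ids of events that satisfy every term (AND semantics)."""
    terms = parse_query(query)
    for field, _ in terms:
        if field not in MATCHERS:
            raise ValueError(f"unknown field: {field}")
    return [e.task_id for e in events
            if all(MATCHERS[field](e, value) for field, value in terms)]


if __name__ == "__main__":
    cmd = [("commandLine", "timeout /t 5 & del")]
    ip = [("destinationIP", "185.215.113.37")]
    for label, terms in [("command line only", cmd), ("IP only", ip), ("combined", cmd + ip)]:
        q = build_query(terms)
        print(f"{label:18} {q}\n  -> {search(q)}")
```

Run on the constructed records, the command-line term alone also matches a benign-looking log cleanup (task-b) and the IP alone also matches an analysis with no suspicious command line (task-c); only the combined query isolates task-a, which is the narrowing effect the article describes.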

Suspicious IP addresses discovered by the service

The results provide extensive context and identify the malware as StealC. The other indicators listed relate to the malicious IPs and URLs associated with StealC activity.

You can always go back to the source by navigating to a sandbox session of your choice to see the threat in action, and even rerun the analysis with custom VM settings.

YARA Rules for Acquiring New Samples

One of the most useful features of TI Lookup is YARA Search. With the integrated editor, you can write, edit and store YARA rules and apply them to samples that match your…

YARA rule search database for samples from TI Lookup

Conclusion

An example of how TI Lookup can enhance threat investigations. Fast results, a wide variety of search parameters, access to real samples and up-to-date data make TI Lookup an extremely useful tool for cybersecurity professionals.