A security operations center (SOC) today can be compared to a military headquarters: although its posture is defensive, it needs intelligence no less than an offensive force does.

Cyber Threat Intelligence: the Essence and the Levels

Cyber threat intelligence (CTI) implies gathering, processing, analyzing, and disseminating information about cyber threats — but most importantly, using it for decision-making and planning regarding organizational security.

CTI is often categorized into tiers based on the purpose, depth, and audience:

  1. Technical Threat Intelligence provides detailed technical data on specific indicators of compromise (IOCs): IP addresses, domains, file hashes, malware signatures.
  2. Operational Threat Intelligence delivers actionable insights on ongoing or imminent threats to guide security operations.
  3. Tactical Threat Intelligence is responsible for understanding adversaries’ tactics, techniques, and procedures (TTPs) to support security controls and policies.
  4. Strategic Threat Intelligence focuses on high-level trends and the broader threat landscape to support long-term decision-making and planning.

How Threat Intelligence Enhances SOC’s Operations

  • Fast and thorough threat detection: fresh IOCs enable security tools such as firewalls, antivirus, and IDS to pinpoint suspicious activity in real time. TTPs help in crafting rules or anomaly-detection models that spot new attacks which do not match known signatures.
  • Alert triage: TI delivers context around alerts, helping SOC teams prioritize incidents based on severity, likelihood of exploitation, and potential impact.
  • Proactive defense: understanding adversaries’ methods through intelligence lets SOCs block known malicious IPs, domains, or file hashes before they are used in attacks.
  • Vulnerability management: intelligence can guide patch management priorities, ensuring critical systems are secured before attackers can exploit them.
  • Optimal incident response (IR): understanding a threat enables a quicker and more precise reaction. Threat intelligence also aids in attributing attacks to specific threat actors or groups, which is useful for legal action or for understanding the broader threat landscape.
  • Risk assessment: intelligence helps define which threats are most relevant to the business based on the industry or the specific technologies in use.

Advanced CTI solutions like Threat Intelligence Lookup from ANY.RUN can be engaged in all the tasks related to threat data processing. Let’s see how it can help in practice.

1. Proactive Defense

Threat Intelligence Lookup supports over 40 search parameters for navigating an extensive database of threat samples submitted by over 500,000 security experts. It enables collecting attack indicators to update SIEM, firewall, and EDR rules, providing early detection and automated blocking of known threats before they penetrate the network.


How it works: suppose we know that organizations in our region are being targeted with the AsyncRAT malware. We can compose a TI Lookup search request consisting of the malware name, the country code, and the domainName field, which selects the malicious domains from the matching samples:

threatName:"AsyncRAT" AND submissionCountry:"co" AND domainName:""

Domains spotted in recent AsyncRAT incidents

The result is a list of domains used in AsyncRAT’s attacks and a recent selection of such attack samples submitted by the users of ANY.RUN’s Interactive Sandbox.

Analyses of AsyncRAT attacks from Interactive Sandbox

Every sandbox task can be viewed to understand the malware’s behavior and harvest additional IOCs.
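The domain list from the search above is only useful once it reaches the controls that enforce it. The following is an added example, not ANY.RUN's code, of turning such a result set into a DNS blocklist: it assumes a simple JSON shape for the lookup results (not the real TI Lookup API format), uses constructed placeholder domains in the reserved .invalid TLD, and shows the two checks a practitioner wants before anything is pushed to a firewall or resolver: dedupe on the normalized host name and drop indicators older than a freshness window, so stale infrastructure does not pile up in the blocklist.

```python
"""Turn a TI Lookup-style domain result set into a DNS RPZ blocklist.

Added example, not ANY.RUN's code. The JSON shape of SAMPLE_RESULTS is an
assumption standing in for the lookup output; the domains are constructed
placeholders, not real AsyncRAT infrastructure.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what a threatName/submissionCountry/domainName search
# might return. Note the case/trailing-dot duplicate, a stale entry and two
# entries with unusable domain values.
SAMPLE_RESULTS = json.dumps([
    {"domainName": "example-c2-one.invalid", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2025-02-20T10:11:00Z"},
    {"domainName": "EXAMPLE-C2-ONE.invalid.", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2025-02-22T08:00:00Z"},
    {"domainName": "example-c2-two.invalid", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2025-02-25T17:45:00Z"},
    {"domainName": "stale-host.invalid", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2024-06-01T00:00:00Z"},
    {"domainName": "bad domain!", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2025-02-24T00:00:00Z"},
    {"domainName": "", "threatName": "AsyncRAT",
     "submissionCountry": "co", "lastSeen": "2025-02-24T00:00:00Z"},
])

# Fixed reference time so the example is deterministic.
NOW = datetime(2025, 2, 26, tzinfo=timezone.utc)

# One or more DNS labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_results(raw):
    """Decode the (assumed) JSON result list."""
    return json.loads(raw)


def normalize_domain(value):
    """Lower-case, strip whitespace and a trailing root dot; None if not a valid host name."""
    host = value.strip().lower().rstrip(".")
    if not host or len(host) > 253 or not DOMAIN_RE.match(host):
        return None
    return host


def parse_timestamp(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def select_domains(results, now=NOW, max_age_days=30):
    """Unique, valid domains seen within the freshness window, sorted for stable diffs."""
    cutoff = now - timedelta(days=max_age_days)
    fresh = {}
    for entry in results:
        host = normalize_domain(entry.get("domainName", ""))
        if host is None:
            continue
        seen = parse_timestamp(entry["lastSeen"])
        if seen < cutoff:
            continue
        fresh[host] = max(seen, fresh.get(host, seen))
    return sorted(fresh)


def to_rpz(domains):
    """Render RPZ records that return NXDOMAIN (CNAME .) for each domain and its subdomains."""
    lines = []
    for host in domains:
        lines.append(f"{host} CNAME .")
        lines.append(f"*.{host} CNAME .")
    return lines


def build_blocklist(raw, now=NOW, max_age_days=30):
    return to_rpz(select_domains(parse_results(raw), now, max_age_days))


if __name__ == "__main__":
    for line in build_blocklist(SAMPLE_RESULTS):
        print(line)
```

The freshness window and the RPZ output format are choices for this example; the same selection step feeds equally well into a Suricata DNS rule set or a SIEM watchlist. Re-running the script on every lookup refresh and diffing the output is the simplest way to see which indicators were added or aged out.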

2. Alert Triage

Evaluating security alerts to determine their severity and potential impact is crucial for optimal resource allocation, setting up detection and response, and saving SOC teams from alert fatigue.

TI Lookup allows fast and precise evaluation of potential IOCs. For example, we can check a suspicious IP that triggered an alert and find out that it belongs to a known malware’s infrastructure:

IP appears to be used by SmokeLoader malware
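Once the lookup has tied an IP to a malware family, the triage decision follows from a few pieces of that context: what role the address plays (C2 versus scanner), how recently it was seen, and which direction the traffic flowed. The following is an added example, not ANY.RUN's code, of encoding that decision: the indicator cache shape is an assumption standing in for lookup results, the addresses come from RFC 5737 documentation ranges rather than real infrastructure, and internal ranges are skipped explicitly so that a private source address never produces a false match.

```python
"""Prioritize a network alert from the intelligence context of its remote IP.

Added example, not ANY.RUN's code. INDICATORS is a constructed cache whose
shape is an assumption about what an IP lookup would return.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed indicator cache; addresses are from documentation ranges.
INDICATORS = {
    "192.0.2.45": {"threatName": "SmokeLoader", "role": "c2",
                   "lastSeen": "2025-02-24T09:30:00Z", "sightings": 17},
    "198.51.100.7": {"threatName": "unknown", "role": "scanner",
                     "lastSeen": "2024-09-01T00:00:00Z", "sightings": 2},
}

# Fixed reference time so the example is deterministic.
NOW = datetime(2025, 2, 26, tzinfo=timezone.utc)

# Ranges that never need an external lookup. Listed explicitly rather than via
# ipaddress.is_global, because that property also rejects the documentation
# ranges used in the constructed cache above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enrich_ip(ip, indicators=INDICATORS):
    """Return indicator context for an external IP, or None if internal or unknown."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return indicators.get(str(addr))


def triage_alert(alert, indicators=INDICATORS, now=NOW):
    """Assign a priority: fresh C2 contact outranks everything, stale sightings rank low."""
    ctx = enrich_ip(alert["remote_ip"], indicators)
    if ctx is None:
        return {"priority": "low", "reason": "no intelligence match"}
    age = now - _parse_ts(ctx["lastSeen"])
    if ctx["role"] == "c2" and age <= timedelta(days=30):
        # Outbound traffic to current C2 means the internal host is likely already infected.
        priority = "critical" if alert["direction"] == "outbound" else "high"
    elif age <= timedelta(days=90):
        priority = "medium"
    else:
        priority = "low"
    return {"priority": priority, "threat": ctx["threatName"], "role": ctx["role"],
            "days_since_seen": age.days, "sightings": ctx["sightings"]}


if __name__ == "__main__":
    # Constructed alerts: a workstation beaconing out, and an old scanner probing in.
    for alert in ({"remote_ip": "192.0.2.45", "direction": "outbound"},
                  {"remote_ip": "198.51.100.7", "direction": "inbound"},
                  {"remote_ip": "10.0.0.5", "direction": "outbound"}):
        print(alert["remote_ip"], triage_alert(alert))
```

The thresholds (30 and 90 days) are illustrative; what matters is that the lookup's last-seen date, role and traffic direction are the inputs, so the same alert signature lands at different priorities depending on the intelligence behind it.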

3. Incident Response

Threat Intelligence Lookup is a source of contextual information on threat artifacts that is essential for a quick and adequate reaction.

For example, an incident gets detected but only a couple of suspicious mutexes are available as indicators of compromise. TI Lookup is the tool to research these mutexes with a single request:

(syncObjectName:"PackageManager" or syncObjectName:"DocumentUpdater") and syncObjectOperation:"Create"

Mutexes search results: they are part of BugSleep backdoor

BugSleep detonated in the sandbox: how an attack starts

The results signal that the mutexes belong to BugSleep, a backdoor utilized by the well-known APT group MuddyWater. You can instantly find sandbox reports with BugSleep in action, see how the attack unfolds, and apply the information to the incident response.

4. Threat Hunting

TI Lookup is indispensable when hunting for hidden threats. For example, the Latrodectus downloader is known to drop a copy of itself under the “%AppData%\Custom_update\” path. We can leverage that knowledge to create a query that looks for command lines containing that path:

commandLine:"C:\\Users\\admin\\AppData\\Roaming\\Custom_update"

Results of the search for a specific file path within the command line

On the Synchronization tab, we notice the mutex “runnung” being used, so we can also research it to look for Latrodectus samples.

Leveraging the mutex finding to find Latrodectus samples

Thus, TI Lookup helps hunt even sophisticated malware that evades detection by more common IOCs, and it lets analysts examine anomalies that automated systems could miss while identifying a potential threat.
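The artifacts surfaced in sections 3 and 4 (the BugSleep mutex names created by the backdoor, the Latrodectus Custom_update path and its “runnung” mutex) are exactly the kind of behavioral indicators that turn into hunting rules over endpoint telemetry. The following is an added example, not ANY.RUN's code, of such a rule set run over constructed EDR-style events. It generalizes the page's query in two ways: the path match accepts any user profile rather than only C:\Users\admin, and mutex names are compared after stripping a Global\ or Local\ namespace prefix, while still requiring a Create operation as the lookup query did. The JSON-lines format, host names and the event contents are constructed for the example.

```python
"""Hunt for Latrodectus and BugSleep artifacts in endpoint telemetry.

Added example, not ANY.RUN's code. The JSON-lines event format and host names
are constructed; the indicators (the Custom_update path, the "runnung" mutex
and the BugSleep mutex names) are the ones discussed in the text.
"""
import json
import re

# Constructed telemetry: one JSON object per line, as an EDR or sandbox export
# might produce. Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"host": "ws-17", "event": "process_create", "commandLine": "C:\\Users\\jdoe\\AppData\\Roaming\\Custom_update\\update.exe"}
{"host": "srv-02", "event": "process_create", "commandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"host": "ws-17", "event": "mutex", "name": "runnung", "operation": "Create"}
{"host": "ws-04", "event": "mutex", "name": "PackageManager", "operation": "Open"}
{"host": "ws-09", "event": "mutex", "name": "DocumentUpdater", "operation": "Create"}
{"host": "srv-02", "event": "mutex", "name": "Global\\PackageManager", "operation": "Create"}
"""

# Any user profile, not only "admin": \Users\<anything>\AppData\Roaming\Custom_update\
PATH_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\custom_update\\", re.IGNORECASE)

# Mutex name (normalized) -> malware family, from the text above.
MUTEX_RULES = {
    "runnung": "Latrodectus",
    "packagemanager": "BugSleep",
    "documentupdater": "BugSleep",
}


def normalize_mutex(name):
    """Lower-case and drop a Global\\ or Local\\ namespace prefix so the comparison is exact."""
    return re.sub(r"^(global|local)\\", "", name.strip().lower())


def classify(event):
    """Return (rule, threat) if the event matches a hunting rule, else None."""
    if event["event"] == "process_create":
        if PATH_RE.search(event.get("commandLine", "")):
            return ("custom_update_path", "Latrodectus")
    elif event["event"] == "mutex" and event.get("operation") == "Create":
        # Only creation counts: an Open of a well-known name is not by itself a hit.
        threat = MUTEX_RULES.get(normalize_mutex(event.get("name", "")))
        if threat:
            return ("known_mutex", threat)
    return None


def hunt(jsonl):
    """Run every event through the rules and collect hits with their host."""
    hits = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        match = classify(event)
        if match:
            hits.append({"host": event["host"], "rule": match[0], "threat": match[1]})
    return hits


def hosts_by_threat(hits):
    """Pivot the hits into family -> sorted affected hosts, the view IR needs first."""
    out = {}
    for hit in hits:
        out.setdefault(hit["threat"], set()).add(hit["host"])
    return {threat: sorted(hosts) for threat, hosts in sorted(out.items())}


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
    print(hosts_by_threat(hunt(SAMPLE_EVENTS)))
```

Two events on ws-17 (the path and the mutex) corroborate each other, which is what makes a behavioral rule more robust than a single hash: either artifact alone would have been enough to open an investigation, and both together raise confidence without any signature match.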

Conclusion

SOC teams benefit immensely from employing a high-end threat intelligence solution like TI Lookup. It empowers their operations in line with key business goals, providing robust cyber defence, comprehensive understanding of the threat landscape, optimal resource allocation, and operational stability.


Published On: February 26, 2025 / Categories: Information Security /