Addressing cyber threats before they have a chance to strike or inflict serious damage is by far the best security approach any company can embrace. Achieving this takes a lot of research and proactive threat hunting. The problem here is that it is easy to get stuck in endless arrays of data and end up with no relevant intel.
To avoid this, use these five battle-tested techniques that are certain to improve your company’s threat awareness and overall security.
The most basic, yet high-impact way to learn about the current threat landscape for your company is to go and see what type of attacks other organizations in your region are experiencing.
In most cases, threat actors attempt to target dozens of businesses at the same time as part of a single campaign. This makes it possible to catch the threat early and make correct adjustments in your organization.
While there are several ways to find out about the current threat landscape in your country, ANY.RUN provides one of the most comprehensive and user-friendly solutions for this.
It runs a massive public database of analysis reports on the latest malware and phishing samples, which are uploaded to ANY.RUN’s sandbox by over 500,000 security professionals worldwide.
Extensive data from each sandbox session is extracted and can be searched through by users via ANY.RUN’s Threat Intelligence (TI) Lookup. The service offers over 40 different parameters, from IP addresses and file hashes to registry keys and mutexes, helping you pinpoint threats using the smallest indicators with accuracy.
Say we want to see what type of phishing threats are targeting organizations in Germany, while excluding URLs from the search (using the NOT operator), as we wish to focus on malicious files specifically. To do this, we can type the following query into TI Lookup:
In seconds, we get a list of public sandbox sessions which include phishing documents, emails, and other types of content submitted to ANY.RUN by users in Germany.
You can observe each session closely completely for free to gain additional insights into the threats and collect invaluable intelligence.
As shown in the image above, we can view the entire attack in action along with all network and system activities recorded during the analysis.
On an average day, security departments at mid-size organizations get hundreds of alerts. Not all of them are properly followed through, which leaves a gap for attackers to exploit. Yet, simply adding one more layer of verifying all the suspicious artifacts with TI tools can potentially save organizations from considerable financial and reputational losses.
A common scenario for security departments is dealing with unusual IP connections. Since there are many instances of legitimate addresses generating alerts, it’s easy for some employees to get complacent and let actual malicious ones slip off the hook.
To eliminate such situations, employees can check all IP addresses in TI Lookup. Here is an example of possible query:
The service instantly notifies us about the malicious nature of this IP and supplies more context: the name of the threat (Agent Tesla) and sandbox sessions where this IP was recorded.
Similarly, security professionals can check system events like the use of suspicious scripts. We can include more than one indicator at the same time, to see if any of them is linked to malicious activities.
Consider this query:
It is set up to look for two types of scripts: .ps1 and .vbs format scripts that are placed in the Public directory.
Since we do not know the file names of these scripts, we can simply replace them with the * wildcard.
TI Lookup provides us with a list of matching scripts, found across numerous sandbox sessions.
Now, we can collect their names, see how they work as part of an attack, and take preventive measures based on the discovered intel.
While blocking known indicators of compromise (IOCs) is an important element of your security, they tend to change regularly. That is why a more sustainable approach is to rely on tactics, techniques, and procedures (TTPs) used by attackers to infect organizations in your industry.
With TI tools, you can track threats that use TTPs of your interest, observe their behavior, and gather invaluable information on them to enhance your company’s detection capabilities.
TI Lookup provides an actionable MITRE ATT&CK matrix, which includes dozens of TTPs, which are accompanied by sandbox sessions featuring malware and phishing threats using these techniques in action.
It is free and available even to unregistered users. You can explore how attacks are carried out and find specific threats that employ particular TTPs.
The image above shows how the service provides information on T1562.001, a technique used by attackers to modify security tools and avoid detection.
In the center, TI Lookup lists signatures related to this technique which describe specific malicious activities. On the right, you can explore reports on relevant threats.
Threats tend to change their infrastructure and evolve, as organizations adjust to their attacks. That is why it is vital to never lose track of the threats that once posed a risk to your company. This can be done by getting up-to-date information on the latest instances of this threat and its new indicators.
TI Lookup allows you to subscribe to receive notifications about updates on specific threats, indicators of compromise, indicators of behavior, as well as combinations of different data points.
This lets you stay aware of new variants and evolving threats, adapting your defenses as needed almost in real time.
For instance, we can subscribe to a query to receive information on new domain names and other network activities related to the Lumma Stealer:
Soon, we’ll see how new updates start appearing.
By clicking on the subscribed query, the new results will be displayed. In our case, we can observe new ports used in attacks involving Lumma.
Reports on the current threat landscape are an essential source of intelligence on attacks that may target your organizations. Yet, the information they contain may be quite limited. You can build on the existing knowledge and do your own research to uncover additional details.
Consider this recent attack targeting manufacturing companies with Lumma and Amadey malware. We can follow up on the findings outlined in the report to find more samples related to the campaign.
To do this, we can combine two details: the name of the threat and a .dll file used by attackers:
TI Lookup provides dozens of matching sandbox sessions, allowing you to significantly enrich the data provided in the original report and use it to inform your defenses against this attack.
ANY.RUN’s Threat Intelligence Lookup provides centralized access to the latest threat data from public malware and phishing samples.
It helps organizations with:
Get a 14-day free trial of TI Lookup to test all of its capabilities and see how it can contribute to your organization’s security.