How to Improve Cyber Threat Investigations with TI Lookup
On October 23, we hosted a webinar “Strategies to Improve Threat Investigations with TI Lookup”. The session was led by Dmitry Marinov, CTO at ANY.RUN, who showed the viewers efficient methods for gathering the latest threat intelligence.
You can watch the recording on our YouTube channel. Here is a quick rundown of the main topics and the examples of investigations covered during the event.
What Is Threat Intelligence Lookup
Threat Intelligence (TI) Lookup is a centralized service for threat data exploration, collection, and analysis. It contains current threat data extracted from public malware and phishing samples uploaded to ANY.RUN’s Interactive Sandbox over the past 180 days. Each search request you make returns results that provide expanded context for the threat data in your query.
Key features of TI Lookup include:
- Search results take just 5 seconds for events spanning the last six months. You can quickly get in-depth details about how events work, whether they are linked to a threat, and how they are related to that threat.
- With over 40 search parameters, TI Lookup provides examples and context from other investigations to support decision-making. Unlike other solutions where you can work only with IOCs, Lookup can search among events and YARA rules, which is extremely useful.
- TI Lookup holds a large amount of data from the ANY.RUN sandbox, where cybersecurity analysts from all over the world analyze threats. New samples are uploaded and analyzed every day, providing data that you cannot find in other open sources.
How TI Lookup Sources Data
A core component of the suite is the Public Submissions database. It is a huge repository that houses tens of millions of unique malware and phishing samples submitted every day by a global community of over 500,000 security professionals from different spheres and industries using ANY.RUN.
Every time a user runs a public analysis in the sandbox, the system captures the key data from that analysis. This data is then immediately sent to Threat Intelligence Lookup. As a result, Threat Intelligence Lookup becomes a centralized hub where you can search through threat data extracted from tens of millions of malware and phishing analysis sessions launched in the ANY.RUN sandbox.
How TI Lookup Works
Let’s say we want to collect the latest domains used by threat actors that rely on Lumma, a notorious infostealer.
To do this, we can submit a search request made up of two parts:
- The first part of the query, threatName:"lumma", instructs the search engine to find sandbox sessions where Lumma was detected.
- The second part of the query, domainName:"", tells the system to retrieve all domains identified in those sandbox sessions. The empty value essentially acts as a wildcard, indicating that you are interested in every domain associated with the threat.
The service returns numerous domains that match our request. At the top, you can see domains with the malconf tag, which tells you that these domains were extracted directly from the configs of Lumma samples, the most reliable source of indicators of compromise. We can simply copy each indicator or download all of them in JSON format.
As you can see, apart from domains, the service also provides many other types of indicators, including events, files, URLs, and others. That is one of TI Lookup’s distinctive advantages: the variety of data it provides.
Use Cases of TI Lookup
To show how TI Lookup can be used in real-world investigations, Dmitry outlined several use cases where the service can be particularly useful.
Checking a Suspicious IP Address
One of the simplest use cases is identifying threats using a suspicious IP address. For example, if you receive an alert about a connection to a suspicious IP address (e.g., 162[.]254[.]34[.]31) coming from one of the machines in your network, TI Lookup can quickly check whether this IP address has been used in other malware attacks.
By entering the query destinationIP:"162.254.34.31", the service identifies the IP address as malicious and links it to AgentTesla.
It also provides related indicators, including processes, files, and most importantly, sandbox sessions where you can see the analysis of actual attacks and collect additional data.
Identifying a Malware Family Using a Mutex
Another way to use TI Lookup is to identify a threat through unique indicators such as mutexes. For example, you can use mutexes to identify the Remcos malware.
By entering the query syncObjectName:"RMC-", the service shows the specific mutexes and provides a list of sandbox sessions to explore the threat further.
Uncovering a Threat Using a File Path
You can also uncover threats using a file path.
For example, a search for filePath:"Start Menu\Programs\Startup\{*}.lnk" reveals that this file path has been observed in sessions involving the DarkVision RAT.
This allows you to see the context and related sandbox sessions for further investigation.
Connecting Unrelated Data Points
One of the most powerful features of TI Lookup is its ability to connect pieces of data that may seem unrelated. Consider a scenario where you have a command line artifact and a network artifact.
The command line artifact could be commandLine:"timeout /t 5 & del", which indicates a command that waits 5 seconds and then deletes a file. The network artifact could be destinationIP:"185.215.113.37", which represents an IP address the system is communicating with.
By combining these indicators into a single query, commandLine:"timeout /t 5 & del" AND destinationIP:"185.215.113.37", you can zoom in on the threat you are dealing with.
The service provides plenty of context and reveals that the malware in question is StealC. Some of the additional indicators provided include malicious IPs and URLs that have been used in StealC attacks.
You can always go back to the source by navigating to a sandbox session of interest to observe the threat’s behavior, or even rerun the analysis using your own VM settings.
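The two query patterns above, the wildcard query that collects Lumma domains and the combined commandLine/destinationIP query that narrows down to StealC, are easy to get wrong by hand when the artifacts come out of an alert defanged ("185[.]215[.]113[.]37") or with a typo in the field name. The following is an added example, not ANY.RUN's code: a small builder that refangs raw artifacts, checks field names against the ones used in this article, and assembles the single-term and AND queries. The `field:"value"` and `AND` syntax and the field names are taken from the queries shown above; the alert record layout, the refanging rules, and the decision to reject values containing a double quote (the article does not say how such values are escaped) are my own assumptions.

```python
"""Build TI Lookup-style search strings from raw alert artifacts.

Added example, not ANY.RUN's code. The field names and the
field:"value" / AND syntax come from the queries in the article;
everything else (alert format, refanging, quote handling) is assumed.
"""
import ipaddress
import re

# Search fields that appear in the article's example queries.
KNOWN_FIELDS = {
    "threatName", "domainName", "destinationIP",
    "syncObjectName", "filePath", "commandLine",
}


def refang(value: str) -> str:
    """Undo common defanging ("162[.]254[.]34[.]31", "hxxp://") so the
    indicator matches the form stored in the search index. Assumed rules."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)


def term(field: str, value: str) -> str:
    """One field:"value" clause. Unknown fields and embedded double quotes
    are rejected rather than silently producing a query that matches nothing."""
    if field not in KNOWN_FIELDS:
        raise ValueError(f"unknown search field: {field}")
    if '"' in value:
        raise ValueError("embedded double quotes are not supported by this builder")
    return f'{field}:"{value}"'


def wildcard(field: str) -> str:
    """An empty value acts as a wildcard (every value of that field is returned)."""
    return term(field, "")


def and_query(*terms: str) -> str:
    """Join clauses with AND; the article shows AND as the combining operator."""
    if not terms:
        raise ValueError("at least one clause is required")
    return " AND ".join(terms)


def ip_term(raw_ip: str) -> str:
    """destinationIP clause from a possibly defanged address; rejects non-IPs."""
    ip = refang(raw_ip)
    ipaddress.ip_address(ip)  # raises ValueError if this is not an IP address
    return term("destinationIP", ip)


def queries_from_alert(alert: dict) -> dict:
    """Turn one alert record (constructed format) into the queries an analyst
    would run: each artifact alone, plus the combined query that narrows the
    result set to a single threat when more than one artifact is present."""
    queries = {}
    if alert.get("command_line"):
        queries["cmd"] = term("commandLine", alert["command_line"])
    if alert.get("dst_ip"):
        queries["ip"] = ip_term(alert["dst_ip"])
    if alert.get("mutex"):
        queries["mutex"] = term("syncObjectName", alert["mutex"])
    if alert.get("file_path"):
        queries["path"] = term("filePath", alert["file_path"])
    if not queries:
        raise ValueError("alert carries no searchable artifact")
    if len(queries) > 1:
        queries["combined"] = and_query(*queries.values())
    return queries


# Constructed alert record; the command line and IP are the article's examples.
SAMPLE_ALERT = {
    "dst_ip": "185[.]215[.]113[.]37",
    "command_line": "timeout /t 5 & del",
}

# The wildcard query from the "How TI Lookup Works" section.
LUMMA_DOMAINS = and_query(term("threatName", "lumma"), wildcard("domainName"))

if __name__ == "__main__":
    print(LUMMA_DOMAINS)
    for name, query in queries_from_alert(SAMPLE_ALERT).items():
        print(f"{name:>9}: {query}")
```

Running the single-artifact queries first and the combined query last mirrors the workflow in the webinar: the individual clauses tell you whether each artifact is known at all, and the AND query tells you which threat they belong to together.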
Collecting Fresh Samples with YARA Rules
Another useful feature of TI Lookup is YARA Search. Thanks to the built-in editor, you can create, edit, store, and use YARA rules to find samples that match them.
For example, using a YARA rule for AgentTesla, which is available by default in TI Lookup, the search returns numerous files that can be filtered by date. You can explore each result in detail by clicking on it and navigating to the sandbox session where it was detected.
You can also download a JSON file containing file hashes along with links to the corresponding sandbox sessions.
Conclusion
The webinar gave a detailed look at TI Lookup, showing how it can help improve threat investigations. The tool’s ability to deliver fast results, offer a wide range of search options, and provide access to real samples and the latest data makes it very useful for cybersecurity professionals.
Stay tuned for more webinars from ANY.RUN by following us on social media like X, Facebook, and Discord.
About ANY.RUN
ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.
With ANY.RUN you can:
- Detect malware in seconds
- Interact with samples in real time
- Save time and money on sandbox setup and maintenance
- Record and study all aspects of malware behavior
- Collaborate with your team
- Scale as you need