Addressing cyber threats before they have a chance to strike or cause serious damage is by far the best security approach any company can take. Achieving this requires a lot of research and active threat hunting. The problem is that it is easy to get lost in endless streams of data and never reach the relevant information.
To avoid this, use these five battle-tested techniques that are sure to improve your company’s threat awareness and overall security.
Search for threats targeting organizations in your region
The most basic, but very effective, way to learn about the current threats to your company is to see what types of attacks other organizations in your region are facing.
In most cases, threat actors target dozens of businesses simultaneously within a single campaign, so an attack on a peer organization is an early warning for you. Spotting it in time lets you make the right adjustments to your own defenses before the campaign reaches you.
How it contributes to your safety:
- A more targeted and effective defense strategy.
- Accurate threat prioritization.
- Optimization of resources.
How it works:
Although there are several ways to find out about current threats in your country, ANY.RUN provides one of the most comprehensive and user-friendly solutions.
It works with a massive public database of analysis reports on the latest malware and phishing samples uploaded to the ANY.RUN sandbox by more than 500,000 security professionals worldwide.
Extensive data is extracted from each sandbox session, and users can search through it with ANY.RUN Threat Intelligence (TI) Lookup. The service offers more than 40 search parameters, from IP addresses and file hashes to registry keys and mutexes, which help you accurately identify threats using even the smallest indicators.
Let's say we want to see what types of phishing threats are targeting organizations in Germany. We exclude URL submissions from the search (using the NOT operator) because we want to focus specifically on malicious files. To do this, we enter the following query in TI Lookup:
threatName:"phishing" AND submissionCountry:"de" NOT taskType:"url"
You can explore each sandbox session shown by TI Lookup
In a matter of seconds, we get a list of public sandbox sessions containing phishing documents, emails and other types of content submitted to ANY.RUN by users in Germany.
You can examine each session in detail for additional threat intelligence and gather invaluable information completely free of charge.
One of the sandbox sessions from the TI Lookup results, showing the analysis of a phishing email
As shown in the image above, we can view the entire attack in action along with all the network and system activity recorded during the analysis.
Get a 14-day FREE trial of TI Lookup to see how it can improve your organization’s security.
Check for suspicious system and network artifacts using TI tools
On an average day, security departments in medium-sized organizations receive hundreds of alerts. Not all of them are handled properly, leaving a gap that attackers can exploit. Adding another layer of verification, checking every suspicious artifact with TI tools, can save organizations from significant financial and reputational losses.
How it contributes to your safety:
- Early detection of malicious activity.
- Understanding the tactics and techniques used by attackers.
- Rapid incident response to minimize impact.
How it works:
A common scenario for security departments is dealing with unusual IP connections. Because legitimate addresses generate so many alerts, it is easy for analysts to become complacent and let genuinely malicious addresses slip by.
To rule out such situations, analysts can check all suspicious IP addresses in TI Lookup. Here is an example of a possible query:
TI Lookup provides additional information for each indicator, including domains, ports, and events
The service instantly informs us that this IP address is malicious and provides additional context: the name of the threat (Agent Tesla) and the sandbox sessions in which this IP address was recorded.
Similarly, security professionals can check system events such as the execution of suspicious scripts. We can combine more than one indicator in a single query to see if any of them are related to malicious activity.
Consider this query:
commandLine:"C:\\Users\\Public\\*.ps1" OR commandLine:"C:\\Users\\Public\\*.vbs"
It is configured to search for two types of scripts, .ps1 and .vbs, located in the Public user directory.
Since we don't know the filenames of these scripts, we replace them with the * wildcard.
Scripts that match the query
TI Lookup returns a list of matching scripts found across many sandbox sessions.
List of sandbox sessions containing the requested scripts
Now we can collect their names, see how they operate as part of an attack, and take preventive measures based on the information revealed.
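As an added example (not ANY.RUN's code and not part of the original post), the Python below shows the local preparation behind the two checks in this section: pulling destination IPs out of log lines and dropping non-routable ones before they are queued for lookup, and matching the wildcard script patterns from the query above against process command lines before sending the same patterns to TI Lookup. The log lines and command lines are constructed for the example, the routable addresses in them are arbitrary placeholders rather than known indicators, and the field names destinationIP and commandLine plus the doubled backslashes are assumed to follow the query syntax shown on this page.

```python
import ipaddress
import re

# Constructed firewall/proxy log lines for the example (not real traffic).
# The routable addresses are placeholders, not claimed indicators.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z allow src=10.0.0.5 dst=8.8.8.8 dport=53",
    "2024-05-01T10:00:03Z allow src=10.0.0.5 dst=192.168.1.10 dport=445",
    "2024-05-01T10:00:05Z allow src=10.0.0.7 dst=1.1.1.1 dport=443",
    "2024-05-01T10:00:09Z allow src=10.0.0.7 dst=127.0.0.1 dport=8080",
    "2024-05-01T10:00:12Z allow src=10.0.0.5 dst=8.8.8.8 dport=53",
]

# Constructed process-creation command lines (Sysmon-style), not from a real host.
SAMPLE_CMDLINES = [
    r"powershell.exe -ep bypass -w hidden -f C:\Users\Public\update.ps1",
    r'"C:\Program Files\Vendor\agent.exe" --check',
    r"wscript.exe //B C:\Users\Public\Libraries\setup.vbs",
    r"powershell.exe -f C:\Users\alice\Documents\build.ps1",
]

# The two wildcard patterns from the query on this page.
SCRIPT_PATTERNS = [r"C:\Users\Public\*.ps1", r"C:\Users\Public\*.vbs"]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_public_ips(lines):
    """Return the unique routable IPv4 addresses in the log lines, sorted.

    Private, loopback, link-local, multicast and other special-purpose
    ranges are dropped so they never reach the lookup queue; they are the
    main source of the noise that makes IP alerts easy to ignore.
    """
    found = set()
    for line in lines:
        for token in IPV4_RE.findall(line):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:  # e.g. 999.1.1.1 matched the regex
                continue
            if ip.is_global and not ip.is_multicast:
                found.add(ip)
    return [str(ip) for ip in sorted(found)]


def lookup_query(field, values, operator="OR"):
    """Join values into one TI Lookup-style query on a single field.

    Backslashes are doubled, matching the escaped form of the commandLine
    query shown on this page (assumed to be what the service expects).
    """
    escaped = (str(v).replace("\\", "\\\\") for v in values)
    return f" {operator} ".join(f'{field}:"{v}"' for v in escaped)


def wildcard_to_regex(pattern):
    """Turn a query wildcard such as C:\\Users\\Public\\*.ps1 into a regex.

    '*' matches any run of non-whitespace, non-quote characters, so it stays
    inside one argument instead of spanning the whole command line. It does
    match backslashes, so subfolders of Public are covered. Matching is
    case-insensitive because Windows paths are.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(r'[^\s"]*'.join(parts), re.IGNORECASE)


def matching_command_lines(patterns, cmdlines):
    """Return the command lines that hit any of the wildcard patterns."""
    regexes = [wildcard_to_regex(p) for p in patterns]
    return [c for c in cmdlines if any(r.search(c) for r in regexes)]


if __name__ == "__main__":
    ips = extract_public_ips(SAMPLE_LOGS)
    print("IP lookup query:", lookup_query("destinationIP", ips))
    for line in matching_command_lines(SCRIPT_PATTERNS, SAMPLE_CMDLINES):
        print("suspicious script launch:", line)
    print("script lookup query:", lookup_query("commandLine", SCRIPT_PATTERNS))
```

The wildcard matcher deliberately stops at whitespace and quotes, so a quoted path containing spaces would be missed; widen the character class if your telemetry quotes script paths.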
Examining threats from specific TTPs
While blocking known indicators of compromise (IOCs) is an important part of your security, they tend to change regularly. That is why a more sustainable approach is to rely on the tactics, techniques, and procedures (TTPs) used by attackers to infect organizations in your industry.
With TI tools, you can track threats using TTPs of interest, observe their behavior, and gather invaluable information about them to improve your detection capabilities.
How it contributes to your safety:
- Detailed understanding of attackers’ methods.
- Development of specific countermeasures.
- Proactive protection against new threats.
How it works:
TI Lookup provides an actionable MITRE ATT&CK matrix that lists dozens of TTPs, each followed by sandbox sessions showing malware and phishing threats that use these techniques in action.
TI Lookup offers an effective MITRE ATT&CK matrix
It is free and available even to unregistered users. You can learn how attacks are carried out and find specific threats that use certain TTPs.
TI Lookup contains sample threats for each TTP
The image above shows how the service presents information about T1562.001 (Impair Defenses: Disable or Modify Tools), a technique attackers use to disable or modify security tools and avoid detection.
The center of the TI Lookup page lists the signatures associated with this technique, each describing a specific malicious activity. On the right, you can view the relevant threat reports.
Tracking new threats
Threats tend to change their infrastructure and evolve as organizations adapt to their attacks. That is why it is vital never to lose sight of a threat that once posed a danger to your company. This means getting up-to-date information on the latest cases of that threat and its new indicators.
How it contributes to your safety:
- Timely actions to eliminate emerging threats.
- Improved situational awareness for security teams.
- Better preparation for future attacks.
How it works:
TI Lookup lets you subscribe to notifications about updates to specific threats, indicators of compromise, behavioral indicators, and combinations of different data points.
To receive notifications, simply enter a query and click the subscribe button
This lets you stay abreast of new variants and evolving threats, adapting your defenses as needed in near real time.
For example, we can subscribe to a query that returns new domain names and other network activity related to Lumma Stealer:
TI Lookup notifies you of new results for each subscription
New updates will soon start rolling in.
TI Lookup shows new results
Clicking a query you subscribed to shows the new results. In our case, we can observe new ports used in attacks involving Lumma.
Enrichment of information from third-party reports
Reports on the current threat landscape are an important source of information about the attacks that may be targeting your organization. However, the information they contain can be quite limited. You can build on the reported findings and do your own research to uncover additional details.
How it contributes to your safety:
- Providing a more complete picture of the threat landscape.
- Validation of threat data.
- More informed decision-making.
How it works:
Consider a recent attack targeting manufacturing companies with the Lumma and Amadey malware. We can follow the findings outlined in the report to find more patterns related to the campaign.
To do this, we combine two details: the name of the threat and the name of the .dll file the attackers are using:
Sandbox sessions that match the query
TI Lookup returns dozens of matching sandbox sessions, allowing you to significantly enrich the data presented in the original report and use it to defend against this attack.
Improve and accelerate your organization’s threat detection with TI Lookup
Threat Intelligence Lookup by ANY.RUN provides centralized access to the latest threat data from publicly available malware and phishing samples.
It helps organizations:
- Proactive threat identification: Search the database to identify threats and update protections in a timely manner based on what you find.
- Faster research: Accelerate threat research by quickly connecting isolated IOCs to specific threats or known malware campaigns.
- Real-time monitoring: Stay on top of evolving threats by getting updates on new findings related to the indicators you care about.
- Incident forensics: Improve forensic analysis of security incidents by finding contextual information about existing artifacts.
- IOC collection: Discover additional indicators by searching for relevant threat information in the database.
Get a 14-day free trial of TI Lookup to check out all its features and see how it can contribute to your organization’s security.