Cyber attackers these days are getting smarter and sneakier. They’re using advanced techniques to break into systems or steal sensitive data, making it harder than ever to detect and analyze emerging threats. This is why cybersecurity analysts are also stepping up their game, using advanced tools and services like ANY.RUN’s Threat Intelligence (TI) Lookup.
With these services, cybersecurity professionals can access a wealth of information about specific threats and dive into real-world examples to uncover and neutralize these tricky attacks.
Let’s explore how analysts use services like TI Lookup to investigate emerging threats more effectively and efficiently.
Why Analysts Use TI Lookup for Threat Investigations
TI Lookup is a real game changer for analysts, as it offers a central hub of detailed threat data to streamline malware investigations. This data is gathered from millions of malware analysis sessions conducted in ANY.RUN's interactive sandbox. With over 40 customizable search parameters, analysts can uncover relevant threat data with precision and flexibility.
Try TI Lookup with a free trial and get a Black Friday offer to double your search requests
Here’s how it helps:
1. Enhanced Threat Identification
TI Lookup gives analysts access to an extensive database of IPs, domains, file names, process artifacts, and more. This wealth of information ensures they can quickly identify and connect Indicators of Compromise (IOCs) to known malware campaigns or emerging threats.
2. Powerful and Flexible Search Options
The advanced search options allow users to tailor their investigations with highly customizable parameters:
- Single IOC searches: Analysts can quickly find specific URLs, file hashes, IPs, or domain names.
- Event fields: They analyze logged activities such as registry paths, process names, and command lines.
- Combined search: With TI Lookup, it’s easy to dive into the malware lifecycle by correlating IOCs across infection stages in the same session.
- Wildcard queries: Analysts can use partial information to uncover hidden connections when dealing with incomplete threat data.
3. Fully Interactive Analysis inside Cloud Environment
One of the key benefits of TI Lookup is its integration with a fully interactive cloud-based malware sandbox, setting it apart from traditional automated tools. This interactivity empowers analysts to investigate malware in real time, directly engaging with malicious files and processes.
This interactive feature is powered by over 14,000 daily analysis sessions run by ANY.RUN’s global community of 500,000+ researchers, constantly updating the Threat Intelligence Database with real-world data.
How Analysts Investigate Emerging Threats Using TI Lookup
Cybersecurity analysts use tools like ANY.RUN’s TI Lookup to find and connect important details when investigating new and evolving threats.
Here are three real-world examples that demonstrate how the tool is used to stay ahead of attackers:
Checking suspicious IP addresses
One of the common ways analysts use TI Lookup is to investigate suspicious IP addresses flagged by network alerts.
For instance, if a machine in the network connects to an IP like 162[.]254[.]34[.]31, analysts can use TI Lookup to check if the IP has been involved in malware activity.
By entering the query:
Search query: destinationIP:"162.254.34.31"
The tool identifies the IP as malicious and links it to the AgentTesla malware family. TI Lookup doesn't just confirm the threat; it also provides related details such as processes, files, and even sandbox sessions where this IP was previously detected.
Identifying a Malware Family
Analysts can also use TI Lookup to identify malware by searching for unique indicators like mutexes. For example, the Remcos malware creates specific synchronization objects (mutexes) that can be used to trace its activity.
By entering the query:
Search query: syncObjectName:"RMC-"
TI Lookup retrieves a list of mutexes associated with Remcos and provides access to related sandbox sessions.
Identifying Malware Using a File Path
Sometimes a suspicious file path can be the key to identifying malware. For example, analysts can investigate the following path:
Search query: filePath:"\\Start Menu\\Programs\\Startup\\{*}.lnk"
This query connects the file path to DarkVision RAT and reveals related sandbox sessions. Analysts can access additional context, such as triggered IDS rules and sandbox data, to understand how the malware operates and what actions it performs during execution.
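As an added illustration (not ANY.RUN's code), the Python helper below refangs defanged indicators pulled from constructed network-alert lines and builds TI Lookup terms in the field:"value" form used in the three queries above. The field names come from the page; the doubling of backslashes in filePath values is an assumption taken from the page's own filePath example.

```python
import re
from ipaddress import ip_address

# Constructed sample alert lines (not real telemetry): one defanged
# public IP, one private IP that should be skipped, and a repeat.
SAMPLE_ALERTS = [
    "2024-11-20T10:01:03Z alert dst=162[.]254[.]34[.]31 dport=443 host=WS-017",
    "2024-11-20T10:02:11Z alert dst=10.0.0.5 dport=445 host=WS-017",
    "2024-11-20T10:05:42Z alert dst=162.254.34.31 dport=80 host=WS-022",
]


def refang(indicator: str) -> str:
    """Turn common defanged notation ('[.]', 'hxxp') back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ti_query(field: str, value: str) -> str:
    """Build one TI Lookup search term of the form field:"value".

    Assumption: backslashes in filePath values are escaped by doubling them,
    matching the filePath query shown on the page.
    """
    if field == "filePath":
        value = value.replace("\\", "\\\\")
    return f'{field}:"{value}"'


def queries_for_alerts(lines):
    """Extract destination IPs from alert lines, drop private/invalid ones,
    and return one destinationIP query per unique public IP."""
    seen = []
    for line in lines:
        match = re.search(r"dst=(\S+)", line)
        if not match:
            continue
        ip = refang(match.group(1))
        try:
            addr = ip_address(ip)
        except ValueError:  # not an IP after refanging; ignore the field
            continue
        if addr.is_private or ip in seen:
            continue
        seen.append(ip)
    return [ti_query("destinationIP", ip) for ip in seen]


if __name__ == "__main__":
    for q in queries_for_alerts(SAMPLE_ALERTS):
        print(q)
```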
Black Friday Exclusive: Double Your TI Lookup Search Requests
ANY.RUN’s TI Lookup provides instant access to threat intelligence, helping you get context on malware and phishing campaigns and enrich your investigations with relevant samples, domains, and other indicators with ease.