Combining Threat Intelligence Platforms & Sandboxes for Efficient Security Operations – A DFIR Guide

Organizations have many tools for investigating cyber threats, but two stand out: Threat Intelligence Platforms (TIPs) and sandboxes.

Each provides distinct advantages, but combining them gives a more practical approach to detecting, analyzing, and responding to threats, one that saves analyst time and improves day-to-day operations.

Let’s look at the key benefits of integrating TIPs and sandboxes for organizations. 

What Are Sandboxes? 

Sandboxes are isolated virtual environments for malware analysis. Analysts use them to detonate potentially malicious software without exposing their own systems to infection.

Sandbox analysis aims to observe how malware operates and to map its tactics, techniques, and procedures (TTPs), which is essential for building effective detections and countermeasures. Bear in mind that many families check for virtualization or for user activity before unpacking their payload, so an interactive session, in which the analyst clicks through dialogs and drives the sample, often reveals more than a fully automated run.

One example of such a service is ANY.RUN’s cloud-based sandbox. It allows users to upload and analyze suspicious files and URLs in fully interactive Windows and Linux virtual machines (VMs).

Analysts gain a complete view of malware behavior, including network traffic, system changes, and exploited vulnerabilities, and can collect indicators of compromise (IOCs) from the session.

What are Threat Intelligence Platforms? 

Threat Intelligence Platforms are searchable platforms that contain processed threat data from various sources.

By aggregating information from open-source feeds, commercial threat intelligence providers, and internal security tools, TIPs grant security teams access to insights into current cyber threats’ nature, origin, and potential impact.

The goal of using a TIP is to pivot from the artifacts or indicators you already hold (an IP, a domain, a hash, a command line) to additional context on the threat they belong to.

For instance, Threat Intelligence Lookup is a TIP built on the data collected from millions of public malware analysis sessions launched by users of the ANY.RUN sandbox. Because the intelligence comes from public sessions, the usual caveat for public sandboxes applies: samples submitted publicly are visible to other users, so sensitive internal files should be analyzed privately rather than uploaded in public mode.

Thanks to this data source, in addition to standard indicators such as domains and file names, the platform lets users search across command lines, network and registry events, processes, triggered Suricata rules, and similar session-level artifacts.

Threat Intelligence Lookup is a centralized repository of millions of IOCs extracted from ANY.RUN's database of interactive malware analysis sessions.

Combining TIPs and Sandboxes for Maximized Security Efficiency 

Integrating Threat Intelligence Platforms and sandboxes offers several advantages:

A Better Understanding of the Threat Landscape 

TIPs give security teams breadth: a wealth of information on known and emerging threats. Sandboxes give depth: how a specific sample actually behaves and which tactics it uses.

Together they provide a view of the threats currently posing a risk and of the weaknesses those threats target, which is the basis on which patching and hardening should be prioritized.

Faster Response to Incidents 

Sandboxes extract IOCs that can then be correlated with a TIP's database. A single search can return extra indicators and related samples, which speeds up incident response: teams can confirm the malware family, set priorities more accurately, and limit the damage an attack causes.

Ability to Proactively Hunt for Emerging Threats 

The combination also supports proactive threat hunting. Intelligence from a TIP, for example the lures, command lines, or infrastructure a campaign is currently using, can drive sandbox analyses of related samples before they reach the organization, so teams learn the techniques and weaknesses new threats target ahead of an actual incident rather than during one.

Better Resource Management  

Combining TIPs and sandboxes lets organizations make better-informed decisions about resource allocation, focusing effort on the most pressing threats.

With this approach, security teams can maximize the impact of their resources, ensuring that they are deployed where they can have the most significant effect on an organization’s security posture. 


Using a TIP and Sandbox to Identify and Analyze Remcos 

Let’s imagine you, as a cybersecurity professional, receive an alert about a suspicious network connection coming from one of the devices in your organization’s network. 

You decide to employ a threat intelligence platform to investigate it further and determine whether this situation poses any risk to the company.  

You begin by entering the information you already have about the incident, the destination IP address and port, and restrict the search to the last seven days. A narrow window keeps results tied to infrastructure that is currently in use; if it returns nothing, widen the window before concluding that the indicator is clean.

The search query entered into Threat Intelligence Lookup  

Thus, you put together the query shown in the image above.

Search results provided by Threat Intelligence Lookup 

The platform returns a wealth of information related to the indicators, including a domain marked as malicious by the platform, as well as additional IPs, events, and files.

Sandbox tasks found by Threat Intelligence Lookup 

Most importantly, the platform lists 95 analysis sessions (tasks) from the ANY.RUN sandbox in which the same IP and port were contacted, all tagged Remcos, a known remote access trojan (RAT). A consistent tag across every matching session is what turns the alert from "suspicious connection" into an identified family.

A Remcos analysis session opened in the ANY.RUN sandbox 

Thanks to the direct integration of the platform with the sandbox, you can open any of these tasks and study the execution process of Remcos: the TTPs used, network and registry activity, process tree, and even the extracted configuration of the malware.

As a result, you successfully and quickly identify the malware family present on your organization’s network and collect extensive information on it by using the combination of the two tools, facilitating further response. 
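To make the pivot concrete, here is an added Python sketch of the two directions this walkthrough and the "Faster Response to Incidents" section describe: looking up an alerted IP and port against an index of sandbox sessions within a lookback window, and pulling connections out of a sandbox report so each can be looked up in turn. This is illustration code, not ANY.RUN's API, report schema, or data; every task record, timestamp, tag, port, and IP address (RFC 5737 documentation ranges) is constructed for the example.

```python
"""Correlate a network alert (destination IP + port) against a local index of
sandbox-derived intelligence, following the TIP lookup workflow above.

Added illustration: not ANY.RUN's API, report schema or data. Task records,
timestamps, tags, ports and IPs (RFC 5737 documentation ranges) are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class SandboxTask:
    """One analysis session, reduced to the fields the lookup pivots on."""
    task_id: str
    started: datetime
    tags: list                      # family/behaviour tags assigned to the session
    connections: list               # (dst_ip, dst_port) pairs observed in the session
    dns: list = field(default_factory=list)              # (domain, resolved_ip)
    malicious_domains: set = field(default_factory=set)  # domains the index flags as bad


# Fixed "now" so the lookback window is deterministic.
NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)

# Constructed sample index (stand-in for the TIP's database of sessions).
TASKS = [
    SandboxTask("task-0001", NOW - timedelta(days=1), ["remcos"],
                [("203.0.113.10", 2404)],
                [("c2.example.net", "203.0.113.10")], {"c2.example.net"}),
    SandboxTask("task-0002", NOW - timedelta(days=3), ["remcos"],
                [("203.0.113.10", 2404), ("198.51.100.7", 443)],
                [("c2.example.net", "203.0.113.10")], {"c2.example.net"}),
    # Same IP and port but 20 days old: excluded by the default 7-day window.
    SandboxTask("task-0003", NOW - timedelta(days=20), ["remcos"],
                [("203.0.113.10", 2404)]),
    # Same IP, different port: a different family sharing the host.
    SandboxTask("task-0004", NOW - timedelta(days=2), ["agenttesla"],
                [("203.0.113.10", 587)]),
]

# Constructed sandbox report, for the "sandbox extracts IOCs" direction.
SAMPLE_REPORT = {
    "processes": [
        {"pid": 4120, "image": "C:\\Users\\Public\\svchost.exe",
         "network": [{"dst": "203.0.113.10", "port": 2404, "proto": "tcp"},
                     {"dst": "198.51.100.7", "port": 443, "proto": "tcp"}],
         "registry": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                       "name": "upd"}]},
    ]
}


def extract_connections(report):
    """Pull the (dst_ip, dst_port) pairs out of a report so each can be looked up."""
    return sorted({(n["dst"], n["port"])
                   for p in report["processes"] for n in p.get("network", [])})


def lookup(tasks, dst_ip, dst_port, days=7, now=NOW):
    """Return sessions in the lookback window that contacted dst_ip:dst_port,
    plus the context pivots a TIP would surface: tags, related IPs, domains."""
    cutoff = now - timedelta(days=days)
    hits = [t for t in tasks
            if t.started >= cutoff and (dst_ip, dst_port) in t.connections]
    return {
        "tasks": [t.task_id for t in hits],
        "tags": dict(Counter(tag for t in hits for tag in t.tags)),
        "related_ips": sorted({ip for t in hits for ip, _ in t.connections} - {dst_ip}),
        "domains": sorted({d for t in hits for d, ip in t.dns if ip == dst_ip}),
        "malicious_domains": sorted({d for t in hits for d in t.malicious_domains}),
    }


def dominant_family(result, min_share=0.8):
    """Name the family only when one tag covers at least min_share of the hits;
    a split verdict should go to an analyst rather than drive an automatic block."""
    n = len(result["tasks"])
    if n == 0:
        return None
    tag, count = max(result["tags"].items(), key=lambda kv: kv[1])
    return tag if count / n >= min_share else None


def triage(report, tasks, days=7):
    """Run every connection from a sandbox report through the index."""
    return {f"{ip}:{port}": dominant_family(lookup(tasks, ip, port, days))
            for ip, port in extract_connections(report)}


if __name__ == "__main__":
    alert = lookup(TASKS, "203.0.113.10", 2404)   # the IP/port pivot from the walkthrough
    print(alert)
    print(dominant_family(alert))
    print(triage(SAMPLE_REPORT, TASKS))
```

The window matters: with the default seven days the stale task-0003 is left out, and the same IP on a different port resolves to a different family, which is why the lookup keys on the pair rather than the address alone. The `min_share` threshold in `dominant_family` is the guardrail for the "all 95 tasks tagged Remcos" case: a unanimous tag justifies an automated verdict, a mixed one does not.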


Cyber Writes
Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: business@cyberwrites.com