Global Threat Intelligence

Global threat intelligence (GTI) is crucial for cybersecurity as it offers real-time data on emerging and persistent cyber threats worldwide.

Threats can originate anywhere, so understanding regional variations is essential.

For example, North Korean actors target government infrastructure, while Eastern Europe is a hub for Ransomware-as-a-Service (RaaS) like LockBit.


Organizations must leverage GTI from various sources beyond their local region to comprehensively view the global threat landscape.

ANY.RUN’s global map of sample submissions  

A threat intelligence source should pull data from international organizations worldwide to comprehensively understand global cyber threats.

Global monitoring, in turn, lets defenders track threats, malware campaigns, and other malicious activity that can impact organizations anywhere.

Ultimately, a source is needed that provides Indicators of Compromise (IOCs) and event details that can identify a compromised system.

The IOCs could be IP addresses, domain names, file fingerprints, network traffic patterns, or even specific commands used by malware. 

According to ANY.RUN's report on global threat intelligence, a GTI source should include the following:

Comprehensive data sources: Global threat intelligence relies on collecting data from sources around the world; the more international organizations from different countries and regions contribute to the data source, the more holistic a picture it can provide.

Global monitoring: This involves monitoring cyber threats, malware campaigns, and other malicious activities that transcend geographical boundaries and have the potential to impact organizations worldwide.

Global IOCs and event fields: The data source should provide access to artifacts or patterns that indicate a system has been compromised or is under attack, such as IP addresses, domain names, file hashes, patterns of network traffic, or CMD and PowerShell commands associated with known malware.

Global Threat Intelligence in ANY.RUN 

ANY.RUN offers a cloud-based malware sandbox for security teams to analyze suspicious files, detect malware within 40 seconds, and identify malware families using built-in rules. 

Unlike automated sandboxes, it allows interactive analysis in a virtual machine to uncover zero-day exploits.

As a cloud solution, it reduces setup and maintenance costs, and its user-friendly interface simplifies onboarding for security analysts.

ANY.RUN offers threat intelligence solutions that cover technical, tactical, and operational aspects on a global scale. 

Their data source is comprehensive, providing insights into indicators of compromise, attacker techniques, and the types of malware being used globally. This allows for the analysis of potential threats, understanding of how attacks might unfold, and identification of specific malicious elements to monitor. 

ANY.RUN’s online sandbox interface 

The interactive sandbox environment allows malware researchers to analyze suspicious files in a cloud-based virtual machine quickly.

The sandbox captures detailed data about the file’s behavior, including file and registry changes, loaded modules, network connections, and more. 

The data is stored along with the Indicators of Compromise (IOCs) extracted from the analysis, and users can make use of it in two ways. Subscribing to threat intelligence feeds delivers fresh IOCs in a standardized format, while the lookup portal allows searching for specific indicators and linking them to potential malware families based on historical analysis data.

The rich collection of IOCs and related events provides valuable context for security professionals investigating potential threats. 
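To make the IOC types listed above concrete, here is an added example (not ANY.RUN's code or data) of how a defender would consume such a feed: it loads a small constructed feed of IPs, domains, file hashes and command-line fragments, normalizes each indicator, scans constructed proxy and EDR log lines for matches, groups the hits by malware family, and derives an IP blocklist of the kind one would push to a WAF or firewall. The feed format, field names, IP/domain values and hash are all assumptions invented for the example.

```python
"""Match a constructed IOC feed against constructed log lines (added example)."""
from __future__ import annotations

import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sample feed; the JSON shape and every value are assumptions for
# this example, not real ANY.RUN feed data. 203.0.113.0/24 and the .test TLD are
# reserved documentation ranges, and the sha256 is simply the hash of "test".
SAMPLE_FEED_JSON = """
[
  {"type": "ip",      "value": "203.0.113.45",            "family": "ExampleStealer"},
  {"type": "domain",  "value": "Update.Example-Bad.test", "family": "ExampleStealer"},
  {"type": "sha256",  "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
   "family": "ExampleLoader"},
  {"type": "command", "value": "powershell -enc",         "family": "ExampleLoader"}
]
"""

# Constructed log lines: two proxy events and one EDR process event.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=203.0.113.45:443 host=update.example-bad.test",
    '2024-05-01T10:00:05Z edr host=WS01 cmd="PowerShell -enc SQBFAFgA" '
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "2024-05-01T10:01:00Z proxy src=10.0.0.6 dst=198.51.100.7:80 host=www.example.com",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
# Last label must be alphabetic so dotted IPv4 addresses are not taken as domains.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Ioc:
    type: str      # "ip", "domain", "sha256" or "command"
    value: str     # normalized indicator value
    family: str    # malware family the feed associates with it


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the scanned log lines
    ioc: Ioc


def load_feed(raw: str) -> list[Ioc]:
    """Parse the feed and normalize values so matching is exact and case-insensitive."""
    iocs: list[Ioc] = []
    for entry in json.loads(raw):
        value = entry["value"].strip()
        if entry["type"] == "ip":
            value = str(ipaddress.ip_address(value))   # validates and canonicalizes
        elif entry["type"] in ("domain", "sha256"):
            value = value.lower()
        iocs.append(Ioc(entry["type"], value, entry["family"]))
    return iocs


def index_feed(iocs: list[Ioc]) -> dict[str, dict[str, Ioc]]:
    """Index indicators by type, then by value, for O(1) lookups while scanning."""
    index: dict[str, dict[str, Ioc]] = {}
    for ioc in iocs:
        index.setdefault(ioc.type, {})[ioc.value] = ioc
    return index


def scan_logs(lines: list[str], iocs: list[Ioc]) -> list[Hit]:
    """Return every (line, IOC) pair where a feed indicator appears in a log line."""
    index = index_feed(iocs)
    hits: list[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        # Extract candidate artifacts; dict.fromkeys de-duplicates while keeping order.
        ips = dict.fromkeys(IPV4_RE.findall(line))
        hashes = dict.fromkeys(h.lower() for h in SHA256_RE.findall(line))
        domains = dict.fromkeys(d.lower() for d in DOMAIN_RE.findall(line))
        for kind, candidates in (("ip", ips), ("domain", domains), ("sha256", hashes)):
            for value in candidates:
                ioc = index.get(kind, {}).get(value)
                if ioc is not None:
                    hits.append(Hit(line_no, ioc))
        # Command-line indicators are substrings, matched case-insensitively.
        lowered = line.lower()
        for value, ioc in index.get("command", {}).items():
            if value.lower() in lowered:
                hits.append(Hit(line_no, ioc))
    return hits


def hits_by_family(hits: list[Hit]) -> dict[str, list[int]]:
    """Group matched line numbers by malware family for an incident report."""
    grouped: dict[str, set[int]] = {}
    for hit in hits:
        grouped.setdefault(hit.ioc.family, set()).add(hit.line_no)
    return {family: sorted(lines) for family, lines in grouped.items()}


def ip_blocklist(iocs: list[Ioc]) -> list[str]:
    """Sorted, de-duplicated IP indicators suitable for a WAF or firewall deny list."""
    return sorted({ioc.value for ioc in iocs if ioc.type == "ip"})


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED_JSON)
    for hit in scan_logs(SAMPLE_LOGS, feed):
        print(f"line {hit.line_no}: {hit.ioc.type}={hit.ioc.value} ({hit.ioc.family})")
    print("families:", hits_by_family(scan_logs(SAMPLE_LOGS, feed)))
    print("blocklist:", ip_blocklist(feed))
```

Normalizing on load (canonical IP form, lower-cased domains and hashes) is what makes the exact-match index reliable; the EDR line in the sample uses upper-case hex and mixed-case PowerShell precisely to show that the match still lands. Command-line indicators are the noisiest IOC type, so in practice they would be paired with the family context and the other hits on the same host before any blocking action.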

Example of Global Threat Intelligence in ANY.RUN 

ANY.RUN extracts C2 server locations from analyzed malware and displays them on a global map within their Threat Intelligence Lookup portal. 

Filter C2 locations by country or by threat name 

The map allows users to filter threats by location or family to identify communication patterns and techniques (MITRE ATT&CK) used by different malware families worldwide. 

Hover over any location to bring up a list of IPs 

Users can access granular details like IP addresses associated with those threats by hovering over specific locations. 

This information lets users configure security controls such as WAFs to block malicious traffic, and enrich incident reports with threat identifiers for improved analysis.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.