
What is Global Threat Intelligence? – SOC/DFIR Team Guide

Global threat intelligence (GTI) is crucial for cybersecurity as it offers real-time data on emerging and persistent cyber threats worldwide.

Threats can originate anywhere, so understanding regional variations is essential. 

For example, North Korean actors target government infrastructure, while Eastern Europe is a hub for Ransomware-as-a-Service (RaaS) like LockBit.

Organizations must leverage GTI from various sources beyond their local region to comprehensively view the global threat landscape.

ANY.RUN’s global map of sample submissions

A threat intelligence source should pull data from organizations worldwide, not from a single region, to give a comprehensive picture of global cyber threats.

Global monitoring then tracks threats, malware campaigns, and other malicious activity that crosses borders and can impact organizations anywhere.

Ultimately, a source is needed that provides Indicators of Compromise (IOCs) and event details that can identify a compromised system.

The IOCs could be IP addresses, domain names, file fingerprints, network traffic patterns, or even specific commands used by malware. 

According to ANY.RUN, a global threat intelligence source should include the following:

Comprehensive data sources: global threat intelligence relies on collecting data from sources around the world. The more organizations from different countries and regions contribute to the data source, the more holistic the picture it can provide.
Global monitoring: monitoring of cyber threats, malware campaigns, and other malicious activities that transcend geographical boundaries and have the potential to impact organizations worldwide.
Global IOCs and event fields: access to artifacts or patterns that indicate a system has been compromised or is under attack, such as IP addresses, domain names, file hashes, patterns of network traffic, or CMD and PowerShell command lines associated with known malware.

Global Threat Intelligence in ANY.RUN

ANY.RUN offers a cloud-based malware sandbox for security teams to analyze suspicious files, detect malware within 40 seconds, and identify malware families using built-in rules. 

Unlike fully automated sandboxes, it lets an analyst interact with the virtual machine during analysis, which helps expose behaviour that only triggers on user input and can uncover zero-day exploits.

As a cloud solution, it reduces setup and maintenance costs, and its user-friendly interface simplifies onboarding for security analysts.

ANY.RUN offers threat intelligence solutions that cover technical, tactical, and operational aspects on a global scale. 

Their data source is comprehensive, providing insights into indicators of compromise, attacker techniques, and the types of malware being used globally. This allows for the analysis of potential threats, understanding of how attacks might unfold, and identification of specific malicious elements to monitor. 

ANY.RUN’s online sandbox interface

The interactive sandbox environment allows malware researchers to analyze suspicious files in a cloud-based virtual machine quickly.

The sandbox captures detailed data about the file’s behavior, including file and registry changes, loaded modules, network connections, and more. 

The data is stored along with the Indicators of Compromise (IOCs) extracted from the analysis, and users can consume it in two ways: subscribing to threat intelligence feeds delivers fresh IOCs in a standardized format for automated ingestion, while the lookup portal allows searching for specific indicators and linking them to known malware families based on historical analysis data.

The rich collection of IOCs and related events provides valuable context for security professionals investigating potential threats. 
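To make the feed-versus-lookup distinction concrete, here is an added example of how a SOC team would ingest an IOC feed of the types listed above (IP addresses, domains, file hashes, command lines) and match it against local telemetry. This is illustrative code written for this article, not ANY.RUN's own code or the format of its feeds; the feed entries, log lines, indicator values and malware family names are all constructed, and the feed shape is an assumed simple JSON-like structure rather than any real vendor format. It also shows the normalisation step (refanging, lower-casing, trailing-dot removal) that a real ingestion pipeline needs before indicators can be compared against raw logs.

```python
"""Match a threat-intelligence IOC feed against local telemetry.

Added example for this article; not ANY.RUN's code or feed format.
All feed entries, indicator values and log lines below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed feed (assumed shape, not a real vendor format). Indicators are
# written defanged, as feeds and reports commonly deliver them. The SHA-256
# value is the hash of an empty file, used here purely as a placeholder.
FEED = [
    {"type": "ip", "value": "203[.]0[.]113[.]45", "family": "ExampleRAT", "first_seen": "2024-11-01"},
    {"type": "domain", "value": "update[.]example-c2[.]test", "family": "ExampleRAT", "first_seen": "2024-11-02"},
    {"type": "sha256", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "family": "ExampleLoader", "first_seen": "2024-10-20"},
    {"type": "cmdline", "value": "powershell -nop -w hidden -enc", "family": "ExampleLoader", "first_seen": "2024-10-20"},
]

# Constructed log lines: proxy, DNS, an EDR file event and an EDR process event.
LOGS = [
    "2024-11-12T10:01:03Z proxy src=10.0.0.8 dst=203.0.113.45 url=http://203.0.113.45/gate.php",
    "2024-11-12T10:01:05Z dns  src=10.0.0.8 qname=UPDATE.example-c2.test. qtype=A",
    "2024-11-12T10:02:10Z edr  host=ws-17 event=file_create sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    '2024-11-12T10:02:11Z edr  host=ws-17 event=process cmd="powershell -nop -w hidden -enc SQBFAFgA..."',
    "2024-11-12T10:05:00Z proxy src=10.0.0.9 dst=198.51.100.7 url=http://198.51.100.7/",
]


def refang(value: str) -> str:
    """Undo common defanging so indicators compare against raw telemetry."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?://)", r"http\1", value, flags=re.I)


def normalise(ioc_type: str, value: str) -> str:
    """Canonical form per indicator type; raises ValueError on malformed input."""
    value = refang(value).strip()
    if ioc_type == "ip":
        return str(ipaddress.ip_address(value))
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "sha256":
        return value.lower()
    if ioc_type == "cmdline":
        return " ".join(value.lower().split())
    raise ValueError(f"unsupported IOC type: {ioc_type}")


def build_index(feed):
    """type -> normalised value -> feed entry, for O(1) exact-match lookups."""
    index = defaultdict(dict)
    for entry in feed:
        index[entry["type"]][normalise(entry["type"], entry["value"])] = entry
    return index


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"(?:qname=|https?://)([A-Za-z0-9.-]+)")
CMD_RE = re.compile(r'cmd="([^"]*)"')


def extract(line: str):
    """Yield (type, normalised value) candidates found in one log line."""
    for ip in IP_RE.findall(line):
        try:
            yield "ip", normalise("ip", ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    for host in HOST_RE.findall(line):
        if not IP_RE.fullmatch(host):  # hosts that are bare IPs are handled above
            yield "domain", normalise("domain", host)
    for digest in SHA256_RE.findall(line):
        yield "sha256", normalise("sha256", digest)
    for cmd in CMD_RE.findall(line):
        yield "cmdline", normalise("cmdline", cmd)


def match_logs(feed, logs):
    """Return one enriched hit per (log line, indicator) where telemetry meets the feed."""
    index = build_index(feed)
    hits = []
    for n, line in enumerate(logs):
        seen = set()
        for ioc_type, value in extract(line):
            if ioc_type == "cmdline":
                # command-line indicators are fragments, so use containment rather than equality
                found = [(v, e) for v, e in index["cmdline"].items() if v in value]
            else:
                entry = index[ioc_type].get(value)
                found = [(value, entry)] if entry else []
            for indicator, entry in found:
                if (ioc_type, indicator) not in seen:
                    seen.add((ioc_type, indicator))
                    hits.append({"line": n, "type": ioc_type, "indicator": indicator,
                                 "family": entry["family"], "first_seen": entry["first_seen"]})
    return hits


def blocklist(feed, ioc_types=("ip", "domain")):
    """Network indicators in normalised form, ready for a firewall or WAF deny list."""
    return {t: sorted({normalise(t, e["value"]) for e in feed if e["type"] == t}) for t in ioc_types}


if __name__ == "__main__":
    for hit in match_logs(FEED, LOGS):
        print(hit)
    print(blocklist(FEED))
```

Running the script reports four hits (the two ExampleRAT network indicators, the ExampleLoader hash and its PowerShell command line) and no hit for the last proxy line, whose destination is not in the feed. In production the feed would be refreshed on a schedule and the normalised index rebuilt each time; the same `normalise` routine is what you would apply to an indicator before submitting it to a lookup portal, so that a defanged value pasted from a report matches the stored form.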

Example of Global Threat Intelligence in ANY.RUN

ANY.RUN extracts C2 server locations from analyzed malware and displays them on a global map within their Threat Intelligence Lookup portal. 

Filter C2 locations by country or by threat name

The map allows users to filter threats by location or family to identify communication patterns and techniques (MITRE ATT&CK) used by different malware families worldwide. 

Hover over any location to bring up a list of IPs

Users can access granular details like IP addresses associated with those threats by hovering over specific locations. 

This information lets users configure perimeter controls such as WAFs and firewalls to block traffic to and from those addresses, and enrich incident reports with threat identifiers for improved analysis. Because C2 infrastructure rotates quickly, IP-based blocks age fast and should be paired with the domain and file-hash indicators from the same analyses.


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
