Organizations have many tools when investigating cyber threats, but two stand out: Threat Intelligence Platforms (TIPs) and sandboxes.
Each solution provides distinct advantages, yet combining their capabilities leads to a more practical approach to detecting, analyzing, and responding to threats, one that saves resources and improves operations.
Let’s look at the key benefits of integrating TIPs and sandboxes for organizations.
Sandboxes offer virtual environments intended for isolated malware analysis. Analysts use them to execute potentially malicious software without exposing their systems to the risk of infection.
Sandbox analysis aims to study malware’s operation and understand its tactics, techniques, and procedures (TTPs), which is essential for developing effective countermeasures.
One example of such a service is ANY.RUN’s cloud-based sandbox. It allows users to upload and analyze suspicious files and URLs in fully interactive Windows and Linux virtual machines (VMs).
Analysts can gain a complete view of malware behavior, including network traffic, system changes, and exploited vulnerabilities, and collect indicators of compromise (IOCs).
Threat Intelligence Platforms are searchable platforms that contain processed threat data from various sources.
By aggregating information from open-source feeds, commercial threat intelligence providers, and internal security tools, TIPs grant security teams access to insights into current cyber threats’ nature, origin, and potential impact.
The goal of using a TIP is to find additional context information on threats using existing artifacts or indicators.
For instance, Threat Intelligence Lookup is a TIP that runs on the data collected from millions of public malware analysis sessions launched by users of the ANY.RUN sandbox.
Thanks to this, in addition to the standard indicators, such as domains and file names, the platform provides users with advanced search capabilities, enabling them to search for information across command lines, network and registry events, processes, triggered Suricata rules, etc.
Threat Intelligence Lookup is a centralized repository of millions of IOCs extracted from ANY.RUN’s extensive database of interactive malware analysis sessions.
Integrating Threat Intelligence Platforms and Sandboxes creates a robust security framework that offers several advantages:
TIPs provide security teams with a wealth of information on known and emerging threats, while sandboxes offer deeper insights into malware behavior and tactics.
Thus, organizations can gain a holistic view of threats currently presenting a risk and address potential vulnerabilities.
Sandboxes can extract IOCs that can then be correlated with a TIP’s threat intelligence database. A search can yield valuable context on the threat in the form of extra indicators and samples. In turn, this can speed up incident response, allowing security teams to set their priorities more accurately and minimize the potential damage caused by attacks.
The combination of TIPs and sandboxes enables security teams to engage in proactive threat hunting, using the intelligence provided by TIPs to create customized sandbox environments to analyze potential threats. Organizations can stay one step ahead of attackers by studying the potential vulnerabilities targeted by new threats.
Combining TIPs and sandboxes lets organizations make more informed decisions about resource allocation, prioritizing their efforts based on the most pressing threats.
With this approach, security teams can maximize the impact of their resources, ensuring that they are deployed where they can have the most significant effect on an organization’s security posture.
Let’s imagine you, as a cybersecurity professional, receive an alert about a suspicious network connection coming from one of the devices in your organization’s network.
You decide to employ a threat intelligence platform to investigate it further and determine whether this situation poses any risk to the company.
You begin your investigation by entering the currently available information about the incident, the IP address and the destination port, and configure the search to cover a period of the last seven days.
Thus, you put together the query presented in the image above.
The platform returns a wealth of information related to the provided indicators, including a domain which is marked as malicious by the platform, as well as additional IPs, events, and files.
Most importantly, the platform provides 95 malware analysis sessions (tasks) from the ANY.RUN sandbox where the IP and port were used, all of which have the Remcos tag that indicates the known remote access trojan (RAT).
Thanks to the direct integration of the platform with the sandbox, you can explore any of these tasks further and study the execution process of Remcos, view details such as the TTPs used by attackers, network and registry activity, processes, and even the configuration of the malware.
As a result, you successfully and quickly identify the malware family present on your organization’s network and collect extensive information on it by using the combination of the two tools, facilitating further response.
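The two steps above, correlating a sandbox-derived indicator pair with a body of prior analysis sessions and reading the family tag off the matches, can be shown as a small script. The following is an added example and not ANY.RUN code or its API: the `Session` records, task ids, tags, timestamps, and the 203.0.113.0/24 addresses are all constructed stand-ins for what a TIP would index from sandbox runs, and the query logic (time window, exact IP:port match, tag tally, pivot to related endpoints) is the editor's illustration of the investigation, not the platform's implementation.

```python
"""Correlate a suspicious (IP, port) pair with sandbox-derived threat data.

Added example, not ANY.RUN code: a small in-memory stand-in for a TIP index
built from sandbox analysis sessions. Every session, tag, task id and address
below is constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation-only
ranges and never route on the Internet.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    task_id: str                               # sandbox task identifier (hypothetical)
    started: datetime                          # when the analysis ran (UTC)
    tags: tuple[str, ...]                      # family tags the sandbox assigned
    connections: tuple[tuple[str, int], ...]   # (destination IP, port) pairs observed


NOW = datetime(2024, 12, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sessions standing in for the TIP's indexed sandbox data.
SESSIONS = (
    Session("task-0001", NOW - timedelta(days=1), ("remcos", "rat"),
            (("203.0.113.10", 2404), ("203.0.113.77", 443))),
    Session("task-0002", NOW - timedelta(days=3), ("remcos",),
            (("203.0.113.10", 2404),)),
    Session("task-0003", NOW - timedelta(days=30), ("remcos",),   # outside a 7-day window
            (("203.0.113.10", 2404),)),
    Session("task-0004", NOW - timedelta(days=2), ("agenttesla",),
            (("203.0.113.10", 587),)),                            # same IP, other port
    Session("task-0005", NOW - timedelta(hours=6), ("clean",),
            (("203.0.113.77", 443),)),
)


def lookup(ip: str, port: int, days: int = 7, sessions=SESSIONS, now: datetime = NOW):
    """Return sessions inside the time window that contacted exactly (ip, port)."""
    cutoff = now - timedelta(days=days)
    return [s for s in sessions if s.started >= cutoff and (ip, port) in s.connections]


def investigate(ip: str, port: int, days: int = 7, sessions=SESSIONS, now: datetime = NOW):
    """Summarize what matching sessions say about the indicator pair.

    Returns the matching task ids, a tally of family tags, the most frequent tag
    as the likely family (None when nothing matched), and the other endpoints
    those sessions contacted, which are the next indicators an analyst pivots on.
    """
    hits = lookup(ip, port, days, sessions, now)
    tags = Counter(tag for s in hits for tag in s.tags)
    related = sorted({c for s in hits for c in s.connections if c != (ip, port)})
    family = tags.most_common(1)[0][0] if tags else None
    return {
        "matches": [s.task_id for s in hits],
        "tags": dict(tags),
        "likely_family": family,
        "related_endpoints": related,
    }


if __name__ == "__main__":
    # The alert from the walkthrough: one suspicious outbound connection.
    print(investigate("203.0.113.10", 2404))
```

Two details matter in practice and are built into the example: the match is on the full (IP, port) pair, so traffic to the same host on an unrelated port does not inflate the count, and the window filter keeps stale sessions out of the verdict unless the analyst widens `days` on purpose.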
Threat investigations and malware analysis can be fast, simple, and affordable. Just let ANY.RUN show you how.
Test all features of Threat Intelligence Lookup and ANY.RUN’s interactive sandbox as part of a personalized demo for your SOC/DFIR team. You can schedule a call.