What is Global Threat Intelligence? – SOC/DFIR Team Guide

Global threat intelligence (GTI) is crucial for cybersecurity as it offers real-time data on emerging and persistent cyber threats worldwide.

Threats can originate anywhere, so understanding regional variations is essential. 

For example, North Korean actors target government infrastructure, while Eastern Europe is a hub for Ransomware-as-a-Service (RaaS) operations such as LockBit.

Organizations must leverage GTI from various sources beyond their local region to comprehensively view the global threat landscape.

ANY.RUN’s global map of sample submissions  

A threat intelligence source should pull data from organizations worldwide to give a comprehensive understanding of global cyber threats.

Global monitoring then lets defenders track threats, malware campaigns, and other malicious activity that can impact organizations anywhere.

Finally, the source must provide Indicators of Compromise (IOCs) and event details that can be used to identify a compromised system.



The IOCs could be IP addresses, domain names, file fingerprints, network traffic patterns, or even specific commands used by malware. 

According to ANY.RUN’s report on global threat intelligence, a GTI source should include the following:

  • Comprehensive data sources: global threat intelligence relies on collecting data from sources around the world; the more international organizations from different countries and regions contribute to the data source, the more holistic the picture it can provide.
  • Global monitoring: monitoring cyber threats, malware campaigns, and other malicious activities that transcend geographical boundaries and have the potential to impact organizations worldwide.
  • Global IOCs and event fields: the data source should provide access to artifacts or patterns that indicate a system has been compromised or is under attack, such as IP addresses, domain names, file hashes, patterns of network traffic, or CMD and PowerShell command lines associated with known malware.
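As an added example (not ANY.RUN’s code, and not its feed format, which is assumed here as simple records with "type", "value" and "family" fields), the following Python matches a constructed IOC feed covering the indicator types just listed against constructed proxy and EDR log lines, then derives the two uses the page describes later: a network block list for a WAF or firewall and per-family enrichment for an incident report.

```python
import re

# Constructed IOC feed for this example; the record fields ("type", "value",
# "family") are an assumption, not a real vendor feed schema.
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.45", "family": "ExampleRAT"},
    {"type": "domain", "value": "update-check.example.net", "family": "ExampleRAT"},
    {"type": "sha256", "value": "a" * 64, "family": "ExampleLoader"},
    # Behavioural IOC: a command-line pattern, stored as a regex.
    {"type": "cmdline", "value": r"powershell.*-enc\s+[A-Za-z0-9+/=]{40,}", "family": "ExampleLoader"},
]

# Constructed log lines: two proxy events and two EDR events.
SAMPLE_LOGS = [
    "proxy src=10.0.0.7 dst=203.0.113.45 host=update-check.example.net",
    "edr host=WS-07 proc=powershell.exe cmd=\"powershell -nop -w hidden -enc " + "QUFB" * 12 + "\"",
    "edr host=WS-07 file=C:\\Users\\a\\Downloads\\inv.exe sha256=" + "a" * 64,
    "proxy src=10.0.0.8 dst=198.51.100.9 host=intranet.example.org",
]

def compile_feed(feed):
    """Return (type, value, family, regex) per record. Literal IOCs are matched
    as whole tokens so 203.0.113.4 does not hit on 203.0.113.45."""
    compiled = []
    for rec in feed:
        if rec["type"] == "cmdline":
            rx = re.compile(rec["value"], re.IGNORECASE)
        else:
            rx = re.compile(r"(?<![\w.])" + re.escape(rec["value"]) + r"(?![\w.])", re.IGNORECASE)
        compiled.append((rec["type"], rec["value"], rec["family"], rx))
    return compiled

def match_logs(feed, logs):
    """Scan log lines against the feed; each hit is (line_no, type, value, family)."""
    compiled = compile_feed(feed)
    return [(n, t, v, f) for n, line in enumerate(logs, 1)
            for t, v, f, rx in compiled if rx.search(line)]

def enrich(hits):
    """Incident-report enrichment: which IOC types were observed per malware family."""
    seen = {}
    for _, t, _, f in hits:
        seen.setdefault(f, set()).add(t)
    return seen

def network_blocklist(feed):
    """Network-layer IOCs suitable for a WAF or firewall deny list."""
    return sorted(r["value"] for r in feed if r["type"] in ("ip", "domain"))
```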

Global Threat Intelligence in ANY.RUN 

ANY.RUN offers a cloud-based malware sandbox for security teams to analyze suspicious files, detect malware within 40 seconds, and identify malware families using built-in rules. 

Unlike automated sandboxes, it allows interactive analysis in a virtual machine to uncover zero-day exploits.

As a cloud solution, it reduces setup and maintenance costs, and its user-friendly interface simplifies onboarding for security analysts.

ANY.RUN offers threat intelligence solutions that cover technical, tactical, and operational aspects on a global scale. 

Its data source is comprehensive, providing insights into indicators of compromise, attacker techniques, and the types of malware being used globally. This allows analysts to assess potential threats, understand how attacks might unfold, and identify specific malicious elements to monitor.

ANY.RUN’s online sandbox interface 

The interactive sandbox environment allows malware researchers to analyze suspicious files in a cloud-based virtual machine quickly.

The sandbox captures detailed data about the file’s behavior, including file and registry changes, loaded modules, network connections, and more. 



The data is stored along with the Indicators of Compromise (IOCs) extracted from the analysis, and users can consume it in two ways.

Subscribing to threat intelligence feeds delivers fresh IOCs in a standardized format, while the lookup portal allows searching for specific indicators and linking them to potential malware families based on historical analysis data.

The rich collection of IOCs and related events provides valuable context for security professionals investigating potential threats. 

Example of Global Threat Intelligence in ANY.RUN 

ANY.RUN extracts C2 server locations from analyzed malware and displays them on a global map within their Threat Intelligence Lookup portal. 

Filter C2 locations by country or by threat name 

The map allows users to filter threats by location or family to identify communication patterns and techniques (MITRE ATT&CK) used by different malware families worldwide. 

Hover over any location to bring up a list of IPs 

Users can access granular details like IP addresses associated with those threats by hovering over specific locations. 

This information lets users configure security controls such as WAFs to block malicious traffic, and enrich incident reports with threat identifiers for improved analysis.


The post What is Global Threat Intelligence? – SOC/DFIR Team Guide appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

Author: Balaji