DoD Cyber Security blogs anyrun

How to Quicken Your SOC Investigations: From Alert to Action

A Security Operations Center ( SOC ) professional’s role requires a quick and effective process of alerts. Their ability to do so can be significantly improved by technology-based threat intelligence platforms. Find out what these platforms are and how they can empower analysts.

The Problem: Overload Alerts

SIEMs and EDRs consistently issue security alerts to the modern SOC. It takes both time and resources to sort through these alerts. Before identifying conclusive evidence for a potential threat, it frequently requires digging through numerous sources to determine whether it poses a real risk. The frustration of wasting time looking for artifacts that ultimately turn out to be false positives further complicates this process.

A significant portion of these events are still uninvestigated as a result. Finding the necessary data quickly and accurately about various indicators is a critical issue, as this demonstrates. A solution is provided by threat data platforms. With these tools, you can quickly discover any suspicious URL, IP, or other indicator and look up its possible risk. Threat Intelligence Lookup from ANY is one of these platforms. RUN.

The Rescue of Threat Intelligence Platforms

Specialized SOC investigations make use of their database of threat data, which has been gathered from various sources, to build their own databases. Take ANY as an example. Threat Intelligence ( TI Lookup ) is a tool for RUN. IOCs are collected from millions of interactive analysis sessions ( tasks ) that were conducted using this platform. Sandbox RUN.

In addition to the threat data, the platform provides command line data, registry and network activity logs, and other system data created during sandbox analysis sessions. Users can then use these fields to find pertinent information.

Benefits of Threat Intelligence Platforms

Greater Awareness of Threats

Such platforms provide a single point of access to IOC searches across a range of data points rather than relying on disparate data sources. This enables a more thorough threat identification and investigation by including URLs, file hashes, IP addresses, logged events, command lines, and registries.

Faster Alert Investigations

Time is of the essence when there is a security incident. TI platforms enable faster collection of relevant threat intelligence data, revealing more about the nature, affected systems, and compromise scope of the attack. This can significantly expedite and enhance response times.

Proactive ThreatHunting

Teams are able to use threat intelligence tools to look for known IOCs linked to particular malware families. This proactive approach can aid in identifying undiscovered threats before they become serious problems.

They can give you access to information that might help you discover potential vulnerabilities in known threats. This data can inform risk assessments and give organizations a clearer picture of security priorities based on the most pressing risks.

Analysis and Making of Decisions Regarding the Threat

Teams can better analyze threats and make informed decisions about containment, remediation, and upcoming preventative measures when they have more in-depth knowledge of malware behavior. The overall security posture and team competence are strengthened by this ongoing learning cycle.

Examples of queries for a threat intelligence platform

Using individual indicators to search

Threat Intelligence

Imagine that you have a suspicion that a compromised network’s system is executing malicious code. You identify a particular IP address as the potential source and decide to look into it further. Enter the IP address into a threat intelligence platform’s search bar. The platform continuously flags the address as malicious and links it to Remcos malware, providing details on domains, ports, and even files linked to thisIP.

Additionally, it lists Tactics, Techniques, & Procedures ( TTPs ) used by malware in these analysis sessions as well as a link to the IP address where this IP address was used.

Threat Intelligence

Simply clicking on each session will allow you to study each session in depth. You will be taken to the session’s page in ANY by the system. Run the sandbox, where you can find out all the processes, connections, and registry activity as well as collect malware’s configuration and IOCs, or download a detailed threat report.

Wildcard-based, flexible search

Wildcards and combined queries are another useful feature of threat intelligence platforms like TI Lookup.

Threat Intelligence

For instance, the command line “binPath=*start = auto” uses the asterisk wildcard, which is followed by any characters ending in” start = auto” followed by “binPath =”.

The platform returns the same fragment from the first hundred sessions. This particular command line artifact is characteristic of the Tofsee malware, according to a closer examination of the search results.

Combined Search Requests

To find all instances in which these criteria appear together, the threat intelligence platform can also use this strategy.

Threat Intelligence

For instance, you can create a command line query that searches for all tasks ( sessions ) that are classified as “file” and run on a 64-bit operating system running Windows 7 with the string “schtasks” in the command line.

The platform then shows a list of IPs tagged with” RisePro,” highlighting the malicious code, and identifies a number of sessions that meet the criteria.

Try looking up threat intelligence.

Threat intelligence scouting by ANY. RUN enables precise threat investigation. analyze network activity, files, processes, and more. With more than 30 fields, including IPs, domains, logged events, and MITRE techniques, refine your search. For a holistic understanding, combine parameters. To expand your audience, use wildcard queries.

Request a trial of the platform and receive 50 freebie requests.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter ï‚™ and LinkedIn to read more exclusive content we post.
Skip to content