How to accelerate your SOC investigations


Processing alerts quickly and efficiently is the cornerstone of the role of a Security Operations Center (SOC) professional. Threat Intelligence platforms can significantly increase their ability to do this. Let’s take a look at what these platforms are and how they can empower analysts.

The challenge: alert overload

The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs. Searching through these alerts is both time-consuming and labor-intensive. Analyzing a potential threat often requires searching multiple sources before finding conclusive evidence to verify whether it poses a real risk. This process is further hampered by the frustration of spending valuable time examining artifacts that ultimately turn out to be false positives.

As a result, a significant portion of these events remain uninvestigated. This highlights a crucial challenge: finding the necessary information regarding different indicators quickly and accurately. Threat data platforms offer a solution. These platforms allow you to look up any suspicious URL, IP or other indicator and immediately understand its potential risk. One such platform is Threat Intelligence Lookup from ANY.RUN.

Threat intelligence platforms come to the rescue

Specialized platforms for SOC investigations leverage their databases of threat data collected from various sources. Take ANY.RUN’s Threat Intelligence Lookup (TI Lookup), for example. This platform collects Indicators of Compromise (IOCs) from millions of interactive analysis sessions (tasks) running within the ANY.RUN sandbox.

The platform provides an additional dimension of threat data: process logs, registry and network activity, command line contents, and other system information generated during sandbox analysis sessions. Users can then search these fields for relevant details.

Benefits of Threat Intelligence Platforms

Better insight into threats

Rather than relying on scattered data sources, such platforms provide a single entry point for searching for IOCs across all collected data points. This includes URLs, file hashes, IP addresses, logged events, command lines, and registry activity, allowing for more comprehensive threat identification and investigation.

Faster alert investigations

When a security incident occurs, time is of the essence. TI platforms help quickly collect relevant threat intelligence, providing a better understanding of the nature of the attack, the systems affected and the scope of the threat. This can significantly speed up and improve response efforts.

Proactive threat hunting

Threat Intelligence platforms enable teams to actively search for known IOCs associated with specific malware families. This proactive approach can help uncover hidden threats before they escalate into major incidents.

They can provide access to data that can reveal potential vulnerabilities associated with known threats. This information can contribute to risk assessments and help organizations prioritize security efforts based on the most pressing threats.

Threat analysis and decision making

Armed with detailed insights into malware behavior, teams can more accurately analyze threats and make informed decisions about containment, remediation, and future preventative measures. This continuous learning cycle strengthens the overall security position and team competence.

Examples of queries on the Threat Intelligence platform

Search with individual indicators


Imagine you suspect that a compromised system within your network is downloading malicious files. You pinpoint a specific IP address as the potential source and decide to investigate further. Enter the IP address into the search bar of a threat intelligence platform. The platform immediately marks the address as malicious and linked to the Remcos malware, and provides information about domains, ports and even files associated with this IP address.

It also provides access to analysis sessions involving this IP address and provides an overview of the tactics, techniques, and procedures (TTPs) used by malware during these sessions.


You can study each session in detail by simply clicking on it. The system will take you to the session page in the ANY.RUN sandbox, where you can explore all processes, connections and registry activities, as well as collect the malware’s configuration and IOCs or download a comprehensive threat report.

Another useful feature of threat intelligence platforms like TI Lookup is the ability to submit wildcard and combined searches.


For example, the search “binPath=*start= auto” uses the asterisk as a wildcard: it matches any command line that contains “binPath=” followed by any sequence of characters and then “start= auto”.

The platform returns a hundred sessions in which the same fragment appeared. Closer examination of the search results reveals that this particular command line artifact is characteristic of the Tofsee malware.

Combined searches

Another option for conducting an investigation is to pool all available indicators and submit them to the threat intelligence platform to identify all cases where these criteria appear together.


For example, you can build a query that looks for all tasks (sessions) that are categorized as “file”, running on Windows 7, with a 64-bit operating system, connecting to port 50500, and containing the string “schtasks” in the command line.

The platform then identifies numerous sessions that meet the specified criteria and additionally provides a list of IP addresses tagged with “RisePro”, highlighting the malware responsible.
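To make the two search types above concrete, here is an added Python model (not ANY.RUN's code or query engine) that runs the wildcard query “binPath=*start= auto” and the combined query from the previous paragraph over a handful of constructed session records. The record fields, the treatment of “*” as any run of characters, and case-insensitive matching are assumptions made for this illustration.

```python
import re

# Constructed sandbox-style session records, modelled on the fields the article
# describes (task type, OS, bitness, contacted ports, command line). Not real data.
SESSIONS = [
    {"id": 1, "type": "file", "os": "Windows 7", "bits": 64, "ports": [50500, 443],
     "cmdline": 'schtasks /create /tn Updater /tr "C:\\Users\\Public\\u.exe" /sc minute'},
    {"id": 2, "type": "file", "os": "Windows 10", "bits": 64, "ports": [80],
     "cmdline": 'sc create svchelper binPath= "C:\\Windows\\Temp\\s.exe" start= auto'},
    {"id": 3, "type": "url", "os": "Windows 7", "bits": 32, "ports": [50500],
     "cmdline": "schtasks /query"},
    {"id": 4, "type": "file", "os": "Windows 7", "bits": 64, "ports": [50500],
     "cmdline": "cmd.exe /c sc create upd binPath= C:\\ProgramData\\u.exe start= auto "
                "& schtasks /create /tn u /tr C:\\ProgramData\\u.exe /sc onlogon"},
]


def wildcard_to_regex(pattern):
    """Translate a wildcard query into a regex. Assumption: '*' matches any run of
    characters; every other character is literal, so regex metacharacters such as
    '.' or '(' in a command line are escaped rather than interpreted."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


def wildcard_search(sessions, pattern):
    """Return ids of sessions whose command line contains a match for the pattern."""
    rx = wildcard_to_regex(pattern)
    return [s["id"] for s in sessions if rx.search(s["cmdline"])]


def combined_search(sessions, **criteria):
    """AND together all supplied criteria: 'port' must be among the session's ports,
    'cmdline_contains' is a case-insensitive substring, other keys match exactly."""
    def matches(s):
        for key, want in criteria.items():
            if key == "port":
                if want not in s["ports"]:
                    return False
            elif key == "cmdline_contains":
                if want.lower() not in s["cmdline"].lower():
                    return False
            elif s.get(key) != want:
                return False
        return True
    return [s["id"] for s in sessions if matches(s)]


if __name__ == "__main__":
    print(wildcard_search(SESSIONS, "binPath=*start= auto"))            # [2, 4]
    print(combined_search(SESSIONS, type="file", os="Windows 7", bits=64,
                          port=50500, cmdline_contains="schtasks"))     # [1, 4]
```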

Try Looking up Threat Intelligence

Threat Intelligence Lookup from ANY.RUN allows you to investigate threats accurately. Analyze processes, files, network activity and more. Refine your search with over 30 fields, including IPs, domains, logged events and MITRE techniques. Combine parameters for a holistic understanding. Use wildcards to widen your reach.

Request a trial period to receive 50 free requests to explore the platform.

#accelerate #SOC #investigations
