Now you can expand your SIEM and other security systems by integrating IOCs directly from ANY.RUN sandbox’s public tasks. At the moment, our Threat Intelligence Feed delivers:
- Malicious IPs
- Malicious URLs
- Malicious domains
We also offer contextual metadata for IoCs to speed up your incident investigations—more on this later in the article.
Why we created ANY.RUN Threat Intelligence Feed
ANY.RUN sandbox already serves hundreds of thousands of users, from individual malware researchers to some of the world’s largest SOC, DFIR, and malware analysis teams. These users rely on our cloud sandbox to analyze malware behavior and investigate incidents.
When our users create public tasks, they generate a wealth of valuable IOCs — in fact, in Q3 2023 our community collected 48,932,710 unique IOCs.
Until now, this data was underutilized for improving security. We aim to change that. We have big plans for the future, but today we’re taking the first step toward letting you do more with this data, and it starts with feeds.
What is a threat intelligence feed?
A threat intelligence feed provides a near real-time stream of threat data from external sources. Organizations leverage these feeds to keep security defenses like SIEMs up-to-date against new attacks.
Fresh data is pulled from tasks processed in the ANY.RUN sandbox
ANY.RUN has a community of over 300,000 members who process more than 14,000 public tasks every day. These tasks come from users around the world, tackling a wide variety of threats, both new and known, for work or as a hobby. The data is stored in public submissions, and we extract the latest IOCs directly from this extensive database, which is updated with information about new threats hourly.
UPD: ANY.RUN now also offers Threat Intelligence Lookup, a centralized searchable repository of threat data derived from ANY.RUN’s database of malware analysis sessions. The platform enables examination of persistent and emerging threats through analysis of various data points, including IOCs, processes, modules, files, network activity, and registry interactions.
This speed of access to new IOCs is what makes ANY.RUN’s Threat Intelligence Feed a valuable resource for expanding your existing threat coverage and improving your detection rate.
- A rich, reliable data source. IOCs are extracted from network traffic and malware configurations found in memory dumps. We use whitelists and proprietary algorithms to clean the data and filter out false positives.
- As close to real-time as you can get. Fresh IOCs are pulled from the sandbox every two hours, which is the maximum wait time until your SIEM receives new data.
In practice, this means your SIEM tools could be updated with IOCs from an attack that occurred just an hour or two ago.
Access linked, contextual data from recent threats and incidents
We also offer contextual metadata for IoCs to accelerate incident analysis after an alarm has been triggered in your SIEM system. Included are:
- Related file hashes: you can quickly search across your systems to find any instances of files with these hashes. If found, you can quarantine them for further investigation, stopping the threat in its tracks.
- First and last detection times: this information helps you understand how long the IoC has been active. You can use this to scope the incident’s impact and decide how urgently you need to respond.
- Accessed network ports: knowing which ports were targeted gives you the option to temporarily shut them down or monitor them closely for additional suspicious activity, thereby reducing the threat surface.
- Malware classification tags: these tags can tell you if the IoC is associated with ransomware, a trojan, or some other type of malware. Knowing this helps you anticipate the malware’s behavior and strategize your response accordingly.
Additionally, users can get analysis reports of samples linked to the IOCs from Threat Intelligence Feeds, sourced from ANY.RUN’s public submissions database.
When an IOC match is detected, clients can find links to the reports in the “source_ref” field. This gives analysts the context behind an indicator, which speeds up investigation and response.
Example:
"extensions":{"author":"ANY.RUN","source_ref":["https://app.any.run/tasks/70a90108-3593-47fa-ac10-c3598421f653", "https://app.any.run/tasks/473dd5f4-a977-453f-b354-7d8b1e17aa79", "https://app.any.run/tasks/4e8d82ad-2d63-4b50-abe7-d51139f63c6f"]}
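A minimal consumer of such a feed, as an added example that is not ANY.RUN’s code: it parses a constructed STIX bundle whose indicators carry an “extensions” object shaped like the fragment above, indexes the indicator values, and attaches the source_ref report links to any log line that matches. The bundle contents, task links, log lines and the single-comparison pattern form are constructed assumptions.

```python
import json
import re

# Constructed sample: a STIX bundle with two indicators shaped like the page's
# "extensions" example. IOC values and task links are placeholders, not real data.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000", "objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']",
     "extensions": {"author": "ANY.RUN",
                    "source_ref": ["https://app.any.run/tasks/TASK-ID-PLACEHOLDER-1"]}},
    {"type": "indicator", "id": "indicator--0002", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.malicious.example']",
     "extensions": {"author": "ANY.RUN",
                    "source_ref": ["https://app.any.run/tasks/TASK-ID-PLACEHOLDER-2",
                                   "https://app.any.run/tasks/TASK-ID-PLACEHOLDER-3"]}},
]})

# Single-comparison STIX patterns only, e.g. [ipv4-addr:value = '203.0.113.10'].
PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")

def load_iocs(bundle_json: str) -> dict:
    """Map each IOC value to (ioc_type, report links) taken from extensions.source_ref."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # compound or non-value patterns are skipped, not guessed
        ioc_type, value = m.groups()
        refs = obj.get("extensions", {}).get("source_ref", [])
        iocs[value.lower()] = (ioc_type, list(refs))
    return iocs

# Constructed proxy log lines: time, client, method, destination host, destination IP.
SAMPLE_LOGS = [
    "2023-10-02T10:15:01Z 10.0.0.5 GET c2.malicious.example 203.0.113.10",
    "2023-10-02T10:15:07Z 10.0.0.8 GET www.example.org 192.0.2.44",
]

def match_logs(lines: list, iocs: dict) -> list:
    """Return (log line, IOC, report links) for every whitespace token that is a known IOC."""
    hits = []
    for line in lines:
        for token in line.split():
            if token.lower() in iocs:
                hits.append((line, token, iocs[token.lower()][1]))
    return hits
```

The report links returned with each hit are what an analyst would open first to see the sandbox session behind the indicator.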
Customize the data you receive and choose its format
Depending on your application, you can download URLs, IPs, and domains separately, or download everything together.
You can receive data in the STIX format — a standardized language for conveying information about threat intelligence which is used in a vast majority of modern SIEM systems.
How to start using ANY.RUN’s Threat Intelligence Feed and what’s next?
If you’re interested in ANY.RUN’s Threat Intelligence Feed, contact our sales team to discuss pricing and get answers to any questions you may have about the product.
We have big plans for this product and will continue to enhance its features. One of our next steps is to add hashes to the available indicators. But that’s just the start — we have more things in the pipeline to help you leverage ANY.RUN’s continuously updated threat data for better security awareness and detection.
1 comment
Thank you for the information!