
What is Global Threat Intelligence? – SOC/DFIR Team Guide

Global threat intelligence (GTI) is crucial for cybersecurity as it offers real-time data on emerging and persistent cyber threats worldwide.

Threats can originate anywhere, so understanding regional variations is essential. 

For example, North Korean actors target government infrastructure, while Eastern Europe is a hub for Ransomware-as-a-Service (RaaS) like LockBit.

Organizations must draw on GTI from sources beyond their own region to gain a comprehensive view of the global threat landscape.

ANY.RUN’s global map of sample submissions

A threat intelligence source should pull data from international organizations worldwide to comprehensively understand global cyber threats.

In addition, global monitoring lets it track threats, malware campaigns, and other malicious activity that can impact organizations anywhere.

Ultimately, a source is needed that provides Indicators of Compromise (IOCs) and event details that can identify a compromised system.

The IOCs could be IP addresses, domain names, file fingerprints, network traffic patterns, or even specific commands used by malware. 

According to ANY.RUN's report, a global threat intelligence source should include the following:

Comprehensive data sources: Global threat intelligence relies on collecting data from sources around the world. The more international organizations from different countries and regions contribute to the data source, the more holistic the picture it can provide.

Global monitoring: This involves monitoring cyber threats, malware campaigns, and other malicious activities that transcend geographical boundaries and have the potential to impact organizations worldwide.

Global IOCs and event fields: The data source should provide access to artifacts or patterns that indicate a system has been compromised or is under attack, such as IP addresses, domain names, file hashes, patterns of network traffic, or CMD and PowerShell commands associated with known malware.

Global Threat Intelligence in ANY.RUN

ANY.RUN offers a cloud-based malware sandbox for security teams to analyze suspicious files, detect malware within 40 seconds, and identify malware families using built-in rules. 

Unlike automated sandboxes, it allows interactive analysis in a virtual machine to uncover zero-day exploits.

As a cloud solution, it reduces setup and maintenance costs, and its user-friendly interface simplifies onboarding for security analysts.

ANY.RUN offers threat intelligence solutions that cover technical, tactical, and operational aspects on a global scale. 

Their data source is comprehensive, providing insights into indicators of compromise, attacker techniques, and the types of malware being used globally. This allows for the analysis of potential threats, understanding of how attacks might unfold, and identification of specific malicious elements to monitor. 

ANY.RUN’s online sandbox interface

The interactive sandbox environment allows malware researchers to analyze suspicious files in a cloud-based virtual machine quickly.

The sandbox captures detailed data about the file’s behavior, including file and registry changes, loaded modules, network connections, and more. 

The data is stored along with Indicators of Compromise (IOCs) extracted from the analysis, and users can use it in two ways: subscribing to threat intelligence feeds delivers fresh IOCs in a standardized format, while the lookup portal allows searching for specific indicators and linking them to known malware families based on historical analysis data.

The rich collection of IOCs and related events provides valuable context for security professionals investigating potential threats. 

Example of Global Threat Intelligence in ANY.RUN

ANY.RUN extracts C2 server locations from analyzed malware and displays them on a global map within their Threat Intelligence Lookup portal. 

Filter C2 locations by country or by threat name

The map allows users to filter threats by location or family to identify communication patterns and techniques (MITRE ATT&CK) used by different malware families worldwide. 

Hover over any location to bring up a list of IPs

Users can access granular details like IP addresses associated with those threats by hovering over specific locations. 

This information lets users configure security controls such as web application firewalls (WAFs) to block malicious traffic, and enrich incident reports with threat identifiers for improved analysis.
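The workflow the article describes (consume a feed of IOCs, look indicators up against it, filter C2 infrastructure by country or family, and turn the result into a blocklist and incident-report context) can be illustrated with a small matching script. The code below is an added example written for this guide, not ANY.RUN's code or feed schema: the feed format, the indicator values (RFC 5737 documentation addresses and example domains) and the log lines are all constructed here for illustration.

```python
"""Match a threat-intelligence feed against log lines and summarise the hits.

The feed schema, the indicators and the log lines are constructed examples
(hypothetical), not ANY.RUN's feed format or real IOCs.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample feed: one entry per indicator, with the malware family
# and the country where the C2 server was observed. Hypothetical schema.
SAMPLE_FEED = json.dumps([
    {"type": "ip", "value": "203.0.113.45", "family": "LockBit", "country": "NL"},
    {"type": "ip", "value": "198.51.100.7", "family": "AgentTesla", "country": "US"},
    {"type": "domain", "value": "update-check.example.net", "family": "AgentTesla", "country": "US"},
    {"type": "sha256", "value": "a" * 64, "family": "LockBit", "country": "NL"},
])

# Constructed sample log lines in a proxy / DNS / EDR style (not from the article).
SAMPLE_LOGS = [
    "2024-11-05T10:01:02Z proxy src=10.0.0.5 dst=203.0.113.45:443 action=allow",
    "2024-11-05T10:01:09Z dns client=10.0.0.8 query=UPDATE-CHECK.example.net.",
    "2024-11-05T10:02:31Z edr host=ws-17 sha256=" + "a" * 64 + " proc=svchost.exe",
    "2024-11-05T10:03:00Z proxy src=10.0.0.5 dst=93.184.216.34:443 action=allow",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}\b")


def normalise(kind, value):
    """Canonicalise an indicator so feed and log values compare equal
    (case-insensitive domains and hashes, trailing DNS dot removed)."""
    value = value.strip()
    if kind == "domain":
        return value.lower().rstrip(".")
    if kind == "sha256":
        return value.lower()
    return value


def load_feed(feed_json):
    """Index feed entries by (type, normalised value) for O(1) lookups."""
    index = {}
    for entry in json.loads(feed_json):
        key = (entry["type"], normalise(entry["type"], entry["value"]))
        index[key] = entry
    return index


def extract_candidates(line):
    """Pull every indicator-shaped token (IP, SHA-256, domain) out of a log line."""
    found = set()
    for ip in IP_RE.findall(line):
        found.add(("ip", normalise("ip", ip)))
    for digest in SHA256_RE.findall(line):
        found.add(("sha256", normalise("sha256", digest)))
    for domain in DOMAIN_RE.findall(line):
        found.add(("domain", normalise("domain", domain)))
    return found


def enrich_logs(lines, index):
    """Return one hit per (line, indicator), carrying the feed context
    (family, country) that an incident report would cite."""
    hits = []
    for line in lines:
        for key in extract_candidates(line):
            entry = index.get(key)
            if entry is not None:
                hits.append({"line": line, "type": key[0], "indicator": key[1],
                             "family": entry["family"], "country": entry["country"]})
    return hits


def summarise(hits):
    """Group hits by malware family and C2 country, like the map view's filters."""
    by_family = defaultdict(Counter)
    for hit in hits:
        by_family[hit["family"]][hit["country"]] += 1
    return {family: dict(counts) for family, counts in by_family.items()}


def network_blocklist(index, family=None, country=None):
    """Network indicators (IPs and domains) from the feed, optionally filtered
    by family or country, sorted so the output is stable for a WAF/firewall rule."""
    values = []
    for (kind, value), entry in index.items():
        if kind not in ("ip", "domain"):
            continue
        if family is not None and entry["family"] != family:
            continue
        if country is not None and entry["country"] != country:
            continue
        values.append(value)
    return sorted(values)


if __name__ == "__main__":
    feed_index = load_feed(SAMPLE_FEED)
    for hit in enrich_logs(SAMPLE_LOGS, feed_index):
        print(f"{hit['family']:<10} {hit['country']} {hit['type']:<6} {hit['indicator']}")
    print(summarise(enrich_logs(SAMPLE_LOGS, feed_index)))
    print(network_blocklist(feed_index, country="US"))
```

Normalisation is the step that matters in practice: the DNS log records the domain in upper case with a trailing dot, and without `normalise` that line would silently miss the feed entry. The private addresses and the unlisted public address in the sample logs produce no hits, which is the expected negative case.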


Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
