How TI Lookup Helps SecurityAnalysts Collect Cyber ThreatIntelligence

Cyber threat intelligence is crucial for security researchers, as it enables them to create proactive defenses. Although numerous sources of threat intelligence exist, few provide the convenience and extensive data on current malware and phishing threats as TI Lookup from ANY.RUN. Here’s what you need to know about this service and how it supports professionals in their security efforts.

What is TI Lookup

TI Lookup is a tool for exploring, collecting, and analyzing threat data. At its core is a continuously updated threat database that relies on the millions of public malware and phishing samples analyzed in ANY.RUN’s Interactive Sandbox.

TI Lookup provides users with the ability to search its extensive database using over 40 parameters related to indicators of compromise (IOCs), indicators of behavior (IOBs), and indicators of attack (IOAs). This comprehensive search functionality enables users to use the smallest pieces of data discovered during their incident research or threat hunting and pin it to a particular malware or phishing campaign.

How it works

After submitting their search query, users receive results in the form of contextual data that matches their request.

For example, a user might search for specific IOCs such as malicious IP addresses, domain names, or file hashes. The results will include all the data related to these indicators, including samples of malware, other IPs, domains, and URLs associated with these samples, as well as suspicious and malicious system and network events observed during the execution of these samples inside the ANY.RUN sandbox.

In addition to IOCs, TI Lookup can search for specific events like mutexes, which are unique identifiers used by malware to coordinate activities. The service also supports searches using YARA rules, which are powerful tools for identifying and classifying malware based on specific patterns. This capability is extremely helpful for security professionals who need to quickly identify and respond to emerging threats.

Example: How to Identify a Cyber Threat by an IP Address

Consider a situation when you get an alert about a connection to a suspicious IP address (e.g., 162[.]254[.]34[.]31) from your network.

With TI Lookup, you can verify this IP in seconds and identify the actual threat related to it. 

In the image below, you can see how submitting the IP in a query to TI Lookup provides us with a conclusive verdict that it belongs to the infrastructure of the AgentTesla malware. 

The service marks the queried IP address as malicious and offers extra context

From there, you can collect all the important intelligence on the threat at hand, including samples similar to the one used to infect the computer in your network.

provides a list of sandbox sessions where the IP address was detected

TI Lookup also provides actual sandbox sessions that you can freely explore to see how the threat behaves in real time.

Conclusion

TI Lookup from ANY.RUN is a powerful tool that greatly helps security professionals in their threat investigations, as it provides them with:

  • Easy and flexible search with over 40 search parameters, including IPs, hashes, registry keys, and processes
  • Real-time updates on new results related to your queries
  • Ability to combine indicators and events that are not directly related in one query to pinpoint specific threats
  • Access to data that is difficult or impossible to find in other sources
  • Examples and context from other investigations to aid decision-making

Get a 14-day free trial of TI Lookup to see how it can benefit your security team.

Leave a Reply

Your email address will not be published. Required fields are marked *