TLDR:
- OpenCTI integrates with ANY.RUN to streamline threat analysis and enrich observations with data directly from ANY.RUN.
- The integration offers automatic data import and interactive analysis and enrichment functionalities.
OpenCTI is a central hub that collects threat data from various sources, like ANY.RUN, through connectors and stores this data as “observations.” ANY.RUN is a cloud-based malware analysis sandbox that assists security teams in investigating suspicious files and offers real-time interaction with the virtual environment.
Article:
OpenCTI integrates with ANY.RUN to enhance threat analysis for SOC (Security Operations Center) teams and MDR (Managed Detection and Response) teams. This integration allows for automatic data import from ANY.RUN’s Threat Intelligence Feeds connector into OpenCTI daily. The sandbox connector from ANY.RUN enriches observations with data from malware execution in a sandbox environment, providing insights like malware labels, malicious scores, and indicators of tactics, techniques, and procedures (TTPs) used by the malware.
The integration offers a centralized platform for faster and more comprehensive threat analysis by combining and analyzing data from various sources. Analysts can work with malware analysis reports, get real-time detection results, and use ANY.RUN’s interactive malware analysis feature. The platform is user-friendly and allows even new security team members to learn malware analysis quickly.
The ANY.RUN enrichment connector in OpenCTI turns observations into indicators by submitting them to ANY.RUN for analysis. This process extracts Indicators of Compromise (IOCs) from network traffic, memory dumps, and observed activity, enriching the data within OpenCTI. Observations enhanced with additional details from ANY.RUN can be sent to SIEM (Security Information and Event Management) or SOAR (Security Orchestration, Automation, and Response) systems to trigger incident response procedures.
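As an added example (not code from the article, OpenCTI or ANY.RUN), the following Python models the observation-to-indicator step described above: a constructed sandbox report for a file observable is checked against a score threshold and, when the verdict is malicious, the file hash and the network IOCs seen during execution are turned into STIX indicator patterns carrying the malware family and TTPs as labels. The report layout, the threshold, the `Indicator` class and the helper names are assumptions, not ANY.RUN's report format or the pycti API.

```python
from dataclasses import dataclass, field

# Constructed threshold (assumption): reports at or above it are promoted
# from observation to indicator; anything below stays an observation.
MALICIOUS_SCORE = 50

# Constructed sandbox report for a file observable, embedded so the example
# runs offline. This layout is an assumption, not ANY.RUN's report format.
SAMPLE_REPORT = {
    "target": {"type": "file", "sha256": "ab" * 32},
    "verdict": {"score": 100, "threat_level": "malicious"},
    "malware_family": "ExampleStealer",
    "mitre_ttps": ["T1055", "T1071.001"],
    "network": {"domains": ["c2.example.test"], "ips": ["203.0.113.10"]},
}

@dataclass
class Indicator:
    """Minimal stand-in for an OpenCTI indicator: pattern, labels, score."""
    pattern: str
    labels: list = field(default_factory=list)
    score: int = 0

def stix_pattern(kind, value):
    """Express an observable as a STIX 2.1 indicator pattern."""
    templates = {
        "sha256": "[file:hashes.'SHA-256' = '{v}']",
        "domain": "[domain-name:value = '{v}']",
        "ipv4": "[ipv4-addr:value = '{v}']",
    }
    # Single quotes inside a STIX string literal are backslash-escaped.
    return templates[kind].format(v=value.replace("'", "\\'"))

def enrich(report):
    """Turn a sandbox report into indicators; a benign verdict yields none."""
    score = report["verdict"]["score"]
    if score < MALICIOUS_SCORE:
        return []
    # Family name and observed TTPs become labels on every indicator.
    labels = [report["malware_family"].lower()] + list(report["mitre_ttps"])
    found = [Indicator(stix_pattern("sha256", report["target"]["sha256"]), labels, score)]
    # Network IOCs extracted from the run are promoted alongside the file.
    found += [Indicator(stix_pattern("domain", d), labels, score) for d in report["network"]["domains"]]
    found += [Indicator(stix_pattern("ipv4", ip), labels, score) for ip in report["network"]["ips"]]
    return found

if __name__ == "__main__":
    for ind in enrich(SAMPLE_REPORT):
        print(ind.score, ind.pattern, ind.labels)
```

In a real connector the resulting indicators would be written back to OpenCTI and could then be forwarded to a SIEM or SOAR as the article describes.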
ANY.RUN is a cloud-based malware lab that offers real-time detection, interactive malware analysis, and value for money. Professionals can access the platform daily to investigate events and speed up threat research on cloud VMs. The platform’s ease of use and cost-effective nature make it ideal for businesses looking to enhance their security operations with advanced threat analysis capabilities.