Cyber Threat Intelligence Platform That is Open-Source
Hey Bay Area friends! Are you in the cybersecurity or healthcare field and need a better way to manage, analyze, and counter cyber threats? We recently started working with OpenCTI and ANY.RUN and we’re thrilled with the results.
For those of you unfamiliar with OpenCTI, it’s basically your hub for threat data collection. It gathers juicy information from numerous sources and stores it for you to observe and understand: file hashes, IP addresses, and more. And then we have ANY.RUN, a virtual sandbox for malware analysis that you can access from anywhere. It takes care of suspicious file investigations for security teams, leveraging YARA and Suricata rules to detect potential threats in under 40 seconds. Not too shabby, right?
The OpenCTI interface is a powerful way for teams to dig into analyzing sophisticated threats rather than relying solely on automated malware analysis. It’s a cloud-based system, which makes setup and upkeep lighter work for security teams.
The incredible part of our integration with ANY.RUN is that it provides two significant functions. First, it automatically imports data into OpenCTI daily, keeping the system regularly updated. Second, it allows the data to be enriched from the sandbox environment where malware is executed and examined. This gives us valuable information like malware labels, malicious scores, and even tactics, techniques, and procedures used by the malware.
By combining and analyzing data from various sources, our teams can provide quicker and more comprehensive threat analyses. With this system, our robust community of 400,000 independent cybersecurity pros can interact in real time, learn from each other, set up virtual experiments in Linux & Windows, and do it all safely.
But let’s get into the nitty-gritty: how does the ANY.RUN integration work? It’s pretty ingenious, really. An OpenCTI observable, through the integration with ANY.RUN, can become a fully detailed indicator. This involves submitting the observable to ANY.RUN’s virtual machine and analyzing its behavior.
During this analysis, indicators of compromise from network traffic, memory dumps, and other activities are extracted and fed back into OpenCTI, enriching it with valuable threat data. But it gets better. This fully enriched indicator can then be forwarded to the security system, which raises an alert, and we get moving on an investigation.
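To make the observable-to-indicator flow concrete, here is an added Python example. It is not OpenCTI’s connector code or ANY.RUN’s API: the report layout, field names, hashes, addresses, and malware family label are all constructed for this illustration. It parses a sandbox report, keeps only well-formed IoCs that are not sandbox-internal noise, turns each into a STIX 2.1-style indicator carrying the sandbox score and verdict, and gates the hand-off to the security stack on a confidence threshold.

```python
import ipaddress
import json
import re
from dataclasses import dataclass

# Constructed sandbox report standing in for a finished sandbox run.
# Field names are assumptions for this example, not ANY.RUN's real schema.
SAMPLE_REPORT = json.dumps({
    "submitted_sha256": "0123456789abcdef" * 4,          # constructed placeholder hash
    "verdict": "malicious",
    "score": 90,
    "malware_family": "ExampleLoader",                   # constructed label
    "mitre_techniques": ["T1059.001", "T1071.001"],
    "network": [
        {"ip": "198.51.100.23", "domain": "c2.example.net"},  # RFC 5737 address, example domain
        {"ip": "10.0.2.2", "domain": ""},                      # sandbox-internal gateway noise
    ],
    "dropped_files": [
        {"sha256": "fedcba9876543210" * 4, "path": "C:\\Users\\Public\\stage2.exe"},
        {"sha256": "not-a-hash", "path": "C:\\tmp\\junk"},     # malformed entry to be rejected
    ],
})

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# RFC 1918 ranges are treated here as sandbox-internal traffic, not indicators.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Ioc:
    kind: str   # "sha256", "ipv4-addr" or "domain-name"
    value: str


def extract_iocs(report: dict) -> list:
    """Pull syntactically valid, de-duplicated IoCs out of a parsed report."""
    found = []

    def add(kind, value):
        ioc = Ioc(kind, value)
        if ioc not in found:
            found.append(ioc)

    hashes = [report.get("submitted_sha256", "")]
    hashes += [f.get("sha256", "") for f in report.get("dropped_files", [])]
    for h in hashes:
        h = h.lower()
        if SHA256_RE.match(h):
            add("sha256", h)
    for conn in report.get("network", []):
        ip = conn.get("ip", "")
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            addr = None
        if addr and addr.version == 4 and not addr.is_loopback \
                and not any(addr in n for n in INTERNAL_NETS):
            add("ipv4-addr", ip)
        dom = conn.get("domain", "").lower().rstrip(".")
        if DOMAIN_RE.match(dom):
            add("domain-name", dom)
    return found


def stix_pattern(ioc: Ioc) -> str:
    """Render an IoC as a STIX 2.1 pattern string."""
    if ioc.kind == "sha256":
        return f"[file:hashes.'SHA-256' = '{ioc.value}']"
    return f"[{ioc.kind}:value = '{ioc.value}']"


def enrich(report_text: str) -> dict:
    """Turn a raw report into STIX 2.1-style indicator objects plus context."""
    report = json.loads(report_text)
    score = int(report.get("score", 0))
    family = report.get("malware_family") or "unknown"
    label = "malicious-activity" if report.get("verdict") == "malicious" else "anomalous-activity"
    indicators = [{
        "type": "indicator",
        "spec_version": "2.1",
        "pattern_type": "stix",
        "pattern": stix_pattern(ioc),
        "labels": [label],
        "confidence": score,
        "description": f"Sandbox-derived indicator; family={family}",
    } for ioc in extract_iocs(report)]
    return {"indicators": indicators, "score": score, "family": family,
            "ttps": list(report.get("mitre_techniques", []))}


def should_alert(enrichment: dict, threshold: int = 70) -> bool:
    """Forward to the security stack only for confident malicious verdicts."""
    return enrichment["score"] >= threshold and any(
        "malicious-activity" in i["labels"] for i in enrichment["indicators"])


if __name__ == "__main__":
    result = enrich(SAMPLE_REPORT)
    for ind in result["indicators"]:
        print(ind["pattern"])
    print("alert:", should_alert(result))
```

Two design choices matter in practice: malformed or sandbox-internal values are dropped before they become indicators, so a bad report cannot pollute the platform, and the alert hand-off is gated on both the verdict label and the numeric score, so a low-confidence run enriches the record without paging anyone.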
ANY.RUN is special because it allows you to interact with the virtual machine from your browser. This feature helps catch advanced malware and zero-day attacks that can sometimes slip through the cracks of signature-based protection. It’s a cost-effective solution, too, since it doesn’t require additional setup or support work.
And lastly, ANY.RUN is a super easy platform to learn, even for newbies to the cybersecurity world. If you’re a cybersecurity enthusiast like us who wants to investigate malware, we highly recommend checking out ANY.RUN. Trust us – it’s a game-changer!
by Morgan Phisher | HEAL Security