5 Techniques for Collecting Cyber Threat Intelligence - The Hacker News
Source: The Hacker News. Archived May 17, 2026.
The Hacker News, Oct 16, 2024. Threat Intelligence / Malware Analysis

To defend your organization against cyber threats, you need a clear picture of the current threat landscape. This means constantly expanding your knowledge about new and ongoing threats. There are many techniques analysts can use to collect crucial cyber threat intelligence. Let's consider five that can greatly improve your threat investigations.

Pivoting on C2 IP addresses to pinpoint malware

IP addresses used by malware to communicate with its command and control (C2) servers are valuable indicators. They can help not only update your defenses, but also identify related infrastructure and tools belonging to threat actors.

This is done using the pivoting method, which lets analysts find additional context on the threat at hand starting from an existing indicator. To perform pivoting, analysts use various sources, including threat intelligence databases that store large volumes of fresh threat data and offer search capabilities.

One useful tool is Threat Intelligence Lookup from ANY.RUN. This service allows you to search its database using over 40 different query parameters, such as:
- Network indicators (IP addresses, domain names)
- Registry and file system paths
- Specific threat names, file names, and hashes

ANY.RUN provides data associated with the indicators or artifacts in your query, along with sandbox sessions where the data was found. This helps analysts tie a certain indicator, or a combination of indicators, to a specific attack, discover its context, and collect essential threat intelligence.

To demonstrate how it works, let's use the following IP address as part of our query: 162[.]254[.]34[.]31. In your case, the initial indicator may come from an alert generated by a SIEM system, a threat intelligence feed, or research.

[Figure: The overview tab shows the key results of our search]

Submitting the IP address to TI Lookup instantly shows that this IP has been linked to malicious activity. It also tells us that the specific threat using this IP is AgentTesla. The service displays domains related to the indicator, as well as ports used by the malware when connecting to this address.

[Figure: Suricata IDS rule linked to the queried IP indicates data exfiltration via SMTP]

Other information available to us includes files, synchronization objects (mutexes), ASN, and triggered Suricata rules that were discovered in sandbox sessions involving the IP address in question.

[Figure: Sandbox session listed as one of the results in TI Lookup]

We can also navigate to one of the sandbox sessions where the IP was spotted to see the entire attack and collect even more relevant information, as well as rerun the analysis of the sample to study it in real time.

Test TI Lookup to see how it can improve your threat investigations. Request a 14-day free trial.

Using URLs to expose threat actors' infrastructure

Examining domains and subdomains can provide valuable information on URLs used for hosting malware. Another common use case is identifying websites used in phishing attacks. Phishing websites often mimic legitimate sites to trick users into entering sensitive information. By analyzing these domains, analysts can uncover patterns and discover broader infrastructure employed by attackers.

[Figure: URLs matching our search query for Lumma's payload hosting infrastructure]

For instance, the Lumma malware is known to use URLs that end in ".shop" to store malicious payloads. By submitting this indicator to TI Lookup along with the threat's name, we can zoom in on the latest domains and URLs used in the malware's attacks.

Identifying threats by specific MITRE TTPs

The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs). Using specific TTPs as part of your investigations can help you identify emerging threats. Proactively building your knowledge about current threats contributes to your preparedness against potential attacks in the future.

[Figure: Most popular TTPs over the past 60 days displayed by ANY.RUN's Threat Intelligence Portal]

ANY.RUN provides a live ranking of the most popular TTPs detected across thousands of malware and phishing samples analyzed in the ANY.RUN sandbox.

[Figure: Sandbox sessions matching a query featuring a MITRE TTP along with a detection rule]

We can pick any of the TTPs and submit it for search in TI Lookup to find sandbox sessions where instances of it were found. As shown above, combining T1552.001 (Credentials in Files) with the rule "Steals credentials from Web Browsers" allows us to identify analyses of threats engaging in these activities.

Collecting samples with YARA rules

YARA is a tool used to create descriptions of malware families based on textual or binary patterns. A YARA rule might look for specific strings or byte sequences that are characteristic of a particular malware family. This technique is highly effective for automating the detection of known malware and for quickly identifying new variants that share similar characteristics.

Services like TI Lookup provide a built-in YARA Search that lets you upload, edit, store, and use your custom rules to find relevant samples.

[Figure: Search using a XenoRAT YARA rule revealed over 170 matching files]

We can use a YARA rule for XenoRAT, a popular malware family used for remote control and data theft, to discover the latest samples of this threat. Apart from files that match the contents of the rule, the service also provides sandbox sessions to explore these files in a wider context.

Discovering malware with command line artifacts and process names

Identifying malware through command line artifacts and process names is an effective but uncommon technique, as most sources of threat intelligence do not provide such capabilities. ANY.RUN's threat intelligence database stands out by sourcing data from live sandbox sessions, offering access to real command line data, processes, registry modifications, and other components and events recorded during the execution of malware in the sandbox.

[Figure: TI Lookup results for the command line and process search related to Strela stealer]

As an example, we can use a command line string utilized by Strela stealer together with the net.exe process to access a folder on its remote server named "davwwwroot". TI Lookup provides numerous samples, files, and events found in sandbox sessions that match our query. We can use this information to extract more insights into the threat we're facing.

Integrate Threat Intelligence Lookup from ANY.RUN

To speed up and improve the quality of your threat research efforts, you can use TI Lookup. Try TI Lookup and see how it can contribute to your threat investigations with a 14-day trial.

ANY.RUN's threat intelligence is sourced from samples uploaded to the sandbox for analysis by over 500,000 researchers across the world. You can search this massive database using more than 40 search parameters.

To learn more about how to improve your threat investigations with TI Lookup, tune in to ANY.RUN's live webinar on October 23, 02:00 PM GMT (UTC +0).

This article is a contributed piece from one of our valued partners.
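As an added example that is not part of the article or of ANY.RUN's tooling, the Python below normalizes defanged indicators like the IP and ".shop" URL used above, sorts each into the pivot field it belongs in, builds a combined query, and flags the net.exe "davwwwroot" command-line artifact from the Strela section in a constructed set of sandbox-style process events. The field names and query syntax are hypothetical, not TI Lookup's real parameters.

```python
import re

# Hypothetical pivot query builder and command-line artifact check (example code,
# not ANY.RUN's API). Field names such as ip/url/sha256/threatName are illustrative.

DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)

def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 162[.]254[.]34[.]31, hxxp://) back into real form."""
    s = DEFANG_DOT.sub(".", indicator.strip())
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[@]", "@")

def classify(indicator: str) -> str:
    """Map an indicator to the kind of pivot field it belongs in."""
    v = refang(indicator)
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v) and all(int(o) < 256 for o in v.split(".")):
        return "ip"
    if re.fullmatch(r"[0-9a-f]{64}", v, re.IGNORECASE):
        return "sha256"
    if re.fullmatch(r"[0-9a-f]{32}", v, re.IGNORECASE):
        return "md5"
    if re.match(r"https?://", v, re.IGNORECASE):
        return "url"
    if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", v, re.IGNORECASE):
        return "domain"
    return "unknown"

def build_query(indicators, threat_name=None) -> str:
    """Combine indicators (optionally with a threat name) into one pivot query string."""
    parts = [f'{classify(i)}:"{refang(i)}"' for i in indicators]
    if threat_name:
        parts.append(f'threatName:"{threat_name}"')
    return " AND ".join(parts)

# Constructed sandbox-style process events (not real ANY.RUN data; 203.0.113.10 is a
# documentation address).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\203.0.113.10@80\davwwwroot\ /persistent:no"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": r"net view \\fileserver"},
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

def flag_webdav_net_use(events) -> list:
    """Return command lines where net.exe mounts a remote 'davwwwroot' WebDAV path."""
    return [e["cmdline"] for e in events
            if e["image"].lower().endswith(r"\net.exe")
            and "davwwwroot" in e["cmdline"].lower()]
```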