In this blog, we will be looking at a few popular use cases of Anomali Match™, one of the core components of the Anomali Threat Platform. Anomali Match is a powerful tool that addresses an industry-wide dilemma on how to leverage threat intelligence effectively. A key issue with most tools is that they do not understand TTPs, campaigns, threat bulletins, and other components of the threat model, and thus cannot provide context around indicator of compromise (IOC) matches. Anomali Match solves this major problem by identifying relationships across the entire threat model around IOC sightings within your environment.
Anomali Match can provide strategic value on intelligence via threat model relationships. This moves the needle away from the commonly seen “atomic indicator” style of IOC data and starts giving you far richer information on which to base your investigations and incident response activities.
Within the threat model, you will, among other things, be able to see context such as related threat bulletins, incidents, actor profiles, campaigns, TTPs, and vulnerabilities.
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a living, growing knowledge base of adversary tactics and techniques based on real-world observations. Anomali has integrated this framework into Anomali Match, allowing matches to be linked to strategic intelligence such as threat bulletins, actor profiles, TTPs, and campaigns that are mapped to the ATT&CK framework. As an example, this capability can allow indicators to be associated with threat actors so that their TTPs can be understood.
The ATT&CK matrix is visually integrated into Anomali Match, highlighting TTPs that are being leveraged in a sighting, and immediately provides additional context around the observable in question.
Anomali Match introduces the ability to calculate an overall risk score for assets within your environment. By allowing the ingestion of reports from vulnerability assessment (VA) tools such as Qualys, having the ability to assign different criticalities to each asset or asset class, and factoring in intelligence matches, Anomali Match becomes a central decision point for understanding effort prioritization.
Each score is computed from an aggregate of VA information, asset criticality, and intelligence sightings, giving the operator a concise view of impacted hosts.
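The paragraph above names the three inputs to the score (VA findings, asset criticality, intelligence sightings) but not how they are combined. The example below is added here to make that aggregation concrete; it is not Anomali's code, and the weights, severity scale and criticality multipliers are hypothetical choices, as are the hostnames, CVE identifiers and indicator values in the constructed inventory.

```python
from dataclasses import dataclass, field
from typing import List

# Hypothetical weights and scales; the page does not publish Anomali's formula.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 0.75, "high": 1.0, "critical": 1.25}
SIGHTING_SEVERITY = {"low": 25, "medium": 50, "high": 75, "very-high": 100}
INTEL_WEIGHT = 0.6   # share of the base score contributed by intelligence sightings
VA_WEIGHT = 0.4      # share contributed by vulnerability-assessment findings


@dataclass
class Vulnerability:
    cve: str          # placeholder identifier, not a real CVE
    cvss: float       # CVSS base score, 0.0-10.0


@dataclass
class Sighting:
    indicator: str    # matched IOC value
    severity: str     # key into SIGHTING_SEVERITY
    confidence: int   # feed confidence, 0-100


@dataclass
class Asset:
    hostname: str
    criticality: str  # key into CRITICALITY_WEIGHT
    vulns: List[Vulnerability] = field(default_factory=list)
    sightings: List[Sighting] = field(default_factory=list)


def va_component(vulns: List[Vulnerability]) -> float:
    """Worst vulnerability on the host, scaled from CVSS (0-10) to 0-100."""
    if not vulns:
        return 0.0
    return max(v.cvss for v in vulns) * 10


def intel_component(sightings: List[Sighting]) -> float:
    """Worst sighting on the host, with severity discounted by feed confidence."""
    if not sightings:
        return 0.0
    return max(SIGHTING_SEVERITY[s.severity] * s.confidence / 100 for s in sightings)


def risk_score(asset: Asset) -> float:
    """Aggregate VA findings, sightings and criticality into one 0-100 score."""
    base = INTEL_WEIGHT * intel_component(asset.sightings) + VA_WEIGHT * va_component(asset.vulns)
    scaled = base * CRITICALITY_WEIGHT[asset.criticality]
    return round(min(scaled, 100.0), 1)


def prioritize(assets: List[Asset]) -> List[str]:
    """Hostnames ordered from most to least urgent."""
    return [a.hostname for a in sorted(assets, key=risk_score, reverse=True)]


# Constructed sample inventory (hostnames, CVE ids and IOCs are placeholders).
SAMPLE_ASSETS = [
    Asset("dc01", "critical",
          vulns=[Vulnerability("CVE-0000-0001", 9.8)],
          sightings=[Sighting("198.51.100.23", "very-high", 80)]),
    Asset("kiosk07", "low",
          sightings=[Sighting("203.0.113.7", "medium", 50)]),
    Asset("web02", "high",
          vulns=[Vulnerability("CVE-0000-0002", 7.5)]),
]

if __name__ == "__main__":
    for host in prioritize(SAMPLE_ASSETS):
        asset = next(a for a in SAMPLE_ASSETS if a.hostname == host)
        print(f"{host:10s} {risk_score(asset):5.1f}")
```

Two design points worth noting: the intelligence component is discounted by feed confidence so a low-confidence match on a critical host does not outrank a confirmed one elsewhere, and the criticality multiplier is applied last so the same finding on a domain controller and on a kiosk lands in different places on the list.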
A common approach to leveraging threat intelligence inside organizations is to ingest it into the SIEM for correlating matches. While this can be acceptable in a few scenarios, it does have certain limitations:
Anomali Match is a purpose-built tool that solves these common issues. It backfills data from the SIEM and keeps only the metadata that can be matched against threat intelligence, which means that:
According to a recent Ponemon study, the average time-to-detection for data breaches sits at 191 days. Therefore, it is critical for organizations to not only be able to detect threats, but also have the ability to evaluate historical exposure when threats are discovered.
Anomali Match allows for automated retrospective lookups on new intelligence matches in your environment at speeds and scales other tools can’t come close to.
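The two ideas above, retaining only matchable metadata from raw logs and then searching that metadata when a new indicator arrives, are illustrated by the added example below. It is not Anomali Match code; it is a minimal Python sketch of the pattern, with a constructed set of log lines and indicators (documentation-range addresses and example domains) and a hypothetical log format.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class Sighting(NamedTuple):
    seen_at: datetime
    host: str       # log source that observed the value
    ioc_type: str   # "ipv4" or "domain"
    value: str


# Only fields that can be matched against intelligence are extracted;
# the raw log line itself is not retained.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def extract_metadata(line: str) -> List[Sighting]:
    """Reduce one raw log line (hypothetical '<iso-time> <source> <message>' format) to IOC metadata."""
    timestamp, host, rest = line.split(" ", 2)
    seen_at = datetime.fromisoformat(timestamp)
    found = [Sighting(seen_at, host, "ipv4", ip) for ip in IPV4.findall(rest)]
    found += [Sighting(seen_at, host, "domain", d.lower()) for d in URL_HOST.findall(rest)]
    return found


def build_store(lines: List[str]) -> Dict[Tuple[str, str], List[Sighting]]:
    """Index retained metadata by (type, value) so a lookup is a dictionary hit, not a log scan."""
    store: Dict[Tuple[str, str], List[Sighting]] = {}
    for line in lines:
        for s in extract_metadata(line):
            store.setdefault((s.ioc_type, s.value), []).append(s)
    return store


def retrospective_lookup(store: Dict[Tuple[str, str], List[Sighting]],
                         new_iocs: List[Tuple[str, str]],
                         as_of: datetime,
                         lookback_days: int = 365) -> List[Sighting]:
    """Return historical sightings of newly published IOCs inside the lookback window, oldest first."""
    cutoff = as_of - timedelta(days=lookback_days)
    hits: List[Sighting] = []
    for ioc_type, value in new_iocs:
        hits.extend(s for s in store.get((ioc_type, value.lower()), []) if s.seen_at >= cutoff)
    return sorted(hits)


# Constructed sample logs and IOCs (not real observations).
SAMPLE_LOGS = [
    "2023-03-01T10:15:00 fw01 allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2023-03-02T08:02:11 proxy01 GET http://updates.example.net/a.bin from 10.0.0.9",
    "2023-05-20T13:40:45 fw01 allow src=10.0.0.5 dst=198.51.100.23 dport=80",
    "2023-06-14T22:01:09 proxy01 GET http://cdn.example.org/x.js from 10.0.0.9",
]
NEW_IOCS = [("ipv4", "203.0.113.7"), ("domain", "updates.example.net")]
AS_OF = datetime(2023, 7, 1)   # constructed "now" for the lookback window
STORE = build_store(SAMPLE_LOGS)

if __name__ == "__main__":
    for s in retrospective_lookup(STORE, NEW_IOCS, AS_OF):
        print(f"{s.seen_at.isoformat()} {s.host} {s.ioc_type}={s.value}")
```

The lookback window is the detail that matters operationally: with the 191-day figure cited above in mind, a retrospective check that only reaches back 30 days would miss both sightings in the sample, while a one-year window surfaces them.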
Organizations typically employ a variety of different tools in their security stack. For example, an organization could be using EDR, IDS, SIEM, and firewall technologies. Each of these tools can generate a considerable amount of log data.
Anomali Match can ingest data from tools like those mentioned above, as well as from other common sources such as TAP, SPAN, syslog, and Beats. This capability allows Anomali Match to report sightings across the multiple tools usually present in a modern security stack.
Julio is a Sales Engineer at Anomali with over 20 years of information technology experience. He is responsible for helping Anomali customers understand, evaluate, and implement the Anomali Threat Platform. Prior to joining Anomali, he worked at WatchGuard focusing on perimeter and endpoint security.