Answer the question, “Have we been impacted?”
When a new threat is discovered in the wild, security teams and executives need to know as soon as possible if the attackers have already penetrated their network.
When Lens does a scan, it automatically checks Anomali Match to determine if any of the discovered threat intelligence has been seen on your network.
- See the number of matches found in your environment for any scanned threat indicator or TTP
- Understand the threat type and severity at a glance
- Open Match at the click of a button for further investigation, pivoting, and research
Operationalize the MITRE ATT&CK framework
While a critical ‘best practice’, threat analysis using the MITRE ATT&CK framework can be an extremely manual and time-intensive process.
Lens operationalizes the MITRE ATT&CK framework for you, automatically identifying the MITRE ATT&CK techniques found in scanned pages and importing the data into your Anomali ThreatStream instance at the click of a button.
- Automatically identify techniques in web pages, blogs, and reports or quickly import unstructured lists
- Automatically associate scanned techniques with MITRE ATT&CK IDs
- Import MITRE ATT&CK TTPs into a ThreatStream investigation with the click of a button
- Pivot, investigate, and visualize the imported threat intelligence in MITRE ATT&CK heatmaps in ThreatStream
Routinely Build Protection from Unstructured Sources
A regular research routine of pulling new threat information from reports, lists, and web pages can be fruitful, but extremely time-consuming.
Use Lens in your weekly routine to identify and ingest email addresses, URLs, and hashes from lists provided by a specific source and from specific web pages. Lens customers report that this work previously took on average 2.5 FTE; with Lens it now takes half the time of a single analyst, freeing resources to focus elsewhere. Typical steps include:
- The analyst logs into the source portal and looks at a posted list of known phishing email addresses, malicious URLs, hashes, etc.
- The analyst scans those lists with Lens and automatically imports them via investigations into ThreatStream.
- The imported items are tagged; your SOAR then automatically checks whether they match anything in your SIEM and opens tickets for the Incident Response team to investigate where they do.
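The steps above, and the "Have we been impacted?" check at the top of the page, can be illustrated with a small standalone script. This is an added example, not Lens or Anomali code: it pulls indicators (email addresses, URLs, file hashes) and MITRE ATT&CK technique IDs out of a constructed report paragraph with regular expressions, refangs the `[.]`/`hxxp` notation that public write-ups use, and then checks the indicators against a handful of constructed log lines the way a SIEM or Match lookup would. The report text, the log lines, and all hashes and domains in it are made up for this example.

```python
"""Illustrative IOC extraction and local-log matching (added example, not Anomali code).

Mimics the analyst workflow described on the page: extract indicators and
ATT&CK technique IDs from unstructured report text, then answer
"have we been impacted?" by checking them against local logs.
All sample data below is constructed for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Public reports "defang" indicators so they are not clickable; undo that first.
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[@\]|\(@\)"), "@"),
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"hxxp", re.I), "http"),
]

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL = re.compile(r"""https?://[^\s<>"']+""")
# SHA-256, SHA-1 and MD5 by length; longest alternative first.
HASH = re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b")
# ATT&CK technique IDs, with optional sub-technique suffix (e.g. T1566.001).
TECH = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


@dataclass
class Indicators:
    emails: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    techniques: set = field(default_factory=set)


def refang(text: str) -> str:
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def extract(text: str) -> Indicators:
    """Extract indicators and ATT&CK IDs from unstructured text."""
    text = refang(text)
    ind = Indicators()
    ind.emails.update(m.lower() for m in EMAIL.findall(text))
    # Strip sentence punctuation that the URL pattern swallows.
    ind.urls.update(m.rstrip(".,;)]") for m in URL.findall(text))
    ind.hashes.update(m.lower() for m in HASH.findall(text))
    ind.techniques.update(TECH.findall(text))
    return ind


def match_logs(ind: Indicators, log_lines: list) -> dict:
    """Return {indicator: [1-based line numbers]} for indicators seen in the logs.

    URL hostnames are matched separately because proxy logs usually record
    the host, not the full URL.
    """
    needles = set(ind.emails) | set(ind.hashes) | set(ind.urls)
    for url in ind.urls:
        host = urlsplit(url).hostname
        if host:
            needles.add(host)
    hits = {}
    for lineno, line in enumerate(log_lines, 1):
        low = line.lower()
        for needle in needles:
            if needle.lower() in low:
                hits.setdefault(needle, []).append(lineno)
    return hits


def impacted(hits: dict) -> bool:
    """Any indicator observed locally means the answer is 'yes'."""
    return bool(hits)


# Constructed sample of a public threat write-up (not real intelligence).
REPORT = """The lure arrived from billing[@]invoice-center[.]example (T1566.001) and
linked to hxxps://update[.]evil-cdn[.]example/payload.bin. Victims ran the
attachment (T1204.002); its SHA-256 is
3f786850e387550fdab836ed7e6dc881de23001b4f3a8f0e7e8a2a9c4d9b1c2e.
The same actor reused MD5 0123456789abcdef0123456789abcdef in earlier waves.
"""

# Constructed log lines standing in for proxy, mail-gateway and EDR events.
LOGS = [
    "2024-05-02T09:14:03Z proxy allow src=10.1.4.22 host=update.evil-cdn.example uri=/payload.bin",
    "2024-05-02T09:15:40Z mail accept from=billing@invoice-center.example to=cfo@corp.example",
    "2024-05-02T09:16:12Z edr file_create sha256=3f786850e387550fdab836ed7e6dc881de23001b4f3a8f0e7e8a2a9c4d9b1c2e",
    "2024-05-02T09:20:00Z proxy allow src=10.1.4.23 host=www.example.com uri=/",
]

if __name__ == "__main__":
    indicators = extract(REPORT)
    print("techniques:", sorted(indicators.techniques))
    matches = match_logs(indicators, LOGS)
    for indicator, lines in sorted(matches.items()):
        print(f"HIT {indicator} -> log lines {lines}")
    print("impacted:", impacted(matches))
```

Two caveats a practitioner would apply before automating this: regex extraction over a whole page also picks up benign hosts and addresses that appear in the report (the publisher's own domain, contact addresses), so review the extracted set before tagging and ingesting it; and substring matching on hostnames is coarse, so a real pipeline would compare normalized fields from parsed log events rather than raw lines.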
Create a Threat Bulletin for Threat Management & Executive Briefings
Researching a new threat and producing a threat bulletin and executive reports is a common requirement, but one that is manual and time-consuming.
Starting from news reports or other sources of information about a threat or incident, you research the web, open the relevant pages, use Lens to scan them and understand what is being reported, and start building protection around it. You can then leverage Anomali's Finished Intelligence to build a Threat Bulletin for managing the threat, and take a subset of that information into a PowerPoint presentation for executives.
Go with Anomali and improve your security posture
Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.