Retrospective search – “Have we been impacted?”
When a new threat is discovered in the wild, searching back through historic logs to find out if you were compromised can be a long and expensive process.
Match tells you in seconds if a threat indicator was present in your historic event data months or years in the past.
- Search historical event logs going back five years or more
- Search for threat indicators, TTPs, actors, vulnerabilities, or threat bulletins
- Return all threat matches in seconds
- Deliver these matches to your SIEM, ticketing, or SOAR system
Hunt for threats by actor, threat bulletin, or vulnerability
Sophisticated attackers have learned to rotate atomic IOCs such as IP addresses, domains, and file hashes to avoid detection, but changing their tactics, techniques, and procedures (TTPs) is far harder and far more costly for them.
Match enables your security teams to identify threats in your environment based on TTPs, actors, campaigns, threat bulletins, and vulnerabilities. Once a threat actor is identified in your network, you can analyze the TTPs using the MITRE ATT&CK framework and heatmaps.
- Search for intrusions in your environment by threat actor, TTPs, threat bulletins, campaign, or vulnerability
- Analyze the tactics, techniques, and procedures (TTPs) for a selected actor in the MITRE ATT&CK framework heatmap
- View matched event details, including dwell time, severity, and event source/destination
Prioritized response based on asset value, vulnerability, and threat severity
Once you’ve identified malicious behavior in your network, it can be a challenge to decide which threats are the most important to deal with first.
Anomali Match integrates asset and vulnerability scan data into your threat detection results, allowing your analysts to prioritize remediation based on risk.
- Identify the top assets that show malicious activity at a glance
- Prioritize response based on risk score and asset criticality
- Track malicious activity back to the original point of intrusion and review a timeline of compromise
Identify bots in your network connecting to C&C servers
Many botnets hide the location of their command and control (C&C) servers behind Domain Generation Algorithms (DGAs): each infected host computes a fresh list of candidate domains on a schedule, so blocking or sinkholing any single domain does not sever the channel, and static domain blocklists cannot keep up.
Match uses a machine learning model to identify domains that are likely DGA-generated and flags them in your event logs.
- Identify events in which DGA domains have been found
- Identify which malware family likely generated the DGA domains
- Identify which assets are communicating using the DGA domain
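Anomali does not publish the model behind the DGA detector, so the following is an added example, not Anomali's code: a lightweight lexical heuristic (character entropy, vowel and digit ratios, consonant runs, label length) stands in for the machine learning model, and it is then run over a constructed set of DNS events to report which internal hosts resolved a flagged domain. The hostnames, the RFC 1918 source addresses, and the scoring thresholds are all assumptions chosen for the illustration; malware-family attribution is not attempted.

```python
import math
from collections import Counter

VOWELS = set("aeiou")
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")


def shannon_entropy(s):
    """Bits of entropy per character in s (higher = more random-looking)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(domain):
    """Second-level label ('kjhq3v2zx' for 'kjhq3v2zx.example').
    Simplification (assumption): a production implementation would consult
    the public-suffix list to handle names like example.co.uk correctly."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain):
    """Lexical features of the registered label that DGA output tends to skew."""
    label = registered_label(domain)
    n = len(label)
    run = best = 0
    for ch in label:  # longest run of consonant letters; digits/hyphens break it
        run = run + 1 if ch in CONSONANTS else 0
        best = max(best, run)
    return {
        "label": label,
        "length": n,
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "max_consonant_run": best,
    }


def dga_score(domain):
    """Count how many DGA-like traits the label shows (0..5). Thresholds are
    illustrative assumptions, not tuned against a real malware corpus."""
    f = dga_features(domain)
    checks = [
        f["entropy"] >= 3.0,           # many distinct characters for its length
        f["vowel_ratio"] < 0.2,        # unpronounceable
        f["digit_ratio"] >= 0.2,       # digits mixed into the label
        f["max_consonant_run"] >= 4,   # clusters no natural word has
        f["length"] >= 12,             # long labels without dictionary words
    ]
    return sum(checks)


def is_likely_dga(domain, threshold=3):
    return dga_score(domain) >= threshold


# Constructed DNS-style events (timestamp, source host, queried domain); not real data.
SAMPLE_DNS = [
    ("2019-03-02T09:13:01Z", "10.1.4.22", "kjhq3v2zx.example"),
    ("2019-03-02T09:14:30Z", "10.1.4.22", "google.com"),
    ("2019-03-15T17:40:08Z", "10.1.7.5", "kjhq3v2zx.example"),
    ("2019-04-09T08:00:12Z", "10.1.9.13", "xq7zk9v2hwp3.net"),
    ("2019-04-09T08:00:40Z", "10.1.9.13", "microsoftonline.com"),
    ("2019-06-21T03:02:19Z", "10.1.9.13", "intranet.example"),
    ("2019-07-01T11:11:11Z", "10.1.7.5", "mail.example"),
]


def hosts_talking_to_dga(events):
    """Map each flagged domain to the sorted list of internal hosts that resolved it."""
    out = {}
    for _ts, src, domain in events:
        if is_likely_dga(domain):
            out.setdefault(domain, set()).add(src)
    return {d: sorted(hosts) for d, hosts in out.items()}


if __name__ == "__main__":
    for domain, hosts in hosts_talking_to_dga(SAMPLE_DNS).items():
        print(f"{domain}: score={dga_score(domain)} hosts={hosts}")
```

Note the deliberate inclusion of microsoftonline.com: it is long and has high character entropy, so a single-feature detector would flag it, while the combined score keeps it below the threshold. That is the kind of benign-but-odd name a practitioner should test against before trusting any DGA detector, learned or heuristic.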
Find “Patient Zero”
After a malware infection occurs, many organizations begin a game of "whack-a-mole": they know they have an infection, they take steps to remove it, but it keeps popping up again.
Match automates the process of finding Patient Zero, allowing you to identify how the infection began, who is most at risk, and how long the infection has been active.
- Track malicious activity back to the original point of intrusion
- View the event timeline for an indicator
- Determine the scope of the attack across all of your hosts and endpoints
- Deliver these matches to your SIEM, ticketing, or SOAR system for remediation
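The retrospective search described at the top of the page and the Patient Zero workflow above are the same operation viewed from two ends: match a set of indicators against historic events, then take the earliest hit as the point of intrusion, the set of source hosts as the scope, and the age of that first hit as the dwell time. The following is an added example, not Anomali's code, that performs that workflow over a constructed CSV log; the log lines, the indicator set, the RFC 1918 and RFC 5737 addresses, and the hostnames are all invented for the illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample events (not real data): a proxy/DNS-style log spanning months.
SAMPLE_LOG = """\
ts,src,dst,domain
2019-03-02T09:12:44Z,10.1.4.22,203.0.113.9,cdn-updates.example
2019-03-02T09:13:01Z,10.1.4.22,198.51.100.77,kjhq3v2zx.example
2019-03-15T17:40:08Z,10.1.7.5,198.51.100.77,kjhq3v2zx.example
2019-06-21T03:02:19Z,10.1.9.13,203.0.113.44,intranet.example
2019-07-01T11:11:11Z,10.1.7.5,192.0.2.200,mail.example
"""

# Constructed indicator set, as a (hypothetical) threat bulletin might supply it:
# one C&C IP address and one C&C domain.
INDICATORS = {"198.51.100.77", "kjhq3v2zx.example"}


def parse_events(text):
    """Parse the CSV log into dicts, converting 'ts' into a datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def match_indicators(events, indicators, fields=("dst", "domain")):
    """Return every event whose dst IP or domain is an indicator, oldest first,
    with the matched values recorded so the hit can be sent to a SIEM/SOAR."""
    hits = []
    for ev in events:
        matched = sorted(ev[f] for f in fields if ev.get(f) in indicators)
        if matched:
            hits.append({**ev, "matched": matched})
    return sorted(hits, key=lambda e: e["ts"])


def patient_zero(hits):
    """The earliest matching event: the host and time the intrusion first appears."""
    return hits[0] if hits else None


def scope(hits):
    """Every internal host that touched an indicator, i.e. the blast radius."""
    return sorted({h["src"] for h in hits})


def dwell_time_days(hits, as_of):
    """Whole days between the first indicator hit and the time the search is run."""
    first = patient_zero(hits)
    return (as_of - first["ts"]).days if first else 0


def timeline(hits):
    """Compact (timestamp, host, matched indicators) view of the compromise."""
    return [(h["ts"].isoformat(), h["src"], h["matched"]) for h in hits]


if __name__ == "__main__":
    hits = match_indicators(parse_events(SAMPLE_LOG), INDICATORS)
    now = datetime(2019, 7, 1, 12, 0)  # pretend the bulletin arrived on this day
    print("patient zero:", patient_zero(hits)["src"], patient_zero(hits)["ts"])
    print("scope:", scope(hits))
    print("dwell time (days):", dwell_time_days(hits, now))
    for entry in timeline(hits):
        print(entry)
```

Two things the toy version makes explicit that a production retrospective search has to get right as well: the match is on exact values in named fields, so indicators and events must be normalized the same way (lower-cased domains, no trailing dots, IPs not hidden inside URLs), and the dwell time is measured from the earliest hit, so the answer is only as old as the log retention behind it.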
Hypothesis-based threat hunting
Threat hunters need to find adversaries who are already in the system, but they often lack the search tools and access they need to identify malicious activity.
Match empowers threat hunters to pivot from an initial threat indicator to explore its relationships and associations with other actors, campaigns, TTPs, threat bulletins, and vulnerabilities.
- Start with a known adversary and find previously unknown adversaries associated with it
- Confirm a hunch or answer a query, such as the number of file indicators associated with a vulnerability
- Visually pivot, expand, and explore relationships and associations for any indicator
- Enrich indicators with WHOIS, VirusTotal, PassiveDNS, and Symantec Intelligence services
Go with Anomali and improve your security posture
Organizations rely on Anomali to harness the power of threat intelligence to make effective cybersecurity decisions that reduce risk and strengthen defenses.