Threat Hunting: How Group-IB's Graph Network Analysis Helps Predict Cybercriminal Activity, Even Before it Happens

SINGAPORE, Nov. 18, 2019 /PRNewswire/ -- Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, has launched a new tool for its customers, which helps to predict and attribute attacks, even before they can occur. The company has granted its clients access to the company's internal tool for graph network analysis, which is capable of identifying links between scattered data, attributing an attack to a specific hacker group in seconds, as well as predict possible threats that are relevant to a particular organization or industry.

Group-IB's patented graph network analysis technologies are integrated in almost all the company's products. The company's decision to make its internal tool available to clients aims to help SOC and CERT analysts, threat intelligence experts and forensic researchers explore the tactics and infrastructure of the attackers, while also improving their own cybersecurity systems and boosting their threat hunting skills.

Group-IB's graph network analysis was designed based on indicators of compromise found during years of cybercrime investigations, incident response operations and malware analysis by Threat Intelligence and Threat Detection System. The historical data on cybercriminals, gathered in 16 years, includes billions of records from domain names, IP addresses, server digital fingerprints, which have been used in attacks, as well as tagging them to specific hackers or groups.

"It is nearly impossible to protect oneself against attacks and prevent possible damage without knowledge of their enemies," commented Dmitry Volkov, Group-IB CTO and Head of Threat Intelligence. "We had considered dozens of graph network analysis providers before deciding to develop our own instrument. We did not find a single solution that met all our requirements. None of the graphs had the entire scope of historical data: domains, Passive DNS, Passive SSL, DNS records, open ports, services running on ports, and files that have connections with domain names and IP addresses. We started gathering such data records ourselves, updating them on an ongoing basis, with some of them covering a period of 15 years. We also did not like the fact that other solutions provided options only for manual graph creation, therefore, we built our graph to be completely automated. To tackle the problem of irrelevant links that is common for other products, we have taught our system to identify irrelevant links. The main goal of Group-IB's graph is threat hunting, the most accurate attribution and the deepest analysis of adversaries."

Hunting: evolution

Group-IB graph network analysis leaves unverified indicators of compromise behind, and focuses on the attacker examination and threat management that are relevant to a particular business area. Analysts using Group-IB graph network analysis can type a suspicious domain, an IP address, email or SSL certificate fingerprint in the search bar, after which the system automatically creates a network graph based on the search element that shows linked domains, IP addresses, digital fingerprints and etc. Despite the fact that the majority of the attackers - specifically cybercriminal and APT groups - try to remain undetected online, the majority of them paid much less attention to their anonymity and operational security and resulting made mistakes at the beginning of their criminal journey.

Graphs help to identify not only linked elements but also common features - patterns that characterize one specific cybercriminal group to another. The knowledge of such unique features helps to identify the elements of the attackers' infrastructure at the attack preparation stage even without evidence confirming the attack such as phishing emails or malware.

For example, in December 2018, Cobalt hacker group, which is known for targeting banks, sent out emails disguised as the National Bank of Kazakhstan. If cybersecurity experts, for example, had not found the phishing emails and did not have an opportunity to carry out the comprehensive analysis of malicious files, they could have created a graph based on the malicious domain nationalbank[.]bz, used by the cybercriminals. The created graph would have immediately shown the links to other malicious domains and Cobalt cybercriminal group, revealing what files have already been used in earlier attacks.

When Group-IB investigates phishing attacks, the activities of fake or pirate web sources, the company's experts normally create graphs to identify linked web sources and check all the found hosts for analogous content. This enables Group-IB to find both old phishing pages, which remained active but undetected, and absolutely new phishing pages, which were created for future attacks and were not utilized so far.

Moreover, the graph network analysis is indispensable in searching for backends: 99 percent of cardshops, hacker forums, numerous phishing resources and other malicious servers are hiding both behind their own proxy servers and legitimate ones. The knowledge of the real location of a malicious server helps identify the hosting service and create links to other malicious projects of the threat actors.

Contact:
Sergei Turner
+65 3159 3798
229248@email4pr.com

View original content to download multimedia:http://www.prnewswire.com/news-releases/threat-hunting-how-group-ibs-graph-network-analysis-helps-predict-cybercriminal-activity-even-before-it-happens-300959177.html

SOURCE Group-IB