Threat Hunting: How Group-IB’s Graph Network Analysis helps predict cybercriminal activity, even before it happens

Group-IB, an international cybersecurity company that specializes in preventing cyberattacks, has launched a new tool for clients that helps to predict and attribute attacks before they occur. The company has granted its clients access to its internal tool for graph network analysis, which is capable of identifying links between scattered data, attributing an attack to a specific hacker group in seconds, and examining and predicting possible threats that are relevant to a particular organization or industry.

Group-IB’s patented graph network analysis technologies are integrated into the company’s products, namely Threat Intelligence, Managed XDR, Fraud Protection and Digital Risk Protection. The decision to make the internal tool available to clients aims to help SOC and CERT analysts, threat intelligence experts and forensic researchers explore the tactics and infrastructure of attackers, while improving their own cybersecurity systems and boosting their threat hunting skills.

Group-IB graph network analysis was designed around indicators of compromise found during years of cybercrime investigations, incident response operations and malware analysis by Threat Intelligence and the Threat Detection System. The historical data on cybercriminals, gathered over 16 years, includes billions of records of domain names, IP addresses and server digital fingerprints used in attacks, tagged to specific hackers or groups.

It is nearly impossible to protect oneself against attacks and prevent possible damage without knowledge of their enemies. We had considered dozens of graph network analysis providers before deciding to develop our own instrument. We did not find a single solution that met all our requirements. None of the graphs had the entire scope of historical data: domains, Passive DNS, Passive SSL, DNS records, open ports, services running on ports, and files that have connections with domain names and IP addresses. We started gathering such data records ourselves, updating them on an ongoing basis, with some of them covering a period of 15 years. We also did not like the fact that other solutions provided options only for manual graph creation, therefore, we built our graph to be completely automated. To tackle the problem of irrelevant links that is common for other products, we have taught our system to identify irrelevant links based on the logic of our experts who did it previously in manual mode. The main goal of our graph is threat hunting, the most accurate attribution and the deepest analysis of adversaries. This instrument is now available in our products.

Dmitry Volkov

Group-IB CTO and Head of Threat Intelligence

Hunting: evolution

Group-IB graph network analysis leaves unverified indicators of compromise behind and focuses on examining attackers and managing the threats that are relevant to a particular business area. Analysts can type a suspicious domain, IP address, email address or SSL certificate fingerprint into the search bar, after which the system automatically builds a network graph around that element showing linked domains, IP addresses, digital fingerprints, etc. Although most attackers, cybercriminal and APT groups in particular, try to remain undetected online, most of them paid far less attention to anonymity and operational security at the beginning of their criminal journey and made mistakes there.

Graphs help to identify not only linked elements but also patterns of shared features that distinguish one cybercriminal group from another. Knowing such unique features makes it possible to identify elements of the attackers’ infrastructure at the attack preparation stage, even without direct evidence of an attack such as phishing emails or malware.

For example, in December 2018 the Cobalt hacker group, known for targeting banks, sent out emails disguised as coming from the National Bank of Kazakhstan. Even if cybersecurity experts had not found the phishing emails and had no opportunity to carry out a comprehensive analysis of the malicious files, they could have built a graph from the malicious domain nationalbank[.]bz used by the criminals. The resulting graph would have immediately shown links to other malicious domains and to the Cobalt group, revealing which files had already been used in earlier attacks.
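The pivoting workflow described above (a seed indicator, automatic expansion over passive DNS and passive SSL links, pruning of irrelevant links, attribution through indicators that analysts have already tagged) is shown here as an added example written for this page; it is not Group-IB’s code. Every record, domain name, IP address, certificate fingerprint and group tag below is constructed, and the degree-based hub filter is an assumed simplification of the expert-derived relevance logic the article mentions, not a description of how Group-IB’s system works.

```python
from collections import defaultdict, deque

# Constructed passive-DNS resolutions (domain, IP). Every record here is
# invented for illustration; none is a real observation.
PDNS = [
    ("login-bank.example", "198.51.100.10"),
    ("secure-bank.example", "198.51.100.10"),
    ("secure-bank.example", "198.51.100.11"),
    ("docs-update.example", "198.51.100.11"),
    # The seed also resolved to a shared-hosting IP serving many unrelated sites.
    ("login-bank.example", "203.0.113.5"),
] + [(f"site{i}.example", "203.0.113.5") for i in range(1, 9)]

# Constructed passive-SSL observations (IP, certificate fingerprint): the same
# certificate was served from two IPs, which links them to each other.
PSSL = [
    ("198.51.100.11", "sha256:constructed-cert-1"),
    ("192.0.2.77", "sha256:constructed-cert-1"),
]

# Constructed analyst tags mapping individual indicators to a fictional group.
TAGS = {"docs-update.example": "GroupA", "192.0.2.77": "GroupA"}

# Assumption: a node linked to more than HUB_DEGREE others is shared
# infrastructure (hosting, CDN, widely reused certificate) and its links are
# irrelevant for pivoting. This stands in for expert-defined relevance rules.
HUB_DEGREE = 5


def build_graph(pdns, pssl, hub_degree=HUB_DEGREE):
    """Return (adjacency, hubs): an undirected graph over domains, IPs and
    certificate fingerprints, with hub nodes and their links removed."""
    adj = defaultdict(set)
    for a, b in list(pdns) + list(pssl):
        adj[a].add(b)
        adj[b].add(a)
    hubs = {n for n, nbrs in adj.items() if len(nbrs) > hub_degree}
    pruned = {
        n: {m for m in nbrs if m not in hubs}
        for n, nbrs in adj.items()
        if n not in hubs
    }
    return pruned, hubs


def pivot(graph, seed, max_hops=5):
    """Breadth-first expansion from a seed indicator; returns {node: hops}."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        n = queue.popleft()
        if dist[n] >= max_hops:
            continue
        for m in graph.get(n, ()):
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return dist


def attribute(reached, tags):
    """Groups whose tagged indicators appear in the pivoted set."""
    return {tags[n] for n in reached if n in tags}


if __name__ == "__main__":
    graph, hubs = build_graph(PDNS, PSSL)
    reached = pivot(graph, "login-bank.example")
    for node, hops in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"{hops}  {node}")
    print("pruned hubs:", hubs)
    print("attribution:", attribute(reached, TAGS))
```

Starting from login-bank.example, the expansion reaches the second domain through a shared IP, then a third IP and domain through the reused certificate, and the tag on those nodes yields the attribution; the shared-hosting IP is dropped as a hub, so the eight unrelated sites on it never enter the result. In practice the hop limit and the hub cutoff are the two knobs that decide how much noise a pivot pulls in.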

When Group-IB investigates phishing attacks or the activity of fake or pirate web resources, its experts normally build graphs to identify linked web resources and check every host found for similar content. This lets Group-IB find both old phishing pages that remained active but undetected and entirely new phishing pages that were created for future attacks and have not yet been used.

Moreover, graph network analysis is indispensable when searching for backends: 99 percent of card shops, hacker forums, numerous phishing resources and other malicious servers hide behind proxy servers, either their own or legitimate ones. Knowing the real location of a malicious server helps identify the hosting provider and link it to the threat actors’ other malicious projects.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions with agility.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.