Group-IB, an international cybersecurity company that specializes in preventing cyberattacks, has launched a new tool for its clients that helps to predict and attribute attacks before they occur. The company has granted clients access to its internal graph network analysis tool, which identifies links between scattered data, attributes an attack to a specific hacker group in seconds, and examines and predicts threats that are relevant to a particular organization or industry.
Group-IB's patented graph network analysis technologies are integrated into the company's products, namely Threat Intelligence, Threat Detection System, Secure Bank and Brand Protection Service. By making the internal tool available to clients, the company aims to help SOC and CERT analysts, threat intelligence experts and forensic researchers explore the tactics and infrastructure of attackers, while at the same time improving their own defences and sharpening their threat hunting skills.
Group-IB graph network analysis was built on indicators of compromise collected during years of cybercrime investigations, incident response operations and malware analysis, and on the telemetry of Threat Intelligence and Threat Detection System. The historical data on cybercriminals, gathered over 16 years, includes billions of records: domain names, IP addresses and server digital fingerprints that have been used in attacks, each tagged to the specific hackers or groups that used them.
Group-IB graph network analysis sets unverified indicators of compromise aside and focuses on examining the attackers and managing the threats that are relevant to a particular business area. An analyst types a suspicious domain, IP address, email address or SSL certificate fingerprint into the search bar, and the system automatically builds a network graph around that seed indicator, showing linked domains, IP addresses, digital fingerprints and so on. Although most attackers, cybercriminal and APT groups alike, try to remain undetected online, most of them paid far less attention to anonymity and operational security at the beginning of their criminal careers, and the mistakes made then are what these links expose.
Graphs help to identify not only linked elements but also common features: patterns that distinguish one specific cybercriminal group from another. Knowledge of such unique features makes it possible to identify elements of the attackers' infrastructure at the attack preparation stage, even without evidence confirming an attack such as phishing emails or malware samples.
For example, in December 2018 the Cobalt hacker group, which is known for targeting banks, sent out emails disguised as messages from the National Bank of Kazakhstan. Even if cybersecurity experts had not found the phishing emails and had no opportunity to carry out a comprehensive analysis of the malicious files, they could have built a graph from the malicious domain nationalbank[.]bz used by the cybercriminals. The graph would immediately have shown the links to other malicious domains and to the Cobalt group, revealing which files had already been used in earlier attacks.
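The pivot described above can be reproduced in miniature. The following Python is an added example written for this page; it is not Group-IB's code and makes no claim about how their product is implemented. It builds an undirected graph from constructed passive-DNS, certificate and registrant records (all of the IPs are RFC 5737 documentation addresses, the certificate and email values are made up, and every domain other than the page's nationalbank[.]bz is a placeholder under .example), walks outward from the seed domain, and counts the group tags on the infrastructure it reaches. The one caveat a practitioner cares about most is also shown: shared hosting IPs, CDN edges and widely reused certificates are hubs that would drag thousands of unrelated sites into the graph, so nodes above a degree threshold are recorded but never traversed.

```python
from collections import Counter, defaultdict, deque

# Constructed sample records (illustrative only, not real threat-intel data).
# Each tuple is (indicator_a, indicator_b, relation). Indicators carry a type
# prefix so that a domain node and an IP node can never collide.
RECORDS = [
    ("domain:nationalbank[.]bz", "ip:192.0.2.10", "resolves_to"),
    ("domain:nationalbank[.]bz", "cert:aa11bb22", "serves_cert"),
    ("domain:nationalbank[.]bz", "email:reg1@example[.]net", "registrant"),
    ("domain:nb-kz-docs[.]example", "ip:192.0.2.10", "resolves_to"),
    ("domain:nb-kz-docs[.]example", "cert:aa11bb22", "serves_cert"),
    ("domain:bank-update[.]example", "email:reg1@example[.]net", "registrant"),
    ("domain:bank-update[.]example", "ip:198.51.100.7", "resolves_to"),
    ("domain:payroll-invoice[.]example", "ip:198.51.100.7", "resolves_to"),
    # The seed also resolved, at some point, to a shared hosting IP.
    ("domain:nationalbank[.]bz", "ip:203.0.113.1", "resolves_to"),
]

# Eight unrelated shops on the same shared hosting IP: a hub node.
HUB_LINKS = [
    (f"domain:shop-{i}[.]example", "ip:203.0.113.1", "resolves_to")
    for i in range(8)
]

# Constructed attribution tags, standing in for a curated threat-intel feed.
TAGS = {
    "domain:bank-update[.]example": "Cobalt",
    "domain:payroll-invoice[.]example": "Cobalt",
}


def build_graph(records):
    """Undirected graph: node -> {neighbour: relation}."""
    graph = defaultdict(dict)
    for a, b, rel in records:
        graph[a][b] = rel
        graph[b][a] = rel
    return graph


def pivot(graph, seed, max_hops=4, max_degree=5):
    """Breadth-first pivot from the seed indicator.

    Returns (hops, hubs): hops maps every reached node to its distance from
    the seed; hubs is the set of high-degree nodes that were seen but not
    traversed, because walking through them would link unrelated infrastructure.
    """
    hops = {seed: 0}
    hubs = set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nbr in graph[node]:
            if nbr in hops:
                continue
            if len(graph[nbr]) > max_degree:
                hubs.add(nbr)  # shared hosting / CDN / reused cert: do not expand
                continue
            hops[nbr] = hops[node] + 1
            queue.append(nbr)
    return hops, hubs


def linked_domains(hops):
    """Domains reached by the pivot, excluding the seed itself."""
    return sorted(n for n, h in hops.items() if n.startswith("domain:") and h > 0)


def attribute(hops, tags):
    """Count group tags on the reached nodes; the top entry is the attribution."""
    return Counter(tags[n] for n in hops if n in tags)


def shared_infrastructure(graph, a, b):
    """Indicators two nodes have in common, with the relation seen from a."""
    return {n: rel for n, rel in graph[a].items() if n in graph[b]}


if __name__ == "__main__":
    g = build_graph(RECORDS + HUB_LINKS)
    hops, hubs = pivot(g, "domain:nationalbank[.]bz")
    print("linked domains:", linked_domains(hops))
    print("skipped hubs:", sorted(hubs))
    print("attribution:", attribute(hops, TAGS).most_common())
    print("shared with nb-kz-docs:",
          shared_infrastructure(g, "domain:nationalbank[.]bz", "domain:nb-kz-docs[.]example"))
```

Run from the seed, the walk reaches nb-kz-docs[.]example through the shared IP and certificate, bank-update[.]example through the shared registrant email, and payroll-invoice[.]example through bank-update's hosting IP, while none of the shops behind the hub IP appear. In a real dataset the degree threshold needs tuning per indicator type (a registrant email shared by three domains is a strong link; an IP shared by three thousand is noise), and cert fingerprints should be excluded when they belong to a CDN or a free CA's default certificate.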
When Group-IB investigates phishing attacks or the activities of fraudulent or pirate websites, the company's experts routinely build graphs to identify linked web resources and then check every host found for similar content. This turns up both old phishing pages that are still active but were never detected and entirely new phishing pages that were created for future attacks and have not yet been used.
Moreover, graph network analysis is indispensable for locating backends: according to Group-IB, 99 percent of card shops, hacker forums, numerous phishing resources and other malicious servers hide behind proxy servers, both their own and legitimate ones. Knowing the real location of a malicious server helps to identify the hosting provider and to link the server to the threat actors' other malicious projects.