Graph Network Analysis
Automated graph network analysis system for cybercrime investigations, threat attribution, detection of phishing & fraud
Establishing links between cybercriminal groups, phishing attacks, botnets, and fraudulent transactions
Significantly increased rate of successful investigations
Detection of malicious domains and files just within seconds
Network graph use cases
Fast cybercrime investigations
Network infrastructure analysis helps to identify cybercriminals’ legitimate projects and contact details linked to his real identity
Proactive phishing hunting
All the resources connected to the fraudulent resource or phishing attack might be scanned for similar content to enhance detection
Global threat hunting
Attacker’s infrastructure exposure, both active and hidden, and at the attack preparation stage
Search for backends
Find servers hidden behind proxy services to identify the real hosting provider
Key users of graph analysis
SOC/CERT analysts
Threat Researchers
Threat Intelligence analysts
Digital Forensics specialists
Search data
Domain registration data
DNS – domain records, files, profiles, tags
Backend servers hidden by proxies
Service banners (domains, redirections, error codes)
Hidden registration data (IDs, hosting providers)
History of registration data, hosting-related transfers, set of services
Service fingerprints on IP addresses (cryptography, cookies, unique responses, etc.)
SSL certificate registration data (fingerprints, hosts, domains, email, etc.)
Case: phishing attack by Cobalt
In December 2018, Cobalt hacker group, which is known for targeting banks, sent out emails disguised as the National Bank of Kazakhstan. If cybersecurity experts had not found the phishing emails and did not have an opportunity to carry out the comprehensive analysis of malicious files, they could have created a graph based on the malicious domain nationalbank[.]bz, used by the cybercriminals. The created graph would have immediately shown the links to other malicious domains and Cobalt cybercriminal group, revealing what files have already been used in earlier attacks.
Group-IB solutions with incorporated graph network analysis
Threat IntelligenceAttack attribution framework for analyzing and managing adversaries
Threat Detection SystemAdversary-centric detection and proactive global threat hunting