Kudelski Security Research has recently published an in-depth analysis of threat actor infrastructure tracking, offering valuable insights into cyber attack patterns and attribution techniques.
The article presents methodologies for clustering and identifying the purpose of malicious infrastructure, emphasizing the importance of cross-referencing public and private information sources.
Decoding Threat Actor Infrastructure
The researchers used a phishing campaign targeting U.S. and Israeli government officials as a case study.
By mapping the IP addresses associated with the attack and enriching them with hosting and historical DNS data, they attributed the campaign to the Iranian group Pioneer Kitten (also tracked as UNC757).
The analysis showed that most of the IPs sat with a single hosting provider. Concentrating infrastructure at one provider is a common tactic among threat actors, and for defenders it provides a provider-level pivot for locating further servers.
Further investigation, this time of historical (passive) DNS data, uncovered a potential overlap with the Gamaredon group.
The domain “hopers[.]ru” was observed resolving to the same IP address (206.71.148[.]78) as “cloud.sophos[.]one”, a domain used by Pioneer Kitten. A shared IP is a weak link on its own, since hosting providers reassign addresses between customers, which is why the overlap is labelled potential rather than confirmed; the finding still shows why historical resolution data matters for mapping how actors reuse infrastructure over time.
Advanced Analysis Techniques
The article emphasizes the role of the Diamond Model in Cyber Threat Intelligence (CTI) for analyzing adversaries and their intrusions.
The model relates four core features of an intrusion event (adversary, infrastructure, capability and victim), and records built on it can be stored in open-source CTI platforms or dedicated databases so that they remain useful over the long term.
The researchers stress the importance of maintaining structured intelligence to identify overlaps, detect recurring patterns, and accelerate future investigations.
To illustrate the process of clustering different infrastructures, the article presents a case study using intelligence gathered from a leak related to North Korean IT workers.
The researchers reconstructed a complete infrastructure from a PuTTY configuration file. Saved PuTTY sessions record the hostnames or IPs, ports, usernames, proxy hosts and key files an operator used, and the client also caches the SSH host keys it has accepted, so a single client-side artifact can tie together servers that look unrelated from the outside and reveal a more comprehensive picture of an adversary’s network.
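How such a reconstruction can be automated, as an added example that is neither the article's code nor material from the leak. The registry export below is constructed (RFC 5737 addresses, made-up key values); the registry layout it assumes is PuTTY's own: saved sessions live under HKCU\Software\SimonTatham\PuTTY\Sessions\<url-encoded name> with values such as HostName, PortNumber, UserName, ProxyMethod/ProxyHost/ProxyPort and PublicKeyFile, and accepted host keys live under ...\PuTTY\SshHostKeys as "<keytype>@<port>:<host>". RSA host keys are cached as "0x<e>,0x<n>", which is enough to rebuild the OpenSSH public-key blob and derive the SHA256 fingerprint used by ssh-keygen and by internet scanning services, so the same server can be recognised even after it changes IP:

```python
"""Rebuild an operator's infrastructure from a PuTTY .reg export.
Added example; the export below is constructed, not from the leak."""
import base64
import hashlib
import re
from urllib.parse import unquote

SESSIONS_PREFIX = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions" + "\\"
HOSTKEYS_PATH = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Default%20Settings]
"HostName"=""
"PortNumber"=dword:00000016

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\vps-1]
"HostName"="203.0.113.5"
"PortNumber"=dword:00000016
"UserName"="root"
"PublicKeyFile"="C:\\Users\\dev\\keys\\vps.ppk"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\laptop%20farm%20a]
"HostName"="198.51.100.7"
"PortNumber"=dword:00000c38
"UserName"="user"
"ProxyMethod"=dword:00000002
"ProxyHost"="203.0.113.5"
"ProxyPort"=dword:00000438

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:203.0.113.5"="0x23,0xd4b2c8a3e1f07b9c5a6e2d1f"
"ssh-ed25519@3128:198.51.100.7"="0x1a2b3c,0x4d5e6f"
'''


def parse_reg(text):
    """Minimal .reg reader -> {key_path: {value_name: value}}.  Handles the
    "name"="string" and "name"=dword:hex forms PuTTY writes.  Real exports
    are UTF-16LE: pass open(path, encoding="utf-16").read()."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rhs = m.groups()
        if rhs.startswith("dword:"):
            reg[current][name] = int(rhs[6:], 16)
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            reg[current][name] = rhs[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            reg[current][name] = rhs
    return reg


def sessions(reg):
    """One row per saved session that names a host (ProxyMethod 0 = no proxy)."""
    rows = []
    for path, v in reg.items():
        if path.startswith(SESSIONS_PREFIX) and v.get("HostName"):
            rows.append({
                "session": unquote(path[len(SESSIONS_PREFIX):]),
                "host": v["HostName"],
                "port": v.get("PortNumber", 22),
                "user": v.get("UserName", ""),
                "proxy": v.get("ProxyHost", "") if v.get("ProxyMethod", 0) else "",
                "proxy_port": v.get("ProxyPort", 0),
                "key_file": v.get("PublicKeyFile", ""),
            })
    return rows


def _string(b):
    return len(b).to_bytes(4, "big") + b


def _mpint(n):
    """SSH mpint: big-endian, with a leading 0x00 byte when the top bit is set."""
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _string(b)


def rsa_fingerprint(cache_str):
    """'0x<e>,0x<n>' (PuTTY's rsa2 cache form) -> OpenSSH SHA256 fingerprint."""
    e_hex, n_hex = cache_str.split(",")
    blob = _string(b"ssh-rsa") + _mpint(int(e_hex, 16)) + _mpint(int(n_hex, 16))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_keys(reg):
    """Accepted host keys as {(host, port): (keytype, fingerprint_or_raw)}.
    Only rsa2 is converted; other types keep PuTTY's raw cache string."""
    out = {}
    for name, cached in reg.get(HOSTKEYS_PATH, {}).items():
        ktype, _, rest = name.partition("@")
        port, _, host = rest.partition(":")
        fp = rsa_fingerprint(cached) if ktype == "rsa2" else f"{ktype}:{cached}"
        out[(host, int(port))] = (ktype, fp)
    return out


def infrastructure_map(reg):
    """Join sessions and host keys: one node per host with the accounts used,
    which hosts it proxies for (jump/SOCKS chains), and its host-key fingerprint."""
    keys, nodes = host_keys(reg), {}

    def node(h):
        return nodes.setdefault(h, {"ports": set(), "users": set(), "sessions": [],
                                    "proxies_for": [], "host_key": None})

    for s in sessions(reg):
        n = node(s["host"])
        n["ports"].add(s["port"])
        n["users"].add(s["user"])
        n["sessions"].append(s["session"])
        if (s["host"], s["port"]) in keys:
            n["host_key"] = keys[(s["host"], s["port"])][1]
        if s["proxy"]:
            node(s["proxy"])["proxies_for"].append(s["host"])
    return nodes


if __name__ == "__main__":
    for host, info in infrastructure_map(parse_reg(SAMPLE_REG)).items():
        print(host, info)
```

The proxy relationship is the most useful edge here: a session whose ProxyHost is another saved session's HostName shows the operator chaining through one box to reach the next, and the host-key fingerprints give stable identifiers that can be searched in scan data or compared across leaks from other operators.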
The article addresses the lack of standardized naming conventions in threat intelligence, attributing it to various factors such as unique perspectives on malicious infrastructure, malware, clusters, and TTPs.
The researchers highlight the importance of analyzing infrastructure based on open-source data while considering multiple viewpoints, including the geopolitical context and potential biases in attribution.
The article underscores the critical role of continuous analysis in refining assessments, identifying behavioral overlaps, and tracking the evolution of threat actor infrastructure.
By employing these advanced techniques and maintaining a comprehensive intelligence database, security professionals can better anticipate and mitigate cyber threats in an ever-evolving landscape.