Group-IB Network graph

Product
Developer: Group-IB (Group of information security)
System release date: 2019/11/08
Industry: Information technologies
Technology: Data Mining

2019: Release of the solution for graph analysis of network infrastructure

On November 8, 2019, Group-IB made public its in-house development for graph analysis of network infrastructure, capable of building links between disparate data in a few seconds, attributing an attack to a specific hacker group, and investigating and predicting the threats relevant to a specific organization or industry.

Group-IB's patented network graph technologies are integrated into the company's public products, Threat Intelligence and Threat Detection System. This step by Group-IB is designed to help analysts at security operations centers and CERTs (incident response centers), cyber-investigation specialists and computer forensics experts to investigate the tactics and infrastructure of attackers, to improve the security of their own systems and to develop their skills in threat hunting.

According to the developer, the Group-IB network graph was built over several years and is constantly enriched with indicators obtained during cybercrime investigations, incident response, malware analysis and other threats detected by the Threat Intelligence and Threat Detection System products. The array of historical data on attackers, collected over 16 years of work, includes billions of records about domain names, IP addresses and digital fingerprints of servers involved in attacks, as well as profiles of individual hackers and groups.

According to the developer, the Group-IB network graph makes it possible to move from "raw" indicators of compromise to researching attackers and managing the threats relevant to a specific business. An analyst using it in Group-IB products enters a domain, IP address, e-mail address or SSL certificate fingerprint into the search bar, and the system automatically builds a graph showing the interrelations: information about domain names, IP addresses, digital fingerprints of servers, and so on. Although most attackers, especially cybercriminal and APT groups, try to operate as covertly as possible on the network, most of them made mistakes early on and paid too little attention to anonymity.

"Without knowing who poses a threat to you, it is impossible to protect yourself from an attack and prevent damage. We studied dozens of suppliers of different graphs before we came to the conclusion that we needed our own development. None of the graphs analyzed contained complete collections of historical data: domains, Passive DNS, Passive SSL, DNS records, open ports, services running on ports, files interacting with domain names and IP addresses. We began to create such collections, including all updates in them, with varying depth reaching 15 years. We did not accept the manual graph building of other suppliers and fully automated the graph. In response to the huge volume of "garbage links" produced by other products, we trained our system to identify irrelevant elements using the same logic our experts applied by hand. The task of our graph is hunting, faultless attribution and deep research of attackers. As of November 2019, this tool is available in our products",
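As an added illustration (not Group-IB's code or data), the following Python sketch shows the pivoting described above: a seed indicator is expanded over constructed Passive DNS and Passive SSL relations, and hub nodes shared by many unrelated hosts are treated as "garbage links" and left unexpanded. The record set and the degree-threshold filter are assumptions for the example, not the vendor's data or logic.

```python
"""Indicator pivoting over Passive DNS / Passive SSL relations (added example).
RECORDS are constructed sample data; the degree-based noise filter is an
assumed stand-in for the vendor's "garbage link" logic, not Group-IB code."""
from collections import defaultdict, deque

# (indicator, relation, indicator): a domain resolves to an IP or serves a cert.
RECORDS = [
    ("bad-login.example", "resolves_to", "203.0.113.10"),
    ("bad-login.example", "cert_sha1", "CERT_A"),
    ("secure-pay.example", "resolves_to", "203.0.113.10"),
    ("secure-pay.example", "cert_sha1", "CERT_A"),
    ("new-phish.example", "cert_sha1", "CERT_A"),        # prepared, not yet used
    ("bad-login.example", "resolves_to", "198.51.100.5"),  # shared hosting IP
    ("shop1.example", "resolves_to", "198.51.100.5"),
    ("shop2.example", "resolves_to", "198.51.100.5"),
    ("shop3.example", "resolves_to", "198.51.100.5"),
]

def build_adjacency(records):
    """Undirected adjacency: every relation links both indicators."""
    adj = defaultdict(set)
    for left, _relation, right in records:
        adj[left].add(right)
        adj[right].add(left)
    return adj

def pivot(seed, records, max_depth=2, noise_degree=4):
    """BFS from `seed` up to `max_depth` hops. A neighbour linked to
    `noise_degree` or more indicators (shared hosting IP, CDN cert) is recorded
    as pruned and not expanded, so unrelated tenants do not flood the graph."""
    adj = build_adjacency(records)
    related, pruned = {seed}, set()
    queue = deque([(seed, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for neighbour in adj[node]:
            if neighbour != seed and len(adj[neighbour]) >= noise_degree:
                pruned.add(neighbour)
            elif neighbour not in related:
                related.add(neighbour)
                queue.append((neighbour, depth + 1))
    return related, pruned

if __name__ == "__main__":
    found, noise = pivot("bad-login.example", RECORDS)
    print("related:", sorted(found), "pruned hubs:", sorted(noise))
```

Starting from the known phishing domain, the walk reaches the sibling domain sharing its IP and certificate and the not-yet-used domain on the same certificate, while the shared hosting IP and its unrelated tenants are excluded.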

How the Group-IB network graph works

As noted by Group-IB, the graph makes it possible not only to find linked elements but also to reveal common properties: the patterns characteristic of a particular hacker group. Knowledge of these unique signs makes it possible to recognize attacker infrastructure at the preparation stage, even without evidence confirming an attack such as phishing e-mails or malware.

When investigating phishing attacks, online fraud or piracy, Group-IB analysts automatically build graphs of linked network resources and check all discovered hosts for similar content. This reveals both old phishing sites that were active but unknown, and completely new ones that are being prepared for future attacks but are not yet in use.

In addition, the network graph helps in the search for backends, the server side: 99% of card shops, hacker forums, many phishing resources and other malicious servers hide both behind their own proxy servers and behind proxies of legitimate services. Knowing the real location of a malicious server makes it possible to identify the hosting provider and to build links with other malicious projects of the attackers, Group-IB emphasized.