6 Post Tagged as know your foe

Reflections on Know Your Foe

Back in June, when Steve and I re-designed our website, one fact was clear - we wanted to provide a quick summary of the analysis workflow and thus, the learn page was born. Inspired by the success of the page, we began the “Know Your Foe” blog series to tackle some of the many challenges analysts face when researching threat infrastructure.

We didn’t think it would gain as much traction as it has, but

read more

Know Your Foe: Who's Behind the WHOIS

Thousands of times a day, domains are bought and/or transferred between individuals. The process to make all of this happen is easy and only takes a few minutes and roughly $7 depending on the registrar provider. Beyond payment details, you must provide additional information about yourself, some of which gets stored as part of a WHOIS record once the domain has been setup.

WHOIS is a protocol that lets anyone query for information about

read more

Know Your Foe: The Providers of Things

The Internet is a big, big place and will only increase once IPv6 is more widely adopted. Living amongst the backbone routing, networked refrigerators and live drone feeds exists a just as critical set of services, hosting providers. The term itself is a bit misleading as it doesn't just pertain to website providers like GoDaddy or 1&1 or Google, but also encompasses additional services like content delivery networks (CDNs) and virtual private servers

read more

Know Your Foe: All the Routes - Subnets and Autonomous Systems

Your network security team just informed you they found malicious code on the network beaconing to 103.15.122.107. First thought, what other infrastructure might be related to the IP address? Naturally, if one data point is good than hundreds must be better. You notice the IP address is part of a larger class C address space (103.15.122.0/24), so you scan the entire subnet and wait for results. Just then,

read more

Know Your Foe: It Might Be a Sinkhole If...

One of the most effective methods for tracking actor-based attack campaigns is to take control of as much of their infrastructure as possible and remove their access to infected hosts before they can react. The processing of takeovers can vary, but often times registrars or hosting providers will provide the defenders (good guys) with the ability to re-route incoming traffic to a server they control in order to perform analysis of the compromised check-ins. This

read more