Full Report
Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns. The post One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks appeared first on Unit 42.
Analysis Summary
The provided article summary focuses on the *methodology* of infrastructure discovery using automated pivoting and Graph Neural Networks (GNNs) applied to three specific campaign types, rather than detailing a specific piece of malware or a single TTP. Therefore, the core "Tool/Technique" described is the **Adversary Infrastructure Discovery via Automated Pivoting and GNNs**.
# Tool/Technique: Adversary Infrastructure Discovery via Automated Pivoting and GNNs
## Overview
This entry describes a defensive methodology that pivots automatically from known indicators (such as network artifacts) and trains a Graph Neural Network (GNN) to discover related, evolving malicious infrastructure, focusing on domains used in phishing and skimmer campaigns.
## Technical Details
- Type: Technique (Defensive Methodology/Analysis Technique)
- Platform: Primarily network-focused analysis infrastructure; targets indicators related to web-based attacks (phishing, skimming).
- Capabilities: automatic discovery of new, related malicious domains; proactive threat hunting across evolving infrastructure; relationship mapping via a network crawler.
- First Seen: Not explicitly stated; inferred from the article's context of applying machine learning to security.
## MITRE ATT&CK Mapping
*Note: since this is a defensive technique applied against threat actors, the mapping below reflects the TTPs this discovery method targets, not the discovery method itself.*
- [TA0011 - Command and Control]
- [T1568 - Dynamic Resolution]
- [T1568.002 - Domain Generation Algorithms (DGA)]
- [T1071 - Application Layer Protocol]
- [T1071.001 - Web Protocols (HTTP/HTTPS)] (Relevant for phishing/skimmer infrastructure)
## Functionality
### Core Capabilities
- **Indicator Pivoting:** Leveraging known indicators (domains, network artifacts) to find connected infrastructure.
- **Relationship Mapping:** Using a network crawler to establish connections among domains.
- **Machine Learning Application:** Training a Graph Neural Network (GNN) to classify and detect additional malicious domains based on learned relationships.
### Advanced Features
- **Proactive Discovery:** Enabling defenders to stay ahead of actors who frequently reuse or rotate infrastructure for campaigns (postal phishing, credit card skimming, financial phishing).
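As an added illustration of the pivoting and relationship-mapping steps above (not Unit 42's code or model), the Python below builds a domain/artifact graph from constructed placeholder records, pivots from a seed indicator, and scores neighbouring domains with a parameter-free message-passing step that stands in for a trained GNN. The domain names, artifacts and the degree cap on shared artifacts are assumptions.

```python
from collections import defaultdict

# Constructed toy data (placeholder values, not real indicators): (domain, artifact) pairs.
EDGES = [
    ("seed-postal-phish.test", "ip:203.0.113.10"),
    ("seed-postal-phish.test", "ns:ns1.placeholder.test"),
    ("seed-postal-phish.test", "ip:192.0.2.1"),  # generic shared host
    ("parcel-redelivery.test", "ip:203.0.113.10"),
    ("parcel-redelivery.test", "ns:ns1.placeholder.test"),
    ("checkout-skim.test", "ns:ns1.placeholder.test"),
    ("checkout-skim.test", "ip:203.0.113.11"),
    ("news-site.test", "ip:192.0.2.1"),
    ("blog.test", "ip:192.0.2.1"),
    ("shop.test", "ip:192.0.2.1"),
]
SEEDS = {"seed-postal-phish.test"}  # known-bad indicator to pivot from


def build_graph(edges, max_artifact_degree=3):
    """Undirected domain/artifact graph. Artifacts shared by more than
    max_artifact_degree domains (shared hosting, CDNs) are dropped as noise."""
    adj = defaultdict(set)
    for dom, art in edges:
        adj[dom].add(art)
        adj[art].add(dom)
    noisy = set() if max_artifact_degree is None else {
        n for n in adj if ":" in n and len(adj[n]) > max_artifact_degree}
    return {n: nbrs - noisy for n, nbrs in adj.items() if n not in noisy}


def pivot(graph, seeds, hops=1):
    """Automated pivoting: domains within `hops` domain->artifact->domain
    steps of the seeds, excluding the seeds themselves."""
    frontier, found = set(seeds), set()
    for _ in range(hops):
        arts = {a for d in frontier for a in graph.get(d, ())}
        frontier = {d for a in arts for d in graph[a]} - seeds - found
        found |= frontier
    return found


def propagate(graph, seeds, rounds=2):
    """Parameter-free message passing: each node takes the mean score of its
    neighbours, seeds stay at 1.0 (a GNN layer would learn weights instead)."""
    score = {n: (1.0 if n in seeds else 0.0) for n in graph}
    for _ in range(rounds):
        score = {n: 1.0 if n in seeds else sum(score[m] for m in nbrs) / max(len(nbrs), 1)
                 for n, nbrs in graph.items()}
    return score
```

Two rounds are needed because the graph is bipartite: a seed's score first reaches the artifacts it uses, then the domains that share them, so a domain that only shares the pruned generic host ends up with score 0.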
## Indicators of Compromise
- File Hashes: N/A (Focus is on network artifacts)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: The specific discovered indicators from the three case studies are not detailed in the summary, but the methodology targets malicious URLs and domains.
- Behavioral Indicators: Network traffic indicative of phishing or credential harvesting activities associated with the discovered infrastructure.
## Associated Threat Actors
- Threat actors running large-scale, automated campaigns involving:
  - Postal services phishing campaigns
  - Credit card skimmer campaigns
  - Financial services phishing campaigns
## Detection Methods
- Signature-based detection: Applicable to known samples associated with the campaigns (as covered by Advanced WildFire).
- Behavioral detection: **Advanced URL Filtering** and **Advanced DNS Security** are mentioned as proactive methods used by customers to detect malicious URL infrastructure.
- YARA rules: Not explicitly mentioned.
## Mitigation Strategies
- **Advanced URL Filtering:** Protection against malicious URLs associated with the discovered infrastructure.
- **Advanced DNS Security:** Proactive protection by monitoring and blocking resolutions to newly discovered malicious domains.
- **Advanced WildFire:** Sandbox analysis for associated malware samples.
## Related Tools/Techniques
- Graph Neural Networks (GNNs) for security analysis.
- Network Crawling technologies applied to threat intelligence gathering.