using threat intelligence to trace attackers -- part 3 uses threat intelligence to investigate attackers

Posted by deaguero at 2020-03-11

Like to see the full version of you, use threat intelligence to investigate attackers, this is the full version, like to see you poke it in, welcome to support my basic friend's action ~ \ (≥ del ≤)/~

We talked about the classification of Threat Intelligence and advanced threat analysis methods. Next, let's talk about how Li uses Threat Intelligence to investigate attackers. (for some well-known reasons, I won't mention some of the data in it, for fear of being checked)

After the first two parts, we can now get some infrastructure information of the attacker, so the events we encounter are like this:

I used some long-term data to make a sample. Now I fill in some data, so it's like this:

The above are several points we can determine through the analysis of the whole event. First of all, from the results of our analysis of the whole event, we can get several very obvious data points:

OK analysis here we can have a general understanding of the attacker:

In fact, most of the cases we encounter are like this, but leaders often ask: can you find out who did this?

0x05 use threat intelligence to analyze the attacker:

We use threat intelligence to investigate the attacker. First, we analyze his infrastructure from IP and domain names. Through threat intelligence platform to query this IP, we query on the mainstream intelligence platform, and the results are as follows.

Well, it seems that there are many marked places. At this time, we can think that this IP is a malicious IP (isn't that bullshit!!!) In fact, after analyzing the infrastructure, we should take a look at the large network traffic of this server.

This trend is OK, not so rampant. The peak value is about 10K. In fact, dshield data can see socket information. I will not paste it here. We find that a group of socket data is interesting:

23.xx.xx.58:80 -> 58.xx.xx.163:4120

The IP in the back keeps visiting the IP in the front, and the frequency is high. Therefore, we have carried out a survey on this IP. Because there are many posters in the front, we will post fewer.

Yo, it's terrible, and there's a collision. Let's take a look at the origin of this IP. By using our open ddosmon, we can see that this IP has launched some DDoS attacks (the mosaic IP is the attacked IP, thanks for @ Yang Xu's reminder):

Let's see where this IP is?

Well, it's basically clear now. However, the individual still feels that there is a probability problem, so the results are only for reference. In fact, the complete content traced out at the end is shown in the figure:

Let's write so much first. In fact, I didn't investigate the real identity of this IP, because it's meaningless. As I said before, the impact of this attacker can be completely resisted by our security defense system. We don't need to find out who this person is. But because we need to satisfy the curiosity of leaders, we can only investigate the attacker In the end, I wish you to catch more hackers, but we must do so under the condition of supervision. The end of this article.