The identification of cyber attack patterns through infrastructure analysis has emerged as a crucial methodology in modern threat intelligence.
By examining the digital footprints left by threat actors, security analysts can now reconstruct attack campaigns and attribute them to specific groups with increasing accuracy.
Recent research from Kudelski Security demonstrates how cross-referencing between public and private information sources creates comprehensive infrastructure diagrams that yield actionable intelligence for long-term security operations.
When investigating cyber attacks, security professionals focus on identifying similarities, recurring patterns, pivot points, and historical data to establish connections between different campaigns.
This approach was recently demonstrated in an analysis of a phishing campaign targeting U.S. and Israeli government officials.
By mapping the attack infrastructure, researchers at Kudelski Security attributed the campaign to the Iranian group Pioneer Kitten (UNC757), which has conducted numerous intrusions against organizations globally since 2017.
The analysis revealed a network of interconnected IP addresses mostly linked to a specific hosting provider.
Mapping and enriched IPs from the attack (Source – Kudelski Security)
The mapping and enrichment of these IPs provided crucial insights into the attack structure. Further investigation uncovered potential overlaps with other threat actors, highlighting how infrastructure is sometimes shared or repurposed across different campaigns.
Effective infrastructure analysis requires meticulous documentation and structured approaches to clustering.
Reconstitution and enriched IOCs from the attack (Source – Kudelski Security)
The reconstitution and enrichment of Indicators of Compromise (IOCs) enables analysts to visualize the complete attack chain. This process involves tracking historical DNS data, domain registrations, and server configurations to identify operational patterns unique to specific threat actors.
Infrastructure Tracking Methodology for Attribution
The Diamond Model serves as a foundational framework for analyzing adversaries by examining four key elements of an intrusion.
Diamond model of the assessed attack (Source – Kudelski Security)
This model provides a structured approach to correlating various aspects of an attack, from the adversary’s capabilities to their victims and infrastructure.
Security analysts utilize this model to develop comprehensive profiles of threat actors over time, enabling more accurate attribution and prediction of future activities.
A critical aspect of infrastructure analysis involves tagging and clustering identified networks using consistent naming conventions.
For instance, a North Korean infrastructure might be tagged as [NK-NET-LC-08282024-CL-01], where each element represents specific attributes such as country code, confidence level, and discovery date.
Reconstituted infrastructure from North Korean IT workers (Source – Kudelski Security)
This systematic approach allows analysts to track infrastructure evolution over months or years, revealing valuable insights about threat actor behaviors and operational connections.
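The clustering and tagging step described above, as an added example that is not code from the Kudelski Security research: enriched indicators are grouped by the hosting provider they share, each cluster receives a tag in the style the article cites, and two campaigns are compared for shared infrastructure. The field layout country-NET-confidence-MMDDYYYY-CL-nn, the hosting-provider pivot, and all indicator data are assumptions constructed for the example.

```python
# Added example (not from the Kudelski Security article): cluster enriched IOCs
# by hosting provider and tag each cluster in the style the article cites
# ([NK-NET-LC-08282024-CL-01]); the layout <country>-NET-<confidence>-<MMDDYYYY>-CL-<nn> is assumed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Ioc:
    value: str       # IP address or domain
    provider: str    # hosting provider returned by enrichment (pivot point)
    first_seen: str  # discovery date, MMDDYYYY

def cluster_by_provider(iocs):
    """Group indicators that share a hosting provider."""
    clusters = defaultdict(list)
    for ioc in iocs:
        clusters[ioc.provider].append(ioc)
    return dict(clusters)

def make_tag(country, confidence, discovered, index):
    return f"{country}-NET-{confidence}-{discovered}-CL-{index:02d}"

def tag_clusters(iocs, country, confidence):
    """Return {tag: sorted IOC values}; a cluster's date is its earliest sighting."""
    tagged = {}
    for index, (_, members) in enumerate(sorted(cluster_by_provider(iocs).items()), start=1):
        earliest = min(datetime.strptime(m.first_seen, "%m%d%Y") for m in members)
        tag = make_tag(country, confidence, earliest.strftime("%m%d%Y"), index)
        tagged[tag] = sorted(m.value for m in members)
    return tagged

def shared_infrastructure(campaign_a, campaign_b):
    """Indicators present in both campaigns: a hint of shared or repurposed infrastructure."""
    return {a.value for a in campaign_a} & {b.value for b in campaign_b}

# Constructed sample data using documentation-only address ranges (RFC 5737).
CAMPAIGN_A = [
    Ioc("192.0.2.10", "HostCo-A", "08282024"),
    Ioc("192.0.2.11", "HostCo-A", "09102024"),
    Ioc("198.51.100.5", "HostCo-B", "09012024"),
]
CAMPAIGN_B = [
    Ioc("192.0.2.11", "HostCo-A", "10032024"),
    Ioc("203.0.113.7", "HostCo-C", "10052024"),
]
if __name__ == "__main__":
    print(tag_clusters(CAMPAIGN_A, "NK", "LC"))
    print(shared_infrastructure(CAMPAIGN_A, CAMPAIGN_B))
```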
Complete mapping of a North Korean infrastructure (Source – Kudelski Security)
When analyzing threat actor infrastructure, it’s essential to consider multiple intelligence sources and differing attribution methodologies.
North Korean activity matrix (Source – Kudelski Security)
The activity matrix shows how researchers can map an attacker’s organization, identify operational hierarchies, and distinguish between military and civilian operations conducted by groups like Lazarus.