Monday 28 March 2016

Clustering the Threat Landscape

Much of threat intelligence consists of grouping information together to identify common traits among attackers.
To that end, I wrote a quick Python script to identify common indicators across reports (pulses) in AlienVault's OTX platform. The output of the script is shown in the image below, with some of the more interesting clusters annotated:



This isn't a perfect method: there are some odd links in there that I wouldn't expect to see. But there are also some very interesting overlaps between otherwise disparate clusters of attacks, which point to possible links between groups.
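The core of the approach is small enough to show in full. The block below is an added example, not the script from the original post: it inverts a set of reports into an indicator index, links every pair of reports that share an indicator, trims each link to its first shared indicator (the same shape as the trimmed source file offered further down), and groups the linked reports into clusters with a union-find pass. It also flags indicators that appear in more than a handful of reports, since shared hosting, sinkholes and commodity tooling are the usual cause of the odd cross-cluster links mentioned above. The input shape (report name to set of indicator strings) is an assumption about what you would build from OTX pulses; the sample reports and indicators are constructed, using RFC 5737 test addresses and .example domains, and only trader562[.]com is an indicator the post itself names.

```python
"""Cluster threat-intel reports by the indicators they share.

Added example, not the script from the original post. It works on a
dict of report name -> set of indicator strings, which is the shape you
get after pulling pulses from OTX and collecting each pulse's indicator
values (assumed here, not taken from the post). The sample data below is
constructed: report names echo the clusters shown in the post, indicators
use RFC 5737 test addresses and .example domains, and only trader562[.]com
is an indicator the post names.
"""
from collections import defaultdict
from itertools import combinations
import csv
import io

# Constructed sample input (see module docstring). Domains are defanged
# with [.] the way the post writes them.
PULSES = {
    "Carbanak": {"trader562[.]com", "203.0.113.10", "carbanak-loader"},
    "Commodity malware roundup": {"trader562[.]com", "198.51.100.7"},
    "BlackEnergy - Ukraine grid": {"192.0.2.5", "192.0.2.6"},
    "BlackEnergy - KillDisk": {"192.0.2.5", "killdisk-dropper"},
    "Chinese APT - group A": {"apt-a-c2[.]example", "shared-cdn[.]example"},
    "Chinese APT - group B": {"apt-b-c2[.]example", "shared-cdn[.]example",
                              "apt-shared-dropper"},
    "Chinese APT - group C": {"apt-c-c2[.]example", "apt-shared-dropper"},
    "RocketKitten": {"198.51.100.200", "kitten-c2[.]example",
                     "shared-cdn[.]example"},
    "Sony attacks": {"203.0.113.77", "wiper-sample"},
}


def indicator_index(pulses):
    """Invert the data: indicator -> set of reports that list it."""
    index = defaultdict(set)
    for report, indicators in pulses.items():
        for ioc in indicators:
            index[ioc].add(report)
    return index


def noisy_indicators(index, max_reports=2):
    """Indicators listed by more than max_reports reports.

    Shared hosting, sinkholes and commodity tooling show up in many
    unrelated reports; linking on them produces odd cross-cluster edges,
    so they are worth reviewing or dropping before clustering.
    """
    return {ioc for ioc, reports in index.items() if len(reports) > max_reports}


def overlaps(pulses, exclude=frozenset()):
    """Map each pair of reports to the sorted list of indicators they share."""
    shared = {}
    for a, b in combinations(sorted(pulses), 2):
        common = (pulses[a] & pulses[b]) - exclude
        if common:
            shared[(a, b)] = sorted(common)
    return shared


def first_indicator_edges(shared):
    """One edge per overlapping pair, carrying only the first shared
    indicator (the trimmed form the post's source file uses)."""
    return [(a, b, iocs[0]) for (a, b), iocs in sorted(shared.items())]


def clusters(pulses, edges):
    """Connected components over reports: each component is one cluster.
    Reports with no edges come back as singletons."""
    parent = {report: report for report in pulses}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in edges:
        parent[find(a)] = find(b)
    groups = defaultdict(set)
    for report in pulses:
        groups[find(report)].add(report)
    return sorted((frozenset(g) for g in groups.values()),
                  key=lambda g: (-len(g), sorted(g)))


def edges_csv(edges):
    """Edge table (source, target, label), suitable for Maltego's table import."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["report_a", "report_b", "shared_indicator"])
    writer.writerows(edges)
    return buf.getvalue()


if __name__ == "__main__":
    index = indicator_index(PULSES)
    noisy = noisy_indicators(index)
    print("noisy indicators:", sorted(noisy))
    edges = first_indicator_edges(overlaps(PULSES, exclude=noisy))
    print(edges_csv(edges))
    for group in clusters(PULSES, edges):
        print(len(group), sorted(group))
```

On the constructed data, shared-cdn[.]example sits in three reports and would otherwise pull RocketKitten into the Chinese APT cluster; with it excluded, the Carbanak/commodity pair survives on trader562[.]com, the two BlackEnergy reports join on a shared address, and RocketKitten stays on its own. Running the same filter against real pulses is a quick way to triage which of the odd links are worth a second look and which are just common infrastructure.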

You can download and browse through the Maltego file [here]; some of the clusters are displayed below.
Update: You can download the source file [here] to see which indicators the reports overlap on. It is trimmed to the first shared indicator for each overlapping pair of reports.

BlackEnergy

Carbanak, linked to a report on more commodity malware via the domain trader562[.]com


Lots of overlaps with Chinese APT


RocketKitten


Sony Attacks