One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks
Essential information
- Published: 21/01/2025 18:17
- Modified: 21/01/2025 18:48
- Tags: 2025-01-14 2025-01-21 anunak aranuk aranuk/carbanak automated detection automation carbanak domain analysis graph neural networks infrastructure discovery malicious domains phishing skimmer threat hunting web skimming
- Related entities: 103 observables, 1 intrusion set (apt), 10 techniques (mitre), 1 malware, 22 others
Description
The report discusses an automated approach using graph neural networks to proactively detect malicious infrastructure employed by threat actors in cyber attacks based on known indicators. It examines the relationships between different types of indicators, such as co-hosted domains, malware delivery URLs, and SSL certificates, which can reveal connections between seemingly unrelated infrastructure. The approach involves training a graph neural network classifier on these relationships to identify new malicious domains and infrastructure. Three case studies are presented, highlighting the effectiveness of this approach in uncovering large-scale phishing campaigns targeting postal services, financial institutions, and web skimmer operations.