The purpose of this threat intelligence research is to identify new methods for identifying malicious infrastructure. Today, multiple sources on the Web provide blacklists of IP addresses and URLs suspected of being used in malicious activity. Typically these lists are populated from sources such as honeypots and intrusion detection systems.
This work was inspired in part by the MLSec project, which shows that different blacklists typically contain significant overlap. This inspired us to find methods to detect new, potentially malicious IP addresses in ways that are complementary to the methods used to populate these lists.
We believe that new information can be derived and additional suspected malicious infrastructure can be identified by analyzing open and dark Web sources that relate malware of various kinds to IP addresses and URLs. In this study, we use the Recorded Future Web index to identify IP address candidates mentioned in suspicious contexts, such as known malware. One might think of this as similar to deciding the shadiness of a bar: if you see one criminal walk in it might be just chance, but if you see two or more this is likely not a place you should visit!
For this project, Recorded Future analyzed 890,000 documents that mention malware (including Web pages, tweets, and pastes) from nearly 700,000 Web sources that Recorded Future tracks, for the time period from January 1, 2014 to August 2, 2015. Sources span from big media to cyber security blogs, social media, forums, and paste sites. A total of 1,408 different malware were mentioned in these documents, and of these, we chose to analyze only the 322 that have a defined category in the Recorded Future Cyber Ontology and were not categorized as Adware (which we see as not being truly malicious). This restriction improves the meaningfulness of our analysis.
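The "two or more criminals in the bar" heuristic above, as an added illustration that is not Recorded Future's own code: it scans constructed sample documents, drops malware without a category or categorized as Adware, collects the distinct malware each IP is co-mentioned with, and flags IPs that reach a threshold of two. The documents, IP addresses, malware names and the ontology mapping are all placeholders.

```python
import re
from collections import defaultdict

# Constructed sample documents (not from the original study). Each is a
# (source, text) pair; the IP addresses and malware names are placeholders.
SAMPLE_DOCS = [
    ("paste", "Dridex C2 seen at 203.0.113.10 and 203.0.113.20 this week"),
    ("tweet", "Zeus dropper beaconing to 203.0.113.10 #malware"),
    ("blog", "SuperSearch adware bundle phones home to 203.0.113.30"),
    ("forum", "Zeus config update: 203.0.113.10, also 198.51.100.5"),
    ("blog", "Dridex campaign again: 203.0.113.10"),
    ("paste", "CoolToolbar adware installer downloads from 203.0.113.20"),
]

# Hypothetical ontology: malware name -> category. Entries without a category
# are dropped, as are Adware entries, mirroring the restriction described above.
MALWARE_ONTOLOGY = {
    "dridex": "Banking Trojan",
    "zeus": "Banking Trojan",
    "supersearch": "Adware",
    "cooltoolbar": "Adware",
    "mystery": None,
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def selected_malware(ontology):
    """Keep only malware with a defined, non-Adware category."""
    return {name for name, cat in ontology.items() if cat and cat != "Adware"}

def ip_malware_cooccurrence(docs, ontology):
    """Map each IP to the set of distinct selected malware it is mentioned with."""
    keep = selected_malware(ontology)
    seen = defaultdict(set)
    for _source, text in docs:
        lower = text.lower()
        families = {m for m in keep if m in lower}
        if not families:
            continue  # document mentions no selected malware, so its IPs add nothing
        for ip in set(IPV4.findall(text)):
            seen[ip] |= families
    return seen

def suspicious_ips(docs, ontology, min_families=2):
    """IPs co-mentioned with at least `min_families` distinct selected malware."""
    co = ip_malware_cooccurrence(docs, ontology)
    return sorted(ip for ip, fams in co.items() if len(fams) >= min_families)
```

Only 203.0.113.10 is flagged: it is co-mentioned with two distinct non-adware families, while the adware-only documents contribute nothing to 203.0.113.20 and 203.0.113.30.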