Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


threat intelligence: clue expansion

Posted by melchionda at 2020-02-25

Here we only talk about expanding clues with the help of public information; when working with real clues, much more depends on the specific scene.

So a lot of the information is more likely to come from the platforms the analysts themselves guard than from the Internet.


Conventional analysis and mining is a process from 0 to 1, while clue expansion is a process from 1 to 2, and then from 2 to 10.

Much of the time clue expansion looks like social engineering, but what actually matters behind each SE step is associating the newly dug information with the original clue.

However, this is also where the awkwardness of clue expansion lies.

In many cases, when the clue has finally grown from 1 to 10, the people who expanded it are at a loss and do not know how to use the rich set of clues.

In my opinion a clue by itself is lifeless; no matter how many clues are obtained, that does not change.

The vitality of a clue should come from its tracking ability in the landing scene: a C&C may expand into nine related domain names, but those nine may turn out to be C&C infrastructure that has not yet been enabled, or even domains registered for other purposes, and telling the difference requires verification capability in the scene.

For intelligence service providers, verification capability may come from active detection (probing); for intelligence users, it may come from behavior monitoring in the logs.

Some people may feel that clues cannot be deepened because they lack an information landing scene.

Actually, before this question I had already written an article that was a bit YY (speculative) but practically useful: TI feed: I don't need a list.

One of the more confusing aspects of online clue expansion is human clues.

In the SE process, the entanglement of human clues makes it easy for clue expansion to turn into doxxing (human-flesh search) of a team. In most cases, no matter how clear the doxxing results are, they are of no value, unless one has certain means, which you know without my saying, to do something to this person.

So human information is basically used to connect all the clues together. Most of the time it is used to verify whether the nine mined clues are strongly related to the original one.

This brings us to the relevance of clues.

There are two ways of thinking about clue relevance: broader multi-dimensional verification, and deeper single-dimension verification, where a dimension is not only a technical dimension.

For example, in some analysis reports it seems unreasonable to me to judge a strong connection between two clues from a single ID dimension alone. My method is to place the two IDs back in their respective sources and then mine the information in those sources for association verification.

For example, an ID appears on two social platforms. If the same ID posts identical pictures on both platforms within a short period, that is a kind of strong connection; this is also the human-clue question mentioned above.

Besides this in-depth approach, single-dimension verification can also rely on some authoritative sources. For example, multiple pieces of information point to the same company in a business-registration query; in that case I choose to trust the authority of such information.

The broad multi-dimensional verification approach is simpler to implement, so no examples are given here.
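As an added illustration of the two points above (verifying pivoted C&C domains by behaviour seen in the logs, and multi-dimensional association back to the seed clue), here is a small Python script that is not part of the original post; the seed, the candidate domains, the dimensions and the proxy log lines are all constructed placeholders.

```python
"""Verify pivoted clues: how many dimensions each candidate shares with the
seed C&C, and whether it is actually observed in the environment's logs."""
from collections import Counter

# Constructed seed indicator (not real infrastructure).
SEED = {"domain": "seed-c2.example", "ip": "203.0.113.10",
        "ns": "ns1.example-dns.test", "registrant": "reg-a@example.test"}

# Constructed candidates produced by pivoting on the seed's attributes.
CANDIDATES = [
    {"domain": "cand1.example", "ip": "203.0.113.10",
     "ns": "ns1.example-dns.test", "registrant": "reg-a@example.test"},
    {"domain": "cand2.example", "ip": "198.51.100.7",
     "ns": "ns1.example-dns.test", "registrant": "other@example.test"},
    {"domain": "cand3.example", "ip": "192.0.2.5",
     "ns": "ns9.unrelated.test", "registrant": "other@example.test"},
]

# Constructed proxy log lines: "<timestamp> <client> <destination> <action>".
LOGS = """2020-02-25T10:00:01Z 10.0.0.5 cand1.example ALLOW
2020-02-25T10:00:09Z 10.0.0.5 cand1.example ALLOW
2020-02-25T10:03:44Z 10.0.0.9 cand3.example BLOCK
"""

# Assumed association dimensions; a real analysis would add non-technical ones.
DIMENSIONS = ("ip", "ns", "registrant")


def shared_dimensions(seed, cand):
    """Dimensions on which the candidate matches the seed clue."""
    return [d for d in DIMENSIONS if seed[d] == cand[d]]


def observed_domains(log_text):
    """Count how often each destination domain appears in the proxy logs."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            counts[parts[2]] += 1
    return counts


def assess(seed, candidates, log_text):
    """Combine multi-dimensional association with the landing-scene check."""
    counts = observed_domains(log_text)
    results = {}
    for cand in candidates:
        shared = shared_dimensions(seed, cand)
        hits = counts.get(cand["domain"], 0)
        if len(shared) >= 2 and hits:
            verdict = "strong"  # linked on several dimensions and seen locally
        elif shared or hits:
            verdict = "weak"    # one signal only: needs further verification
        else:
            verdict = "unrelated"
        results[cand["domain"]] = {"shared": shared, "log_hits": hits, "verdict": verdict}
    return results
```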

For the above, please refer to the picture.

**It's hard to write exactly as you'd like; please leave a message.**