
This discussion with John Jensen, Founder & CTO at Silent Push, unfolds the practical limitations of predicting attacks based on domain and IP intelligence, and how attackers abuse CDNs and cloud services to mask campaigns.
Jensen, a former FireEye research leader, brings deep expertise in DNS traffic analysis, threat attribution, and preemptive cyber defense, with patents in domain-based risk detection.
We learned how malicious infrastructure, automation, and modularization can be used to fingerprint modular phishing kits.
We also explored what infrastructure-based artifacts still give away phishing kits despite obfuscation. Read on to know more.
Vishwa: Silent Push emphasizes preemptive detection. What are the practical limitations of predicting attacks based on domain and IP intelligence, and how can those limits be addressed?
John: The first two practical limitations that often come to mind on this topic are identifying infrastructure before it has been spun up, and identifying it before it has been weaponized.
Addressing the first requires either clairvoyance (not applicable here) or advanced knowledge - the kind that is based on known metrics for an attacker, their campaigns (in both scale and scope), and the type of detections or fingerprints one needs in place on the right data set(s) in order to identify such infrastructure as it comes online.
Addressing the second requires much the same, and is where our infrastructure variance metrics, change analytics, and peerless data really shine through. The ability to identify, attribute, and warn customers about soon-to-be-malicious infrastructure comes from a legion of different factors all working together in concert, which is why what we do here is so special.
Vishwa: Domain infrastructure is often the earliest signal of an attack. What patterns in newly registered domains most reliably reveal malicious intent before exploitation?
John: There are more than most would think, but some of the more reliable metrics are:
There is a wide range of other technical details that we tend to keep in-house to both better protect our customers and in order to not tip off threat actors as to how they can better obscure their infrastructure from defenders.
Without getting too deep into specifics, different groupings of malicious infrastructure (especially when they ultimately belong to the same threat actor/group) all tend to share specific characteristics, and it is from those shared technical characteristics that attribution and analytical assessments can be made.
At Silent Push, we have a number of proprietary hashes that were developed to support and streamline those assessments, as they enable us to definitively identify both exact-match and fuzzy-match (i.e., near-similar) infrastructure. We have discussed several of these a bit more openly on our threat intelligence blogs. I encourage your readers to refer to those.
Vishwa: Threat actors increasingly rotate hosting and DNS providers. How do you track adversary infrastructure that intentionally blends into legitimate internet traffic?
John: The key is establishing baselines of normal or expected movements for both benign and adversarial infrastructure. By monitoring both for changes, as well as for deviations across any of our pivotable fields, we can pierce the veil of threat actor obfuscation to tie disparate campaigns and seemingly unrelated infrastructure together.
For Fast Flux in particular, our platform makes it exceptionally easy. Simply enter the domain or IP of a piece of adversary (or suspected adversarial) infrastructure into our main search bar and find an easy-to-reference list on our Total View page of the various rotations it has been through (both recently and historically).
We even have a handy graph to identify fast-flux infrastructure available on the same page under our "Infrastructure Variance" tab. Click on "IP Diversity" and if you see what looks like an escalating staircase -- you've found Fast Flux activity and can then step through each rotation as you continue to investigate.
Beyond these simple lookups, our proprietary infrastructure variance metrics measure this exact type of activity, our change data allows platform users to identify these movements at scale (particularly in our exceptionally powerful, advanced "Domain Search" capability), and our indicator of future attack (IOFA) feeds, alongside our customer-only reporting, provide that information up front and in a readily digestible, easy-to-follow format.
Vishwa: Attackers are abusing Content Delivery Networks (CDNs) and cloud services to mask campaigns. What techniques can defenders use to separate hostile from benign activity in these shared environments?
John: We have written extensively about this in our research on Triad Nexus, which includes Funnull CDN (recently sanctioned by the US), and in our discussions on the topic of infrastructure laundering - a term we coined to describe such activity.
The best advice we can provide defenders is to make sure they have access to the data and tools they need to sort the wheat from the malicious chaff here, and to pay attention to how these actors are mapping abuse of these services back to their actual infrastructure.
For an actionable example, as the technical explanation is best supported with visuals, I would defer your readers to our infrastructure laundering blog.
Vishwa: Phishing kits are growing more modular and harder to fingerprint. What infrastructure-based artifacts still give them away despite obfuscation?
John: You'll have to forgive me here, as operational security is a primary consideration here at Silent Push. Threat actors are often among the first to read our public statements or blogs.
So instead of giving away something that may educate our adversaries, I will instead say this: automation and modularization are not the 'fog of war' that threat actors consider them to be. They are instead the very weak links that defenders can seek to exploit to fingerprint these types of kits.
For automation, the scale and consistency are dead giveaways when you have access to the proper data for comparison, and that only gets more true as a given campaign ramps up.
For modularization, standardization of a particular module in a kit is nearly as good as writing a defender's fingerprint for them.
Sure, a given module may be swapped in or out, but by then we've already seen the whole proverbial bike - so changing the front or rear tire out for another doesn't help them hide from us.
Vishwa: Threat intelligence feeds are often overwhelming. What criteria should security teams use to prioritize indicators of compromise sourced from infrastructure monitoring?
John: I would never suggest reliance on IOCs, as responding to them is taking an inherently reactive stance to a past event. Security teams should focus on what a given threat actor actually controls, what they are spinning up or may soon repurpose to attack with in the future, and what metrics reveal either in order to adopt a proactive defensive stance that can actually stop attacks.
Think of it like this: if knowing is half the battle, then why focus on the battlefield your enemies have already abandoned? It's far more efficient to focus on where they are currently camped, what routes they are currently or will be taking, and what tactics they plan to use in the future. Only then can you make the best possible decisions.
Vishwa: Considering the rise of phishing and domain-based deception, what cybersecurity tools and practices would you recommend for both newcomers and expert practitioners to improve defenses?
John: Incorporate our ThreatCheck offering for its instant lookup capability against our IOFA feeds. Examine suspect or known malicious infrastructure in our platform to identify fingerprints by which all related attacker infrastructure can be blocked. Review our blogs and customer-only reporting to learn the latest methods by which defenders can map out IOFAs and protect themselves from an ever-expanding world of threats.