Imagine you are a Threat Hunter or a SECOPS Analyst. You were alerted to a possible suspicious IP Address communicating with a system within your network.
Questions you can use the IP address to answer are if it is anywhere else on the network, what systems or servers are communicating with it, whether its behavior indicates command and control beaconing, and if data is leaving the network to communicate with it. Overall, in and of itself, a single IP Address provides valuable - but limited - information. Even if the analyst initiates a block on that IP, an adversary can move the C2 communication channel to another entity entirely out of view.
After answering some of the questions above, the analyst should have more. Are there any finished threat intelligence articles that can link to that IP address? What other IP addresses or domains connect to it? What else can an analyst do to investigate this event or incident? Without some form of Threat Intelligence, an analyst would be lost, searching for the preverbal black box in a dark room wearing sunglasses.
In this blog, I will discuss a method for using Microsoft Defender Threat Intelligence (MDTI) to illuminate this dark room, uncovering previously unknown relationships in a technique known as Infrastructure Chaining. Infrastructure Chaining is crucial to a security analyst or threat hunter to investigate the relationships between connected datasets, which allows them to develop an investigation into events or incidents on their network.
So, if we start with an IP Address of 45.9.148[.]108, we can search on MDTI and see that IP Address has a reputation score of malicious. We can also see some quick information about that IP address, such as the first and last seen dates, the netblock, the ASN, and the organization associated with it.
On the summary page, we can also see two Threat Intelligence articles associated containing the IP address, one discussing NiceVPS Bulletproof Hosting and one for TeamTNT targeting AWS and Alibaba.
If we review the first article, we will learn that it discusses NiceVPS, also known as Nice IT Services. Nice IT has been registering domains in their name and leasing them out, which is an attempt to obfuscate the domain owner. According to the article, two threat groups use NiceVPS - Cosmic Lynx and TeamTNT. I can also look at the indicators associated with this threat article and see a domain that appears to be associated with TeamTNT.
The article also describes cryptojacking activities of TeamTNT, which include several NiceVPS IP Addresses and various malware domains. We can also see that our IP Address of interest is listed as one of the IP addresses used by TeamTNT.
If we search the MDTI Indicators, we will see that one of the domains listed is teantnt[.]red and the IP address of interest. Pivoting on the domain name teamtnt[.]red, we will be directed to the summary page. We will see that the teamtnt[.]red also has a reputation score of malicious.
In the resolutions tab within the data plane for teamtnt[.]red, we can see that we have discovered 15 IP addresses resolved at one point to the teamtnt[.]red domain. We can verify that the IP Address of interest is within the list of Resolutions. We can also see that teamtnt[.]red is now resolving to 172.105.27[.]61.
During our investigation, we might look at the Components of a domain. In DTI, Components describe a web page or server infrastructure gathered during a crawl or scan of that IP Address. When viewing the Components for teamtnt[.]red, I noticed something interesting: the site has a tracking pixel from iplogger[.]org. Based on prior research, I know that IPLogger is a site used by adversaries to create address and location tracking and methods to obfuscate URLs by shortening the URL.
Using this information, we can look at the trackers for teamtnt[.]red. Trackers are unique codes or values found on the web page that track user interaction. Here we can see that four unique trackers have been discovered.
While still focusing on TeamTNT, we will now switch to the Host Pairs tab. Host Pairs are two hosts (a parent and a child) that have shared or are currently sharing a connection observed from a Microsoft crawl. When viewing these host pair relationships, users should interpret the data whereby a parent host leads to the child host. Here, we can see that teamtnt[.]red domain is the parent of the pair, and iplogger[.]org is the child.
Now we can pivot on iplogger[.]org. On the summary page for iplogger[.]org, we will notice that that domain also had a reputation score of malicious.
Additionally, there are three Threat Intelligence Articles for you to review. The third article references TeamTNT.
During our research of the third article, we discovered that additional TeamTNT indicators were listed in the "Taking TeamTNT's Docker Images Offline" but were not contained in the "NiceVPS Bulletproof Hosting" article (which we should expect because the Bulletproof Hosting article was intended to talk mainly about the hosting provider rather than the TeamTNT actor group). Again, we are developing a complete view of a potential adversary.
If we look at the Lacework blog that was linked in the "Taking TeamTNT's Docker Images Offline" article, we will see the reference to iplogger[.]org being used by TeamTNT to track end-users.
Analysts now have a better picture of a potential adversary targeting the organization. We have several new data points and information that were developed from the threat intelligence articles to use to hunt the network. Additionally, the indicators we have developed can be used to tune the organization's layered defense to either alert or block IP addresses and domain. We can also start searching the logs and other historical records for any previously undiscovered activity related to the adversary.
So we can see how Microsoft Defender Threat Intelligence unifies these different data sets into a single platform, which allows an analyst to have actionable threat intelligence with reputation scores and data sets that you can pivot and discover additional adversary infrastructure. Using MDTI, your analysts are now equipped to effectively hunt the network, detect that previously unknown adversary, contain their activity, and then eradicate their activity from the organization's network.
Thank you for your time. If you have any questions, please contact our team at mdti-cxe@microsoft.com or contact me directly at dennismercer@microsoft.com