Fingerprinting Malware C2s with Tags
Fingerprinting Malicious Infrastructure
The art of fingerprinting adversary infrastructure involves identifying the attributes of an IP address and using them to build up a profile specific to the way it is configured. This includes reviewing the open ports, service banners, X.509 certificate(s), TLS handshakes, passive DNS (pDNS), and WHOIS data of the IP address. We then look for characteristics that are either unique to the infrastructure or widely shared and, depending on which, include them in our queries or filter them out.
Tags
At Team Cymru, we have developed the ability to query for all the IP addresses that match certain attributes using Tags. These Tags will then appear in the NetFlow records and are searchable within our Pure Signal products, including Scout and Recon. They can be used to filter out or inspect certain network traffic.
For our researchers and our customers, the use of IP attributes and Tags supports the ability to quickly identify communications involving malicious command-and-control (C2) IP addresses. Using Scout, we can view how many IP addresses are currently tagged for any Tag we track. This can then be used to create statistics over time to track the prevalence of such IPs, thus providing insights into trends and emerging threats.
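The two ideas above (a fingerprint built from an IP's attributes, and a Tag applied to every IP matching that fingerprint so tagged flows can be filtered and counted over time) can be shown end to end with a small script. The following is an added example written for this article, not Team Cymru's code and not the Scout or Recon query language; the host attribute fields, the rule fields, the NetFlow record layout and every IP, banner, certificate subject, handshake fingerprint value and WHOIS organisation in it are constructed sample data and are assumptions, not values from the page.

```python
"""Toy fingerprint-and-tag pipeline (added example, not Team Cymru code).

All host records, tag rules and NetFlow records below are constructed
sample data; the field names are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostProfile:
    """Attributes collected for one IP address (the 'fingerprint' inputs)."""
    ip: str
    open_ports: set
    banners: dict        # port -> banner string seen on that port
    cert_subject: str    # X.509 subject of the served certificate, "" if none
    tls_fp: str          # TLS server handshake fingerprint (e.g. JA3S), "" if none
    pdns: set            # hostnames observed resolving to this IP
    whois_org: str       # organisation from WHOIS


@dataclass
class TagRule:
    """A Tag is applied to every host whose attributes match the rule."""
    name: str
    ports: set = field(default_factory=set)               # all must be open
    banner_contains: dict = field(default_factory=dict)   # port -> substring
    cert_subject: str = ""                                # exact match if set
    tls_fp: str = ""                                      # exact match if set
    exclude_whois_orgs: set = field(default_factory=set)  # common/noisy owners

    def matches(self, h: HostProfile) -> bool:
        if not self.ports <= h.open_ports:
            return False
        for port, needle in self.banner_contains.items():
            if needle not in h.banners.get(port, ""):
                return False
        if self.cert_subject and h.cert_subject != self.cert_subject:
            return False
        if self.tls_fp and h.tls_fp != self.tls_fp:
            return False
        if h.whois_org in self.exclude_whois_orgs:
            return False
        return True


def tag_hosts(hosts, rules):
    """Return {ip: set(tag names)} for every host matching at least one rule."""
    tags = defaultdict(set)
    for h in hosts:
        for r in rules:
            if r.matches(h):
                tags[h.ip].add(r.name)
    return dict(tags)


def tagged_flows(flows, tags, tag_name):
    """Keep only NetFlow records whose src or dst IP carries tag_name."""
    return [f for f in flows
            if tag_name in tags.get(f["src"], ()) or tag_name in tags.get(f["dst"], ())]


def tagged_ip_counts_by_day(flows, tags, tag_name):
    """Distinct tagged IPs observed per day: the basis for a prevalence trend."""
    seen = defaultdict(set)
    for f in tagged_flows(flows, tags, tag_name):
        for ip in (f["src"], f["dst"]):
            if tag_name in tags.get(ip, ()):
                seen[f["day"]].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


# Constructed sample hosts (documentation-range IPs, invented attributes).
HOSTS = [
    HostProfile("203.0.113.10", {443, 8443}, {8443: "Server: nginx/1.18.0"},
                "CN=localhost", "fp-aaaa", {"update.example.test"}, "ExampleHost Ltd"),
    HostProfile("203.0.113.11", {443, 8443}, {8443: "Server: nginx/1.18.0"},
                "CN=localhost", "fp-aaaa", set(), "ExampleHost Ltd"),
    HostProfile("198.51.100.5", {443}, {443: "Server: Apache"},
                "CN=www.example.test", "fp-bbbb", {"www.example.test"}, "Example CDN"),
    HostProfile("198.51.100.6", {443, 8443}, {8443: "Server: nginx/1.18.0"},
                "CN=localhost", "fp-aaaa", set(), "Big Cloud Inc"),  # noisy owner
]

# One constructed rule: unique attributes kept, a common owner filtered out.
RULES = [TagRule("sample_c2_profile", ports={8443},
                 banner_contains={8443: "nginx/1.18.0"},
                 cert_subject="CN=localhost", tls_fp="fp-aaaa",
                 exclude_whois_orgs={"Big Cloud Inc"})]

# Constructed NetFlow-style records (day, src, dst, dport).
FLOWS = [
    {"day": "2024-01-01", "src": "192.0.2.7", "dst": "203.0.113.10", "dport": 8443},
    {"day": "2024-01-01", "src": "192.0.2.8", "dst": "198.51.100.5", "dport": 443},
    {"day": "2024-01-02", "src": "192.0.2.7", "dst": "203.0.113.10", "dport": 8443},
    {"day": "2024-01-02", "src": "192.0.2.9", "dst": "203.0.113.11", "dport": 8443},
    {"day": "2024-01-02", "src": "192.0.2.9", "dst": "198.51.100.6", "dport": 8443},
]

TAGS = tag_hosts(HOSTS, RULES)

if __name__ == "__main__":
    print("tagged:", TAGS)
    print("flows to tagged IPs:", len(tagged_flows(FLOWS, TAGS, "sample_c2_profile")))
    print("tagged IPs per day:", tagged_ip_counts_by_day(FLOWS, TAGS, "sample_c2_profile"))
```

The rule deliberately combines several attributes (port, banner, certificate subject, handshake fingerprint) so that a single shared trait such as a default nginx banner does not tag half the internet, and the WHOIS exclusion shows the "filter out" side of the profile. The per-day count is the kind of series that, tracked over weeks, shows whether a given infrastructure profile is growing or fading.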
To read the complete article see: Link to Full Article
Working at Team Cymru is more than a job — it’s a chance to be part of something meaningful. Enjoy outstanding benefits, work with incredible people, and contribute to a mission that truly matters.
Explore open roles and join us: Careers at Team Cymru