Attacker Infrastructure: How Hackers Build It and How to Use It Against Them

  • Hackers often spend weeks or months lurking on a target network to prepare for an eventual cyberattack. They will attempt to establish communication with an external “command-and-control structure” — all from inside the target’s environment.
  • This scenario provides a prime opportunity to watch (and learn) from hackers, in order to stop them in their tracks.
  • HYAS cybersecurity solutions empower organizations to proactively protect their environment instead of merely reacting to attacks.

 

What can we learn about threat attacker infrastructure in today’s multifaceted threat landscape? What are the best ways to protect our valuable networks, servers and devices?

Lying In Wait

Hackers can continue to steal data month over month, not only taking the time to find the right data to steal, but finding the most valuable data that may change or update that they can continue to steal each day/week/month - as what might be found in a Telco environment.

However, all this stealthy snooping around requires communication back and forth between an attacker’s “command-and-control” (C2) structure outside of the target network. That’s essentially the hackers’ mechanism for exploring the target environment, advancing the attack, stealing data and potentially encrypting it to hold the target for ransom. It’s the infrastructure of cybercrime; the infrastructure they use on the internet to deliver instructions.

Hackers will (virtually) pick a target, case the joint and lay some groundwork before pulling off the proverbial heist. This is adversary infrastructure, and if detected, will give security teams a fundamental advantage to not only identify it, but obliterate it.

Assume the Breach

At HYAS, we know that even the best defenses can’t keep everything out of a network. You can be 99% secure and then have that 1% be what takes the company down. We assume an environment either is or will soon be breached.

We founded HYAS with a mission to tackle cyber threats differently — to use our expertise in adversary infrastructure to discover threats before they become attacks. Regardless of how an attacker gets into an organization, if you can quickly identify the telltale signs of communication with threat actor infrastructure, then you can shut down the communication before the attack does any damage.

HYAS is the leading expert in adversary infrastructure. That’s how we help our clients proactively identify and prevent attacks before they even begin.

So how do we do it?

Rich Data — and Lots of It

HYAS maintains legal, GDPR-compliant contracts that allow us to automatically gather and pull data into our massive graph database. This is what sets us apart and powers our cyber security solutions. Our data is truly unique for two reasons.

1. We have data that others don’t

We have a lot of data. But more importantly, we have context for that data. We gather trillions of data points to identify, correlate, and attribute adversary infrastructure. Part of the “special sauce” is what beespoke data sources HYAS gathers data from. We make the connections and provide dynamic updates 

What do we do with all that data? HYAS builds the correlations and combinations across the data — so we know, for instance, that a phishing email is related to four particular domains, which are related to 12 IPs and six phone numbers … and on and on.

Anyone implementing a legacy allow-and-deny-list practice can detonate a piece of malware, understand that xyz[.]com is a nefarious domain and update their single data point. But when HYAS learns a new piece of information or detonates a piece of malware, we do more than just update that deny list. We can update everything in that causation chain.

That’s what allows us to stay ahead of malware and changing command-and-control structures. Even if threat actors created a domain five minutes ago, it might not be used in an attack until six months from now; nevertheless, HYAS knows that it will likely be used for nefarious purposes because of where it fits into the graph database.

When a malicious domain does get used, we know it’s for criminal purposes, and you don’t want anything to do with it. And so on top of this incredibly rich data lake, we’ve built a number of API-forward SaaS solutions to solve a variety of interesting problems.

HYAS Insight

Threat researchers, fraud researchers and threat investigators around the world can take the indicators of compromise (IOCs) they find, plug them into our data lake, and understand everything they need to know about an attack and the overall campaign architecture. These inquiries can be made through our user interface, through our APIs or through third-party products.

Most of the use cases across our customer base have one of two objectives:

1. Law and order

Many clients want to understand the origin of an attack so they can either adjust their own defenses or research, or involve law enforcement. Several HYAS clients have done that very successfully — including a Canadian credit union that used high-confidence threat intelligence from HYAS Insight to request the takedown of a malicious domain for brand infringement before an attack took place.

2. Proactive (but private) protection

Other clients don’t want to involve law enforcement. They simply want to proactively protect themselves. Clients can use HYAS Insight to study bad actors and the assets they haven’t used yet, regardless of whether the hackers plan to use them tomorrow or six months from now. HYAS Insight empowers companies to go deeper than they ever thought possible, watching (and understanding) their enemies just as much as the enemies watch and investigate them.

That’s why three of the Fortune 5 and many of the largest Fortune 100s in the world trust HYAS Insight, from credit card processors to social networks to prestigious financial services and high-tech companies.

HYAS Protect and HYAS Confront

HYAS Insight is an ideal tool for experienced security teams, but some clients don’t have the in-house expertise they need to follow cybercriminals down the metaphorical rabbit hole.

So we created sister products that are a bit more proactive — and don’t require experts to administer. They’re the ideal “set it and forget it” solutions for all types and sizes of organization..

Our CEO likes to share this analogy: “I’m old enough to remember when people used to do call screening. The phone would ring, but you wouldn’t answer it — you’d listen to the answering machine to decide if you wanted to answer that phone call or not. Nobody does that anymore. Today, the phone rings and you look at the caller ID — you look at that endpoint, and you decide if you want to have a conversation with that endpoint or not.”

That’s exactly what HYAS Protect and HYAS Confront can do for your corporate and production networks. Whenever your laptop, phone, database, server — even your connected coffee pot — reaches out to have a conversation with a remote domain, HYAS Protect and HYAS Confront can tell you whether that conversation should be happening or not.

HYAS Protect is for the corporate environment. You can deploy HYAS Protect as a cloud-based protective DNS security solution or through API integration with existing cybersecurity services.

HYAS Confront is for the production environment. The solution tracks all your DNS transactions to establish a baseline of normal traffic. Then, continuous monitoring spots uncharacteristic activity immediately so you can respond appropriately.

Both products work in two key ways:

  • By tapping an immense depth and breadth of knowledge of adversary infrastructure as well as knowledge about each endpoint.
  • With data from our watch engine, which observes communication patterns to and from each endpoint.

Advanced Intelligence, Meet Clarity and Control

Our mission is to give you the visibility and the control you need in order to protect your network. With that protection, you’ll have the confidence needed to move your business forward, regardless of your employees’ locations or the setup of your production network. We map adversary tactics, techniques and procedures to cybercriminals’ attack infrastructure — so security actions can be proactive, not merely reactive.

HYAS Insight, HYAS Confront and HYAS Protect are all API-forward solutions that integrate readily into your security stack, so you can make the most of your existing tools and won’t have to rip and replace anything you’ve already purchased. HYAS solutions can integrate into your SIEM, SOAR, TIP and even proprietary systems, all the way down to each of your endpoints.

HYAS gives you the ability to find that needle in the haystack of needles. You can detect threats and uniquely stop them in their tracks. But in some cases, suspicious activity isn’t actually nefarious. It may be simply an anomaly — or perhaps risky behavior that isn’t directly nefarious. You willbe able to identify hygiene issues that aren’t necessarily indicators of nefarious activity today but can expose you and your organization to untold risks tomorrow.

There’s a lot of data out there, and plenty of places to attack. Cybercriminals move fast — even if they lay low for months.

We’ll watch your back, so you can make your mark.

Are you ready to protect yourself in a more dangerous cyber landscape? Move your business forward with HYAS today.

Back to Blog