Group-IB unveiled its new system titled Threat Intelligence & Attribution at the CyberCrimeCon20 conference. According to the Skolkovo resident, the system is the first of its kind and is designed to map out and hunt threats on a company-specific basis.

Ilya Sachkov: Group-IB has zero tolerance to cybercrime. Screengrab:

During two sessions, Group-IB's co-founder and chief technical officer Dmitry Volkov presented on the current trends in cybercrime before doing a demo of the new Threat Intelligence & Attribution system. According to Mr. Volkov, ransomware affiliate programs increased by 50% from 2019-2020, changing the cybercrime markets as cybercriminals shift their attention away from individuals to big companies. Due to this increased popularity, the largest banking botnet operators have joined these affiliate programs and are deploying ransomware, including well known banking botnets such as Silent Night, Qbot, TrickBot, and RTM.

The largest single ransomware case this year broke the records with a demand of $10 million from a government company. In spite of this, public domain information shows that only 62 out of 2500 (2.5% approx.) network encryptions by TrickBot botnet owners were reported publicly. TrickBot botnet has been described as one of today’s top-3 most successful Malware-as-a-Service (MaaS) operations in the cybercrime underworld according to ZDNet; while the lack of publicly reported incidents inhibits the ability to know precisely the damage ransomware has done over the last year, Group-IB estimates that it is over $1 billion. One of the most high-profile ransomware cases in recent years is the WannaCry ransomware outbreak in 2017, which spread across the world affecting over 200,000 computers in 150 countries and causing around $4 billion in losses.

As of 2020, a new trend has been to sell access to compromised companies online; that is to say, to sell access to compromised corporate networks. During his presentation, Mr. Volkov said that although the market size in 2018 was just $1.6 million, this has nearly quadrupled to $6.1 million as of 2020. Nearly a third of compromised companies are located in the United States, while the other countries in the top-5 are in Europe. By category, the most targeted are governmental, educational, IT, manufacturing and healthcare companies. As the market size has increased, so too has the number of sellers of compromised networks, making this a very real threat to the integrity of companies’ networks across the world.

Threat Intelligence & Attribution

Where does Threat Intelligence & Attribution come in? In short, it is a tool that compiles a tailored threat map for each client, while actively hunting attackers. It shows threats that are specific to a company, its partners and clients, industry threats (threats to the industry specific to the client), and can tell if threat actors are of the cybercriminal or nation state categories.

To create such a threat landscape, high quality profiling on threat actors is necessary, according to Mr. Volkov. As mentioned, threat actors are divided into two categories: cybercriminals and nation states. Under these two are the lists of detected threat actors, and during the demo, Mr. Volkov selected a China-based group from the cybercriminal category. TI&A then displayed the list of attacks the group has been involved in, including the target countries, the target sectors, time stamps, the group’s main attack course, alternative names of the group, and so on.

Demo of Threat Intelligence & Attribution. Screengrab:

In this way, TI&A offers security teams the tools to connect “events” surrounding an attack, attribute threats, analyze malicious code and respond to an incident promptly, while the smart ecosystem is designed to automatically halt targeted attacks on a given organization.

“The majority of attacks on an organization should be able to be stopped automatically, but this is still not enough,” said Mr. Volkov during an interview with “With time, money and intelligence, cybercriminals will learn to overcome automated detection systems. We must be prepared to gain experience through hunting while using ‘sharpened tools.’ Simply blocking is not enough, because tomorrow you will be attacked again based on how you stopped the attack today. Hunting is a continuous process based on huge amounts of data such as system events and traffic meta-data, domains, hosts, and profiles of the attacking groups. To work with this, you need a ‘third hunter,’ one that hunts cyber threats and hackers. That is the future of cybersecurity.”

Co-founder and chief technical officer Dmitry Volkov. Photo: Group-IB.

The Group-IB engineering team was guided by several principles while creating the technology. Firstly, the system and detection algorithms should “know” cybercriminals, while cybersecurity specialists should get either a good technical justification or a full intelligence context of the threat – that is, who is attacking, what are the attackers’ motives, what tactics are being employed, what tools are being used and what could potentially be used in further attacks. The security system should efficiently detect and quickly block the threat, even though nowadays that isn’t enough. Detection is just the beginning when it comes to creating working cybersecurity strategies.

Secondly, the process of data enrichment of current security systems should be automated. For this, the analysis mechanism moves beyond simple threat detection. It is extremely important to fully extract and run malicious code in isolation; in doing this, you can collect an array of indicators that will help with hunting for further threats in the network.

Group-IB’s Threat Hunting Framework is a universal solution for IT and service networks whose main tasks are to detect unknown threats and full-on attacks earlier, find both internal and external threats, and also investigate and respond to cybersecurity incidents. The Threat Hunting Framework architecture includes several main functional modules.

One of these is Sensor, which is used to uncover threats at the network level through deep analysis of network traffic; meanwhile Sensor Industrial, a separate module, can protect a service network from full-on attacks. It provides integrity control for the software and firmware of automated process control systems by analyzing industrial protocols, and comprehensive network protection using machine learning, so that threats using customized protocols can be detected with trained classifiers.

Another Group-IB innovation is a platform called Polygon, which is designed to “detonate” malicious code. It detects threats by doing behavioral analyses on emails, files and link content; it isolates the malicious code, which causes it to “detonate,” allowing you to get indicators of attack (IoA) and to perform an attribution of the detected threat.

Dmitry Volkov: "This is a new solution on the cybersecurity market, which for now is unique." Screengrab:

Group-IB also presented an innovative protection for user work stations called Huntpoint. This module creates a full chronology of events on an employee’s computer, uncovering anomalous events, blocking malicious files, immediately isolating the attacked host, and collecting important criminal data for further investigation.

Meanwhile, Huntbox is responsible for the fully automated analysis and correlation of events in a given network. The module provides a full map of events inside and outside a company network, helping to hunt for threats and uncover the activities of attacking groups that are targeting the company.

Threat Intelligence & Attribution has taken Group-IB to new levels, as it operates on a high-load capacity of data on hacker groups, their tools and their infrastructure. The appearance of TI&A on the market signals the advent of a new class of solution designed to collect data on threats and attacks that are relevant to specific organizations, investigate and hunt hackers, and protect network infrastructure.

Combining unique data sources with experience in investigating high-tech crimes and responding to complex multi-stage attacks across the world, TI&A acts as a pipeline of information for other Group-IB products that are actively hunting attackers and threats. The system retains data on hackers and their connections, domains, IPs and infrastructure for 15 years, including data that criminals attempted to delete. Its broad functionality means that it can be adjusted to the threat landscape not just for a particular industry, but for a specific company in a specific country.

The TI&A “system ideology” focuses on not just identifying the threat but on finding out who is behind it. The masses of data that it operates allow it to quickly link an attack to a specific group or individual. It is able to analyze and attribute threats that a company has already faced, detect leaks and compromised users, identify insiders that are trading company data on underground web sources, and uncover and block attacks targeting the company and its clients, regardless of the sector.

TI&A’s entrance onto the market will offer access to Group-IB’s internal tools, which until now were used exclusively by the company’s response, hunting and cyber intelligence teams. Now, every specialist using TI&A can search through the largest collection of data on the dark web – an advanced profiling model of hacker groups and a fully automated graph analysis that can correlate data and attribute threats to a specific criminal group or individual in a matter of seconds.
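The two capabilities described above, a company-specific threat map built from threat-actor profiles (target countries, sectors, alternative names, as in the demo) and graph-based correlation that attributes observed indicators to a known group, can be illustrated with a small model. The following is an added example, not Group-IB code and not a description of how TI&A is implemented; every actor name, indicator, profile value and infrastructure relation in it is a constructed placeholder, and the hop-limited graph walk is one simple attribution heuristic chosen for illustration.

```python
"""Added example, not Group-IB code: a toy model of two capabilities the article
describes, compiling a company-specific threat map from threat-actor profiles
(target countries, sectors, aliases) and attributing observed indicators to a
known group via a small infrastructure graph. Every actor name, indicator and
profile value below is a constructed placeholder, not real attribution data."""

from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ActorProfile:
    name: str
    category: str              # "cybercriminal" or "nation-state"
    aliases: frozenset
    target_countries: frozenset
    target_sectors: frozenset
    infrastructure: frozenset  # domains / IPs tied to the actor (constructed)


# Constructed sample profiles.
PROFILES = (
    ActorProfile("GroupAlpha", "cybercriminal", frozenset({"ALPHA-1"}),
                 frozenset({"US", "DE"}), frozenset({"healthcare", "finance"}),
                 frozenset({"alpha-c2.example", "203.0.113.10"})),
    ActorProfile("GroupBeta", "nation-state", frozenset({"BETA-APT"}),
                 frozenset({"US", "FR"}), frozenset({"government", "energy"}),
                 frozenset({"beta-update.example", "198.51.100.7"})),
    ActorProfile("GroupGamma", "cybercriminal", frozenset(),
                 frozenset({"JP"}), frozenset({"manufacturing"}),
                 frozenset({"gamma-cdn.example", "192.0.2.44"})),
)

# Constructed infrastructure relations (domain resolved to IP, IP hosted domain).
# A real system would draw these from passive DNS and hosting history.
INFRA_EDGES = (
    ("alpha-c2.example", "203.0.113.10"),
    ("203.0.113.10", "alpha-files.example"),  # sibling domain on the same host
    ("beta-update.example", "198.51.100.7"),
    ("gamma-cdn.example", "192.0.2.44"),
)


def resolve_alias(name, profiles=PROFILES):
    """Map a group name or any of its alternative names to the canonical profile name."""
    for p in profiles:
        if name == p.name or name in p.aliases:
            return p.name
    return None


def threat_map(country, sector, profiles=PROFILES):
    """Bucket actors by relevance to one company: 'company' = targets both the
    company's country and sector, 'country' = country only, 'industry' = sector only."""
    buckets = {"company": [], "country": [], "industry": []}
    for p in profiles:
        hits_country = country in p.target_countries
        hits_sector = sector in p.target_sectors
        if hits_country and hits_sector:
            buckets["company"].append(p.name)
        elif hits_country:
            buckets["country"].append(p.name)
        elif hits_sector:
            buckets["industry"].append(p.name)
    return buckets


def build_graph(edges=INFRA_EDGES):
    """Undirected adjacency map over infrastructure nodes."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def attribute(observed, profiles=PROFILES, edges=INFRA_EDGES, max_hops=2):
    """For each actor, find observed indicators that reach the actor's known
    infrastructure within max_hops pivots (breadth-first). Returns a list of
    (actor, [(ioc, matched_node, hops), ...]) ranked by number of supporting indicators."""
    graph = build_graph(edges)
    evidence = {}
    for p in profiles:
        hits = []
        for ioc in sorted(observed):
            seen, frontier = {ioc}, deque([(ioc, 0)])
            while frontier:
                node, hops = frontier.popleft()
                if node in p.infrastructure:
                    hits.append((ioc, node, hops))
                    break
                if hops < max_hops:
                    for nxt in graph.get(node, ()):
                        if nxt not in seen:
                            seen.add(nxt)
                            frontier.append((nxt, hops + 1))
        if hits:
            evidence[p.name] = hits
    return sorted(evidence.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    print(threat_map("US", "healthcare"))
    print(attribute({"alpha-files.example", "203.0.113.10"}))
```

The pivot through a shared IP is the point of the graph: the domain `alpha-files.example` is not in any profile, but it sits on a host that a profiled actor used, so it is attributed with one hop of evidence. In practice the hop count and the age of each relation would weight the score, since shared hosting and sinkholed infrastructure make low-cost overlaps unreliable on their own.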

TI&A detects attacks that traditional security methods do not protect against, offers a deeper understanding of the methods of high-level attackers, and assesses whether or not the protected infrastructure can resist them. This approach motivates and improves the efficacy of internal cybersecurity teams, while enhancing their expertise by providing a deep understanding of the threat landscape.