Early Warning

Cybercrime activities are often implemented and supported by botnets: networks of thousands of compromised machines, geographically distributed and highly variable both in behavior and in their resistance to the countermeasures adopted to block them. These botnets are controlled by criminal organizations that have adopted a shared usage model, “Crimeware as a Service”, with a high degree of customization and service-level agreements (SLAs). Facing a business model built on such complex and changing scenarios therefore requires collecting and processing as much information as possible.

The Early Warning service provided by Communication Valley SOC is designed to collect, map and analyze intelligence data on the scenarios, technologies and methods used in cybercrime. The information obtained is made available to the monitoring and anti-fraud services to direct and support the prevention and handling of customers’ incidents. The same information enriches the knowledge base, which is the most important element of an effective and proactive response to continuously evolving threats.

The latest generation of botnets is composed of large numbers of compromised machines (tens or hundreds of thousands) with a wide geographical distribution. Such dynamic scenarios can be studied only through constant monitoring of the domains they use. The information obtained in this way can provide a decisive advantage, for example in Security Monitoring and Fraud Management services.

The activities carried out by analysts for the Early Warning service include:

  • Rationalization and mapping of intelligence data;
  • Trend analysis of how the different security scenarios evolve;
  • Identification and analysis of emerging threats;
  • Identification and tracking of botnets and fast-flux networks (size, geographic location, behavior, evolution pattern and so on);
  • Collection and analysis of malware;
  • Reverse engineering (disassembly) of malicious code;
  • Automatic feeding of SIEM tools (watchlists, alerts and so on).
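The fast-flux tracking item in the list above can be illustrated with a small heuristic. The following Python block is an added example, not Communication Valley SOC code: it scores domains from repeated DNS resolutions using the features commonly associated with fast-flux networks (many distinct IPs spread over several networks, low TTLs, high churn between polls). The observations, the /16 grouping used as a stand-in for an ASN lookup, and the thresholds are all assumptions constructed for illustration.

```python
"""Heuristic fast-flux scoring over repeated DNS resolutions.

Added example, not Communication Valley SOC code. Observations, thresholds
and the /16 grouping (a stand-in for a real ASN lookup) are assumptions.
"""
import ipaddress

# Constructed DNS observations: (domain, TTL in seconds, A records returned),
# one tuple per poll of the analyst's resolver.
OBSERVATIONS = [
    ("flux-example.test", 180, ["203.0.113.10", "198.51.100.22", "192.0.2.5"]),
    ("flux-example.test", 180, ["198.51.100.87", "203.0.113.200", "192.0.2.150"]),
    ("flux-example.test", 120, ["203.0.113.45", "198.51.100.9", "192.0.2.77"]),
    ("static-example.test", 3600, ["198.51.100.1", "198.51.100.2"]),
    ("static-example.test", 3600, ["198.51.100.1", "198.51.100.2"]),
    # Looks "busy" (low TTL, several IPs) but stays inside one network, as a CDN would.
    ("cdn-example.test", 60, ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"]),
]


def network16(ip: str) -> str:
    """Group an address by its /16 (assumption: proxy for 'distinct network/ASN')."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def flux_features(domain: str, observations) -> dict:
    """Compute per-domain features from all polls of that domain."""
    polls = [(ttl, addrs) for d, ttl, addrs in observations if d == domain]
    if not polls:
        raise ValueError(f"no observations for {domain}")
    seen = set()
    churn = []  # fraction of never-before-seen IPs in each poll after the first
    for _, addrs in polls:
        if seen:
            churn.append(sum(1 for a in addrs if a not in seen) / len(addrs))
        seen.update(addrs)
    return {
        "distinct_ips": len(seen),
        "distinct_nets": len({network16(a) for a in seen}),
        "min_ttl": min(ttl for ttl, _ in polls),
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(f: dict, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.5) -> bool:
    """Assumed thresholds: all four conditions must hold to flag a domain."""
    return (
        f["distinct_ips"] >= min_ips
        and f["distinct_nets"] >= min_nets
        and f["min_ttl"] <= max_ttl
        and f["mean_churn"] >= min_churn
    )


def classify(observations) -> dict:
    """Map every observed domain to a fast-flux verdict."""
    domains = sorted({d for d, _, _ in observations})
    return {d: is_fast_flux(flux_features(d, observations)) for d in domains}


if __name__ == "__main__":
    for domain, verdict in classify(OBSERVATIONS).items():
        print(domain, flux_features(domain, OBSERVATIONS), "FAST-FLUX" if verdict else "ok")
```

The churn feature is what separates a flux network from a busy but stable load balancer: the CDN-like domain above has a low TTL and several IPs, yet returns the same set every poll and sits in a single network, so it is not flagged.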

These activities allow the identification of suspicious domains and IP addresses, including those used to serve 0-day exploits.
Data collection is carried out using different sources and tools, such as:

  • Blacklists. Sets of domains and/or IP addresses known as sources of malicious or suspicious activity, such as malware distribution or support for spam and phishing campaigns.
  • Spamtraps. E-mail boxes used only to collect spam. The received messages are analyzed to determine the domains “advertised” in the e-mails. This has proved to be the most effective way to collect domains linked to phishing and malware distribution.
  • Honeynet. A set of virtual nodes (honeypots) that advertise fake services and collect both statistics on network traffic and malicious agents (domains, IPs), as well as malware samples for analysis.
  • Intelligence data collection from unstructured sources (e.g. RSS feeds, web sites, forums, IRC channels, e-mails and so on) to identify emerging trends and new threats.
  • Sandboxes. Used to automate the collection of malicious code and its subsequent analysis, with the aim of precisely characterizing the malware’s behavior.
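As an added example of the spamtrap-to-SIEM path described in the list above (not the SOC’s own tooling), the Python below extracts the domains advertised in spamtrap messages, enriches them against a blacklist, and emits a watchlist in CSV form ready to be loaded into a SIEM. The sample messages, the blacklist, the allowlist and the severity rule are constructed assumptions.

```python
"""Turn spamtrap mail into a SIEM watchlist of advertised domains.

Added example, not the SOC's own tooling. Messages, blacklist, allowlist
and the severity rule are constructed assumptions.
"""
import csv
import io
import re
from collections import Counter
from email import message_from_string
from urllib.parse import urlparse

# Constructed spamtrap messages (RFC 5322 text) as a trap mailbox would store them.
SAMPLE_SPAM = [
    "From: alerts@mailer.example\nTo: trap@spamtrap.test\nSubject: Account notice\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Verify your account at http://login-secure-bank.test/verify?id=42 within 24h.\n",
    "From: shop@mailer.example\nTo: trap@spamtrap.test\nSubject: Special offer\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<html><body><a href="http://cheap-meds.test/order">Order now</a>'
    '<img src="https://cheap-meds.test/img/logo.png"></body></html>\n',
    "From: alerts@mailer.example\nTo: trap@spamtrap.test\nSubject: Account notice\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "Verify at http://login-secure-bank.test/verify?id=77\n"
    "Unsubscribe: http://www.example-legit.test/unsubscribe\n",
]

# Constructed blacklist (domain -> reason) and allowlist of known-benign domains.
BLACKLIST = {"cheap-meds.test": "malware distribution"}
ALLOWLIST = {"example-legit.test"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_allowlisted(host: str) -> bool:
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def extract_domains(raw_message: str) -> set:
    """Return the set of hostnames advertised in a message's text/* parts."""
    msg = message_from_string(raw_message)
    domains = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, errors="replace")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname  # already lowercased by urlparse
            if host and not is_allowlisted(host):
                domains.add(host.rstrip("."))
    return domains


def build_watchlist(messages, blacklist=BLACKLIST) -> list:
    """Count each domain once per message and rank it for the SIEM."""
    counts = Counter()
    for raw in messages:
        counts.update(extract_domains(raw))
    rows = []
    for domain, n in counts.most_common():
        if domain in blacklist:          # assumed rule: known-bad wins
            severity = "high"
        elif n >= 2:                      # assumed rule: repeated in several messages
            severity = "medium"
        else:
            severity = "low"
        rows.append({"domain": domain, "messages": n,
                     "known": blacklist.get(domain, ""), "severity": severity})
    return rows


def to_csv(rows) -> str:
    """Serialize the watchlist as CSV for SIEM import."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["domain", "messages", "known", "severity"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_watchlist(SAMPLE_SPAM)))
```

Counting a domain once per message rather than once per URL keeps a single HTML mail with many links from outranking a domain that recurs across a campaign; the allowlist avoids pushing legitimate unsubscribe or tracking hosts into the SIEM.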
