Under the hood.
Group-IB Threat Intelligence & Attribution. Part 1

Dive into Breached DB section
Dmitry Volkov
CTO & Co-Founder, Group-IB
According to industry researchers, the threat intelligence market is expected to reach USD 20 billion in revenue per annum by 2028, with more organizations of different sizes understanding the value of tactical, operational, and strategic data about threats to their digital and physical assets.

By 2021, cyber threat intelligence (CTI) had evolved significantly from what it was in the 2000s. Vendors, research agencies, and regulators have varying and sometimes contradictory interpretations and definitions of CTI. Businesses should therefore weigh their own needs against each vendor's proposition, and it is always best to run a proof of concept (POC) or test the products rather than make investment decisions purely on the basis of marketing reports.

This blog post opens a series in which Group-IB team members will explain how to maximize the value of threat intelligence and attribution. We will showcase how to take advantage of different proprietary features of Group-IB's Threat Intelligence & Attribution solution to provide better protection to customer assets and help them make more informed and balanced risk mitigation decisions.

In this entry we showcase:

  • How large the market for breached databases is;
  • How attackers use this compromised data to harm businesses and extract financial gain;
  • Which technologies are needed to detect and monitor breached credentials;
  • How to address a number of threat scenarios with the "Breached DB" section of Group-IB Threat Intelligence & Attribution.
Use cases: Breached databases
Since the launch of Group-IB's Threat Intelligence & Attribution solution, the number one priority has been to tailor what we do and the data we provide as closely as possible to the customer. Users can adjust a customizable matrix to track threats relevant not only to their own company but also to their partners and customers.
Unlike other threat intelligence vendors, Group-IB has a strong focus on monitoring and detecting user credentials compromised through malware activity, phishing attacks, and data breaches, with zero false positives.

We use our proprietary patented technology Bot-trek(™) to monitor for compromised credentials and bank cards by analyzing network protocols used by malware to communicate with its C&C server.

In addition, Group-IB uses sinkholing to redirect malicious traffic to Group-IB's sensors and identify the victims. We also monitor phishing resources and collect the configuration files of these sites to learn how the operators store the logs of stolen data, then locate those logs in order to identify every compromised user.

One of Group-IB's obvious strengths is the unique primary data coming from Group-IB's services arm, in particular cyber investigations and incident response engagements. On the Dark Web, our technology tracks published databases leaked from legitimate resources in order to detect client-relevant data breaches.

In this blog post, we focus on breached databases, which we detect on the Dark Web more and more often: why they matter increasingly, and how our threat intelligence on breached databases can be used to prevent cyber attacks and protect against them.
What threat actors do with breached data
There are many Dark Web resources that threat actors use to share compromised or leaked data. One of the most popular platforms for sharing and trading compromised data is RaidForums. Unsurprisingly, it has become one of the major sources for the CTI community.

The RaidForums community both shares data for free and trades it. There is also a large set of breach compilations that combine many different leaks; they are shared across hacker forums to simplify the day-to-day operations of cybercriminals, and usually contain billions of user records.

Cybercriminals use breached data to carry out different activities:

  • Password spraying: the attacker circumvents common countermeasures (e.g., account lockout) by "spraying" one password, typically a common one taken from breach data, across many accounts before trying the next password;
  • Credential stuffing: the attacker automatically replays compromised email/password pairs from breached databases against other services in order to hijack the accounts of users who reused the same password;
  • Follow-up social engineering: the attacker interacts with the victim using sensitive personal information about the user obtained from the Dark Web.
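The two automated techniques above leave recognisable traces in authentication logs: a spraying or stuffing source touches many distinct accounts with one or two failures each, while classic brute force piles failures onto a single account, and a success from a source that has been spraying is a probable account takeover. The following detector is an added example written for this post, not Group-IB code or any product feature; the log format, the thresholds and the sample log lines are constructed for illustration.

```python
"""Added example, not Group-IB code: spotting the attack patterns described above
(password spraying / credential stuffing versus brute force) in authentication logs.
The log format, thresholds and sample lines are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <OK|FAIL> user=<account> src=<client ip>"
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

# Constructed sample log (not real data).
SAMPLE_LOG = [
    # one source, one attempt against each of five accounts: horizontal pattern
    "2021-05-10T09:00:01 FAIL user=alice@example.com src=203.0.113.7",
    "2021-05-10T09:00:02 FAIL user=bob@example.com src=203.0.113.7",
    "2021-05-10T09:00:03 FAIL user=carol@example.com src=203.0.113.7",
    "2021-05-10T09:00:04 FAIL user=dave@example.com src=203.0.113.7",
    "2021-05-10T09:00:05 FAIL user=erin@example.com src=203.0.113.7",
    # ...followed by a success from the same source: probable account takeover
    "2021-05-10T09:00:06 OK user=frank@example.com src=203.0.113.7",
    # a normal user who mistyped once
    "2021-05-10T09:02:00 FAIL user=grace@example.com src=192.0.2.5",
    "2021-05-10T09:02:05 OK user=grace@example.com src=192.0.2.5",
] + [
    # nine failures against a single account: vertical brute force
    f"2021-05-10T09:01:{s:02d} FAIL user=admin@example.com src=198.51.100.9"
    for s in range(9)
]


def parse(line):
    """Return (timestamp, result, user, src), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def analyze(lines, spray_accounts=5, brute_failures=8):
    """Classify a batch of log lines.

    spray/stuffing: one source fails against >= spray_accounts distinct accounts
    brute force:    one account accumulates >= brute_failures failures
    takeover:       a successful login from a source already flagged as spraying
    A production detector would evaluate these counts per time window; this
    example treats the whole batch as one window.
    """
    events = sorted(e for e in map(parse, lines) if e is not None)
    src_accounts = defaultdict(set)   # src -> accounts it failed against
    acct_failures = defaultdict(int)  # account -> failure count
    successes = []                    # (user, src) of successful logins
    for _ts, result, user, src in events:
        if result == "FAIL":
            src_accounts[src].add(user)
            acct_failures[user] += 1
        else:
            successes.append((user, src))
    sprayers = {s: len(a) for s, a in src_accounts.items() if len(a) >= spray_accounts}
    brute = {u: n for u, n in acct_failures.items() if n >= brute_failures}
    takeovers = {(u, s) for u, s in successes if s in sprayers}
    return {"spray_sources": sprayers, "brute_accounts": brute, "takeovers": takeovers}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the detector flags 203.0.113.7 as a spraying source (five distinct accounts), admin@example.com as a brute-force target (nine failures) and frank@example.com's login from the spraying source as a takeover, while grace's single mistyped password is ignored. The thresholds are deliberately conservative; in practice they are tuned per environment and evaluated over sliding time windows.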
Interestingly, the demand for breached databases has grown with the rise of ransomware attacks. According to the Ransomware Uncovered 2020-2021 report, in 52% of all attacks analyzed by the Group-IB DFIR team, publicly accessible RDP servers were used to gain initial access to corporate networks, and one of the most popular ways to compromise RDP is to use credentials from breached databases. Businesses can force their users to change their passwords, but at some point users reuse old passwords again.
Using our Threat Intelligence & Attribution system we see more than 1,100 breached databases publicly available for download and more than 34 billion unique user records. This number continues to grow every day.
Screenshots from the original post (not reproduced here):
  • Underground listing offering a huge breach compilation with 3.2 billion user records
  • A compilation from different databases with the details of 236 million US citizens for sale
  • People Data Labs database offered for free
When Group-IB Threat Intelligence & Attribution detects a new breached database, the system checks whether it contains records relevant to our customers, matched against their domains or tailored hunting rules. This allows us to notify every affected client in real time.

Because the same records turn up in different breaches, we group them by email address to understand where else we have seen a compromised account, which additional details leaked with it (every breach has its own set of available fields), when it was published, and by whom.

In the example shown in the screenshot (not reproduced here), the same compromised email was observed in 5 different breached databases published between November 2016 and April 2021 by different threat actors. Every breach contained different details about the user: date of birth, home square footage, address, password, and so on.
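The matching and grouping described above (domain and hunting-rule checks, one timeline per email across breaches with each breach's own fields, and passwords masked before anyone sees them) is easy to reproduce on a small scale. The script below is an added example written for this post, not Group-IB code; the breach names, threat-actor handles, field names, records and customer configuration are all constructed.

```python
"""Added example, not Group-IB code: matching a newly detected breach against a
customer's monitored domains and hunting rules, grouping hits by email across
breaches, and masking passwords before they are shown to anyone.
Breach names, actors, field names, records and the customer config are constructed."""
from collections import defaultdict

# Constructed breach dumps. Note that each breach carries its own set of fields.
BREACHES = [
    {"name": "shop-2016", "published": "2016-11-03", "actor": "seller_one", "records": [
        {"email": "Jane.Doe@Example.com", "password": "Summer2016!", "dob": "1985-02-14"},
        {"email": "bob@unrelated.test", "password": "hunter2"},
    ]},
    {"name": "realty-2021", "published": "2021-04-20", "actor": "seller_two", "records": [
        {"email": "jane.doe@example.com", "address": "1 Main St", "home_sqft": "2400"},
        {"email": "it-admin@corp.example.com", "password": "Welcome1"},
        {"email": "ceo.personal@webmail.test", "password": "Qwerty123"},
    ]},
]

# Customer configuration (assumed): corporate domains plus a hunting rule that
# lists executives' personal mailboxes.
MONITORED_DOMAINS = {"example.com"}
HUNTED_EMAILS = {"ceo.personal@webmail.test"}


def normalize_email(value):
    """Breach dumps mix cases; compare a canonical lower-case form."""
    return value.strip().lower()


def domain_matches(email, domains):
    """True if the mailbox is on a monitored domain or one of its subdomains."""
    domain = email.rsplit("@", 1)[-1]
    return any(domain == d or domain.endswith("." + d) for d in domains)


def mask_password(secret):
    """Keep only the first character and the length, so an analyst can confirm
    a leak without the plaintext ever being displayed or relayed."""
    return secret[:1] + "*" * (len(secret) - 1)


def match_breaches(breaches, domains=MONITORED_DOMAINS, hunted=HUNTED_EMAILS):
    """Return {email: [sighting, ...]} for relevant records, oldest breach first."""
    sightings = defaultdict(list)
    for breach in breaches:
        for rec in breach["records"]:
            email = normalize_email(rec.get("email", ""))
            if not email or not (email in hunted or domain_matches(email, domains)):
                continue
            details = {k: v for k, v in rec.items() if k != "email"}
            if "password" in details:
                details["password"] = mask_password(details["password"])
            sightings[email].append({
                "breach": breach["name"],
                "published": breach["published"],
                "actor": breach["actor"],
                "details": details,
            })
    for hits in sightings.values():
        hits.sort(key=lambda h: h["published"])
    return dict(sightings)


if __name__ == "__main__":
    for email, hits in match_breaches(BREACHES).items():
        print(email)
        for h in hits:
            print(f"  {h['published']} {h['breach']} by {h['actor']}: {h['details']}")
```

On the sample data, jane.doe@example.com gets a two-entry timeline (a 2016 leak with a masked password and date of birth, then a 2021 leak with address and square footage), the subdomain mailbox it-admin@corp.example.com is caught by the domain rule, the executive's personal mailbox is caught by the hunting rule, and the unrelated record is dropped. Two details worth keeping in a real implementation: match subdomains as well as the bare domain, and normalise the email case before grouping, or the same account will appear as several.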
For Group-IB, context and attribution are the key components of understanding an attack. Every breach detected by our system is accompanied by a brief report and is linked to the author of the listing on the underground forum or marketplace. If a Threat Intelligence & Attribution user clicks on the threat actor's nickname, the solution displays their full profile in the Dark Web section: the forums where the threat actor is registered, their post history and the text of those posts, contact details, the specific threads they started and participated in, and more.

Because cybercrime is global, attacks can come from any country and perpetrators may write in any language. To overcome this, Group-IB automatically translates threat actors' messages from more than 100 languages into a form the user can read.
In addition to real-time monitoring of underground forums, Group-IB's Threat Intelligence & Attribution system holds historical records from underground forums going back to 2003, making it one of the oldest and most extensive Dark Web databases in the industry.

This feature allowed us to investigate the activities of Fxmsp, the infamous seller of access to corporate networks. Our researchers retrieved and analyzed hundreds of Fxmsp's posts, including ones he had deleted or edited, which let us trace the history of his crimes, the evolution of his persona, and the exact methods he used to compromise corporate networks.
The value of the Breached DB section of Group-IB Threat Intelligence & Attribution
With regard to breached user data, there are four main use cases of the Group-IB Threat Intelligence & Attribution system for customers:

1. Protection of corporate users or their customers
This is the default use case mentioned at the beginning. Using the client's corporate domains, we check whether any breached accounts belong to those domains and notify the client directly or through an API integration.

The client's administrators can then reset passwords, block affected accounts, and tell the users about the breach so they can protect their other accounts outside the corporate domain. That last step matters: if an attacker compromises, for example, the personal email of one of your employees, it can be used in a social-engineering attack against other employees of your organization.

2. Protection of top management's personal accounts
Companies can create hunting rules in the Threat Intelligence & Attribution settings to specify a list of personal email addresses to monitor, for example the personal accounts of the company's executives. We will notify you about these compromised accounts so you can protect the digital lives of your senior management. To preserve the users' privacy, Group-IB masks sensitive details such as passwords, so that nobody can misuse them.

3. Investigation of cybercrime
Cybercriminals are no different from other internet users: they too are exposed to breaches of the legitimate resources they use. With the search options in the "Breached DB" section of the Threat Intelligence & Attribution solution, security analysts can check whether a threat actor's contact details appear in a breach. Such contact details can be obtained from malicious domain registrations, messages on hacking forums or illicit marketplaces, ransom notes, and so on. A hit can mean that the threat actor is using someone else's compromised account to hide their identity; if it is the actor's own account, the data in the breach can reveal more about their identity.

4. Service to check if the password is breached
To protect login and registration forms, it is useful to check whether a submitted password has already appeared in a breach. Such checks help prevent password spraying, credential stuffing, and simple brute-force attacks, because all three rely on passwords that are already known.
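A breached-password check must not turn the check itself into a leak: the form should never send the plaintext, or even the full hash, to the lookup service. The script below is an added example written for this post, not Group-IB code or a description of its API; it follows the k-anonymity range-query design used by public breached-password services, where the client sends only the first five hex characters of the password's SHA-1 and compares the returned suffixes locally. The corpus, counts and candidate passwords are constructed.

```python
"""Added example, not Group-IB code: a breached-password check for login and
registration forms using a k-anonymity range query.  The client sends only a
5-character hash prefix; neither the plaintext nor the full hash leaves the form.
The corpus below is constructed for illustration."""
import hashlib

# Constructed corpus: SHA-1 (upper-case hex) of passwords seen in breaches -> how
# many times each was seen.  A real corpus holds billions of entries.
_SEEN_IN_BREACHES = {"password": 3, "Summer2016!": 2, "Qwerty123": 5}
CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
          for p, n in _SEEN_IN_BREACHES.items()}


def range_query(prefix):
    """Server side: return {suffix: count} for every hash sharing the 5-char prefix.
    The server learns only the prefix, which hundreds of passwords share."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in CORPUS.items() if h.startswith(prefix)}


def breach_count(password):
    """Client side: how many times the password appeared in breaches (0 = never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def is_acceptable(password, min_length=12):
    """Policy for new passwords: long enough and never seen in a breach."""
    return len(password) >= min_length and breach_count(password) == 0


if __name__ == "__main__":
    for candidate in ("Qwerty123", "correct-horse-battery-staple-2021"):
        print(candidate,
              "breached" if breach_count(candidate) else "clean",
              "accepted" if is_acceptable(candidate) else "rejected")
```

Call is_acceptable at registration and password change, and breach_count at login to decide whether to step up authentication or force a reset; a password that is merely breached elsewhere is exactly what credential stuffing will try first. SHA-1 is used here only because it is the hash the corpus is keyed by, not as a password storage hash; stored credentials still need a slow, salted hash.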