11/4/2022

Since Group-IB was established in 2003, the company's top priorities have been identifying and de-anonymising criminals and bringing them to justice. With time, all cybercrime investigations came to be carried out at the same time as analysis of attacker network infrastructure. In our early years, this analysis was a painstaking ordeal to establish links that might help identify criminals, i.e. information about domains, IP addresses, and server fingerprints. Most attackers do their best to remain anonymous online. Like everyone else, however, they make mistakes. The main goal of network graph analysis is to track down projects that cybercriminals carried out in the past - legal and illegal projects that bear similarities, links in their infrastructure, and connections to the infrastructure involved in the incident being investigated.

In illegal projects, a threat actor aims to hide their identity, but all the hackers are ordinary people and some of them might also have some legal projects online - forums or ecommerce websites. If a cybercriminal's previous legal project is detected, identifying him or her becomes simple. If only illegal projects are detected, however, it takes much more time and effort to identify the cybercriminals because they always attempt to anonymise or hide registration data. Nevertheless, our chances of identifying the hackers remain high. As a matter of fact, hackers pay less attention to their personal security and make more mistakes when they first embark on their criminal path, which means that the success of our investigation depends on how far back the traces we find date. That is why graphs with in-depth retro-analysis are crucial in such investigations. In short, the more historical data a company has, the more effective its graph will be. For example, the data for a five-year period could help solve one or two crimes out of ten, while data for a period of 15 years could help solve all ten crimes.

Lack of a provider with various sets of data: domains, passive DNS, passive SSL, DNS records, open ports, applications running on the ports, files that communicate with domain names and IP addresses. Explanation: Normally, providers offer only specific types of data and, in order to obtain a general picture, it is necessary to purchase subscriptions from various providers. However, even numerous subscriptions do not guarantee that all the data needed has been obtained: some passive SSL providers provide data only on certificates issued by CA associates, while their coverage of self-signed certificates is extremely poor. Meanwhile, others provide data on self-signed certificates that are collected from standard ports only. We gathered all the mentioned data sets ourselves. For example, to collect data about SSL certificates, we created our own service that gathers information from trusted CAs by screening the entire IPv4 address space. The certificates were collected not only from IP addresses but also from all the domains and subdomains in our base. For example, if a certificate has a domain “” and a subdomain “”, both of which resolve to IP address 1.1.1.1, they might receive three different results while trying to obtain an SSL certificate from port 443 for the IP address, the domain, and its subdomain. To collect data on the open ports and running services, a separate distributed scanning system has been created, given that other services frequently blacklisted IP addresses belonging to scanning servers. Our own scanning servers also sometimes get blacklisted, but our results in detecting the necessary servers are better compared to companies that simply scan as many servers as possible and then sell access to that data.

Lack of access to the entire database of historical records. Clarification: Each provider normally has a broad database, but we were unable to obtain access to all the historical records due to obvious causes. This means that it is possible to obtain the records for a specific element (a domain or an IP address) but not to see the whole range of data. In order to collect as many historical records on domains as possible, we have purchased various databases, parsed data from open sources, and reached agreements with domain name registration services. All the updates in our own bases have been kept together with the entire history of changes.

All existing solutions allow for the creation of graphs in manual mode only.
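The following is an added illustration, not Group-IB code, of the two points made above: a graph pivot over historical infrastructure records, and why the depth of the look-back window decides whether an old legal project (and its non-anonymised registration data) is ever reached. It also keeps passive SSL observations keyed by the name sent as SNI, because an IP, a domain and a subdomain can return different certificates from the same port 443. Every record, name, address, fingerprint and date is constructed sample data; the record kinds, the look-back logic and the function names are assumptions of this example.

```python
"""Toy infrastructure graph for retro-analysis pivoting (stdlib only).

Added example; not Group-IB's code. All records below are constructed sample
data: the domains, IPs, fingerprints, e-mail addresses and dates are invented.
"""
from collections import deque
from datetime import date, timedelta

# Reference "today" for the look-back window (constructed).
NOW = date(2022, 11, 4)

# Each record: (kind, left, right, first_seen, last_seen). Kinds mirror the
# data sets named in the text: passive DNS, passive SSL and registration data.
# Passive SSL is keyed by the exact name used as SNI (or the bare IP), since
# each of those lookups may yield a different certificate. Constructed data.
RECORDS = [
    # passive DNS: domain -> IP
    ("dns", "shop-evil.example", "198.51.100.7", date(2021, 3, 1), date(2022, 10, 1)),
    ("dns", "old-forum.example", "198.51.100.7", date(2009, 5, 2), date(2010, 1, 9)),
    # passive SSL: name sent as SNI (or bare IP) -> certificate fingerprint
    ("ssl", "198.51.100.7", "cert:DEFAULT-SELFSIGNED", date(2021, 3, 1), date(2022, 10, 1)),
    ("ssl", "shop-evil.example", "cert:A1B2", date(2021, 3, 1), date(2022, 10, 1)),
    ("ssl", "login.shop-evil.example", "cert:A1B2", date(2021, 6, 1), date(2022, 10, 1)),
    # registration: domain -> registrant e-mail (privacy-protected for the new one)
    ("whois", "shop-evil.example", "email:privacy@redacted.example", date(2021, 2, 20), date(2022, 10, 1)),
    ("whois", "old-forum.example", "email:realname@mail.example", date(2009, 4, 30), date(2010, 1, 9)),
]


def certificates_seen(records, name):
    """Fingerprints observed when connecting with `name` as SNI (or bare IP)."""
    return sorted(r[2] for r in records if r[0] == "ssl" and r[1] == name)


def build_graph(records, now, years_back):
    """Undirected adjacency map from records still visible inside the window.

    A record is dropped only if its whole lifetime ended before the cutoff;
    that is what a provider with a shallower history would never hand over.
    """
    cutoff = now - timedelta(days=365 * years_back)
    adj = {}
    for kind, left, right, _first_seen, last_seen in records:
        if last_seen < cutoff:
            continue
        adj.setdefault(left, set()).add((right, kind))
        adj.setdefault(right, set()).add((left, kind))
    return adj


def pivot(adj, seed):
    """Breadth-first walk from the incident indicator.

    Returns {node: (parent, kind)} for every reachable node (seed maps to None).
    """
    seen = {seed: None}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for neighbour, kind in adj.get(node, ()):
            if neighbour not in seen:
                seen[neighbour] = (node, kind)
                queue.append(neighbour)
    return seen


def explain(seen, target):
    """Edge chain that led the pivot from the seed to `target`, in order."""
    path = []
    node = target
    while seen.get(node) is not None:
        parent, kind = seen[node]
        path.append(f"{parent} -[{kind}]-> {node}")
        node = parent
    return list(reversed(path))


def identity_leads(records, seed, now, years_back):
    """Registrant e-mails reachable from the seed that are not privacy-redacted."""
    seen = pivot(build_graph(records, now, years_back), seed)
    return sorted(n for n in seen if n.startswith("email:") and "redacted" not in n)


if __name__ == "__main__":
    seed = "shop-evil.example"
    for years in (5, 15):
        leads = identity_leads(RECORDS, seed, NOW, years)
        print(f"{years}-year window: leads = {leads}")
        seen = pivot(build_graph(RECORDS, NOW, years), seed)
        for step in explain(seen, "email:realname@mail.example"):
            print("   ", step)
```

With a five-year window the walk from the incident domain reaches only the shared IP, the certificates and a privacy-protected registrant, so no identity lead appears; with a fifteen-year window the same IP links to the old forum domain whose 2009 registration record carries a real address. The three `certificates_seen` lookups for the IP, the domain and the subdomain also show why certificates must be collected per name and not per address only.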