Analysis of Exploit-kit Incidents and Campaigns Through a Graph Database Framework
Name
Guillaume Brodar
Abstract
In today’s threat landscape, the delivery of malware via browser exploit-kits poses specific challenges to the forensic analyst and to defenders in general. Web browsers present a large attack surface through their own implementation, the plugins they host and the operating systems they rely on.
In network traffic captures, however, exploit-kits also leave specific traces that the analyst can identify, although these alone are not enough to determine whether an infection succeeded. Isolating these traces currently requires a great deal of manual work, and a complete analysis also has to rely on third-party information to give a clear picture and understanding of the incident.
A great deal of automation can be achieved here by using public APIs such as VirusTotal, whois databases, IP blacklists, etc. during the analysis, and the first part of our work is dedicated to that.
We also find that graph databases are of great help when combining information from different sources that hold relationships with one another; the second part of our work demonstrates that a graph database approach can be used to analyze single incidents as well as the delivery infrastructure of specific exploit-kits or of malware campaigns spread by specific actors.
We then show that this approach reveals patterns and clusters from which defensive decisions can be made.
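The approach sketched in the abstract, as an added example that is not part of the thesis and does not use its data or tooling: enrichment output for three constructed incidents is modelled as a graph of artefacts (compromised sites, gates, landing pages, IPs, payload hashes) joined by relations, and three queries are run over it: connected components (which incidents belong to one delivery infrastructure), shared nodes (the pivot points where two incidents meet, here an IP hosting two landing pages) and the delivery chain from an entry point, which is only marked as a confirmed infection when a post-infection beacon follows the payload. All hostnames, IPs and hashes are hypothetical, and the in-memory adjacency structure stands in for a graph database; no Neo4j or Cypher is involved.

```python
"""Added example (not from the thesis): exploit-kit incident artefacts as a graph.

Assumptions: INCIDENT_EDGES is constructed sample data, not real traffic or
enrichment output, and the in-memory graph stands in for a graph database."""
from collections import defaultdict, deque

# Constructed (source, relation, target) triples, the kind of records an analyst
# would assemble from a pcap plus whois/DNS/VirusTotal-style lookups. Hypothetical names.
INCIDENT_EDGES = [
    # Incident A: compromised site -> gate -> landing page -> payload -> C2 beacon
    ("victim-blog.example", "REDIRECTS_TO", "gate1.example"),
    ("gate1.example", "REDIRECTS_TO", "landing.ek-a.example"),
    ("landing.ek-a.example", "RESOLVES_TO", "203.0.113.10"),
    ("landing.ek-a.example", "SERVES", "sha256:aaaa"),
    ("sha256:aaaa", "BEACONS_TO", "c2.example"),
    # Incident B: different entry point and landing page, same hosting IP, no beacon seen
    ("shop.example", "REDIRECTS_TO", "gate2.example"),
    ("gate2.example", "REDIRECTS_TO", "landing.ek-b.example"),
    ("landing.ek-b.example", "RESOLVES_TO", "203.0.113.10"),
    ("landing.ek-b.example", "SERVES", "sha256:bbbb"),
    # Incident C: infrastructure unrelated to A and B
    ("forum.example", "REDIRECTS_TO", "gate3.example"),
    ("gate3.example", "RESOLVES_TO", "198.51.100.7"),
    ("gate3.example", "SERVES", "sha256:cccc"),
]

DELIVERY_RELATIONS = ("REDIRECTS_TO", "SERVES", "BEACONS_TO")


def build_undirected(edges):
    """Undirected adjacency: every relation links its two endpoints for clustering."""
    adj = defaultdict(set)
    for src, _rel, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def connected_components(adj):
    """Breadth-first search; each component is one cluster of related artefacts."""
    seen, components = set(), []
    for start in adj:
        if start in seen:
            continue
        component, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in component:
                continue
            component.add(node)
            queue.extend(adj[node] - component)
        seen |= component
        components.append(frozenset(component))
    return components


def shared_nodes(edges, relation):
    """Targets of `relation` reached from two or more sources: the pivot points
    (e.g. one IP hosting several landing pages) that tie incidents together."""
    sources_by_target = defaultdict(set)
    for src, rel, dst in edges:
        if rel == relation:
            sources_by_target[dst].add(src)
    return {t: s for t, s in sources_by_target.items() if len(s) >= 2}


def delivery_chain(edges, entry):
    """Follow the delivery relations from an entry node.

    Returns (path, confirmed): confirmed is True only if the chain reaches a
    BEACONS_TO edge, i.e. the payload was observed calling home after delivery."""
    successors = defaultdict(list)
    for src, rel, dst in edges:
        if rel in DELIVERY_RELATIONS:
            successors[src].append((rel, dst))
    path, node, visited, confirmed = [entry], entry, {entry}, False
    while successors.get(node):
        rel, dst = successors[node][0]
        if dst in visited:          # guard against redirect loops
            break
        path.append(dst)
        visited.add(dst)
        confirmed = confirmed or rel == "BEACONS_TO"
        node = dst
    return path, confirmed


if __name__ == "__main__":
    clusters = connected_components(build_undirected(INCIDENT_EDGES))
    print(f"{len(clusters)} clusters; sizes {sorted(len(c) for c in clusters)}")
    print("shared hosting:", shared_nodes(INCIDENT_EDGES, "RESOLVES_TO"))
    for entry in ("victim-blog.example", "shop.example", "forum.example"):
        print(entry, "->", delivery_chain(INCIDENT_EDGES, entry))
```

Incidents A and B collapse into one cluster because their landing pages resolve to the same IP, which is exactly the kind of pattern a defender can act on (block the hosting IP rather than one landing hostname), while incident C stays separate; the chain query shows why traces alone are not enough, since B reaches a payload without any evidence that it executed. In a real graph database the same three questions become one traversal query each, and the enrichment lookups the abstract mentions (whois, VirusTotal, blacklists) simply add further typed edges to the same graph.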
Graduation Thesis language
English
Graduation Thesis type
Master - Cyber Security
Supervisor(s)
Toomas Lepik, Raimundas Matulevicius
Defence year
2017