IP addresses and domains aren’t just for blocklists; when analyzed with the right tools, they can be operationalized to enrich alerts, support threat hunting, and uncover risk.
Analysis Summary
# Tool/Technique: IP Addresses and Domains in Threat Intelligence
## Overview
In Cyber Threat Intelligence (CTI), IP addresses and domain names are the most commonly shared Indicators of Compromise (IOCs). They are often relegated to simple blocklists, but operationalizing them through analysis and enrichment adds real value: it gives security alerts context, supports threat hunting, and uncovers deeper risk profiles.
## Technical Details
- Type: Technique (Indicator Analysis/Operationalization)
- Platform: Network Infrastructure, Security Tools (SIEM/SOAR/Firewalls)
- Capabilities: Alert enrichment, threat context provision, detection logic expansion, indicator-based threat hunting.
- First Seen: Concept popularized by the Pyramid of Pain model (originally published in 2013).
## MITRE ATT&CK Mapping
This discussion focuses heavily on the **Indicators of Compromise (IOC)** aspect of threat intelligence operations, which maps broadly across the tactics of **Detection** and **Resource Development**.
- **TA0007 - Discovery** (Indirectly, when using IPs/Domains to find C2 infrastructure)
- **T1595 - Active Scanning** (If IPs/Domains are actively scanned)
  - T1595.001 - Internet Scan
- **TA0011 - Command and Control**
- **T1071 - Application Layer Protocol** (IPs/Domains associated with C2 traffic)
  - T1071.001 - Web Protocols
- **TA0008 - Collection** (When enriching IOCs to identify specific malware families)
- **T1560 - Archive Collected Data** (Related to identifying artifacts tied to these network IOCs, e.g., Mystic Stealer C2)
## Functionality
### Core Capabilities
- **Alert Enrichment:** Using IP geolocation, reputation data, and provider information to add context to triggered security alerts.
- **Indicator-Based Hunting:** Searching historical network logs for the presence of known malicious IPs and domains to find previously undetected intrusions.
- **Context Provision:** Providing analysts with immediate background on network indicators encountered during investigations.
### Advanced Features
- **Threat Context Correlation:** Tying IPs and domains to specific malware families (e.g., tracking Mystic Stealer control panels using network and content markers).
- **Automation Integration:** Leveraging SIEM/SOAR solutions to automatically perform lookups against services like Pulsedive to enrich alerts instantly.
## Indicators of Compromise
The article discusses **IP Addresses** and **Domain Names** as the primary IOCs being analyzed.
- File Hashes: N/A (Focus is on network identifiers)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Generic discussion of IPs and Domains; no specific example values are provided in the extracted summary text (though Mystic Stealer C2s are mentioned as having been identified).
- Behavioral Indicators: Identification of reputation clues (e.g., known scanning activity, belonging to a VPN provider).
## Associated Threat Actors
The article mentions identifying infrastructure associated with **Mystic Stealer**. It also references external related content mentioning North Korean threat actors utilizing **Astrill VPN**.
## Detection Methods
Detection is implied through:
- **Blocklisting:** Adding known malicious IPs/Domains to firewalls and network devices (lower-tier detection in the Pyramid of Pain).
- **Historical Log Analysis:** Searching security tools for the presence of shared IOCs.
- **Automated Lookups:** Configuring SIEM/SOAR to query threat intelligence platforms (like Pulsedive) for reputation data upon alert generation.
## Mitigation Strategies
- **Active Blocklist Maintenance:** Regularly purging retired or inactive IP addresses and domains from blocklists.
- **Contextual Monitoring:** Not relying solely on blocking; using IOCs to enrich alerts and drive more sophisticated detection logic.
- **Reputation Awareness:** Factoring reputation data (e.g., whether an IP belongs to a known anonymizing service such as a VPN provider, or is a known mass scanner) into triage decisions.
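The three operations described under Core Capabilities, Detection Methods and Mitigation Strategies (enriching an alert with reputation context, hunting historical logs for shared indicators, and purging retired indicators before they are used) in one small working example. This is added illustration code, not code from the article or from Pulsedive; the indicator feed, the tag vocabulary (`mystic-stealer-c2`, `scanner`, `vpn-exit`), the ASN strings and the log line format are all constructed assumptions.

```python
from datetime import date

# Constructed indicator feed (hypothetical values, RFC 5737 documentation ranges).
# "retired" is the date an indicator stopped being valid; None means still active.
INTEL = {
    "203.0.113.45": {"risk": "high", "tags": ["mystic-stealer-c2"],
                     "asn": "AS64500 ExampleHost", "retired": None},
    "198.51.100.7": {"risk": "medium", "tags": ["scanner"],
                     "asn": "AS64501 ScanCo", "retired": None},
    "192.0.2.200": {"risk": "low", "tags": ["vpn-exit"],
                    "asn": "AS64502 VPNProvider", "retired": None},
    "evil-updates.example": {"risk": "high", "tags": ["mystic-stealer-c2"],
                             "asn": None, "retired": date(2024, 1, 31)},
}
TODAY = date(2024, 3, 1)

# Constructed proxy/DNS log lines: "<timestamp> <source host> <destination IP or domain>".
LOGS = """2024-03-01T10:00:01 ws-17 203.0.113.45
2024-03-01T10:00:05 ws-02 192.0.2.10
2024-03-01T10:00:09 ws-17 evil-updates.example
2024-03-01T10:01:30 ws-40 198.51.100.7
2024-03-01T10:02:00 ws-09 192.0.2.200""".splitlines()

def purge_retired(intel, today):
    """Blocklist hygiene: drop every indicator whose retirement date has passed."""
    return {ioc: rec for ioc, rec in intel.items()
            if rec["retired"] is None or rec["retired"] > today}

def enrich(indicator, intel):
    """Alert enrichment: return triage context for one IP or domain."""
    rec = intel.get(indicator)
    if rec is None:
        return {"indicator": indicator, "known": False}
    ctx = {"indicator": indicator, "known": True, "risk": rec["risk"],
           "asn": rec["asn"], "tags": list(rec["tags"])}
    # Reputation clues the summary calls out: anonymizing infrastructure and mass scanning.
    ctx["anonymizer"] = "vpn-exit" in rec["tags"]
    ctx["mass_scanner"] = "scanner" in rec["tags"]
    return ctx

def hunt(log_lines, intel):
    """Indicator-based hunt: (host, indicator, risk) for each log line hitting the feed."""
    hits = []
    for line in log_lines:
        _ts, host, dest = line.split()
        if dest in intel:
            hits.append((host, dest, intel[dest]["risk"]))
    return hits
```

Running `hunt` against `purge_retired(INTEL, TODAY)` rather than the raw feed is the point of the mitigation: the retired domain no longer generates a hit, while the live C2, scanner and VPN-exit indicators still do, each with a risk level an analyst can triage on.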
## Related Tools/Techniques
The article references specific tools and concepts used for indicator analysis and CTI operations:
- **Pulsedive:** Used for manual and automated IP/Domain enrichment and threat research (e.g., identifying Mystic Stealer panels).
- **SIEM/SOAR Solutions:** Used to integrate and automate IP/Domain data retrieval.
- **The Pyramid of Pain:** Used as a conceptual framework to evaluate how costly each type of IOC is for an adversary to replace, and therefore how much value each type offers defenders.
- **ASN Analysis:** Implicitly related, as looking up IP provider details often involves Autonomous System Numbers (ASNs).
- **GreyNoise Visualizer:** Mentioned as a tool for analyzing widespread scanning activity.