IP Investigation

Audience: Information Security Teams: CTI, SOC, DFIR, Fraud

Challenge

Reviewing and investigating suspicious IPs, domains, URLs, and hashes is part of the daily routine for many information security professionals. The challenge is often not only to understand the threat or risk posed by these suspicious indicators, but to convey that threat or risk and to identify additional details that may be correlated with them. Today, a SOC analyst observes attack traffic from an IP and requests additional support from the Threat Intel team to understand more about the IP.

Avalon Collaboration

  • The CTI Analyst adds the IP node to their workspace in Avalon. Upon entering the IP in the workspace, Avalon automatically adds basic enrichment on the IP address and identifies hundreds of relationships linked to the IP in question.
  • The analyst then adds this data to the workspace and begins to investigate it. Upon reviewing the enrichments from the Avalon dataset, the analyst determines that the IP in question is linked to the Carbanak/FIN7 threat actor group.
  • Additionally, Avalon enrichments have added over 400 indicators of compromise (IOCs), including malicious hashes and IPs. The analyst selects all the IPs and hashes, exports them to an ingestible format, and provides them to the SOC analyst. The SOC analyst can then block not only the IP in question, but also the newly identified IOCs linked to Carbanak/FIN7.

Outcome

Real-time collaboration enabled a broad investigation into a critical security topic, generating a report for the SOC team and a list of actionable indicators that could be used in defensive systems.

  • The analyst investigated the original IP in Avalon and identified a link to the activity of a significant threat actor, the FIN7 group.
  • The original IP in question was used to identify related IOCs linked to malicious activity, and it provided additional context to convey the severity of the threat posed by the originating attack traffic.

About Us

King & Union is a cybersecurity company that has built and designed Avalon, the industry’s first cyber analysis platform. The Avalon Cyber Analysis Platform helps analysts streamline threat investigations by providing the intelligence, tools and collaboration security analysts need in a seamless, integrated workspace.