Unraveling Threat Intelligence Through the Lens of Malicious URL Campaigns

Published: 01 Jan 2023, Last Modified: 16 Sept 2024. Venue: AINTEC 2023. License: CC BY-SA 4.0
Abstract: The daily deluge of alerts is a sombre reality for Security Operations Centre (SOC) personnel worldwide. Those on the front lines of cybersecurity face the unenviable task of prioritising threats amongst a flood of URLs found within malicious communications. Timely detection of pertinent patterns within such URLs allows teams to de-escalate threats. This need has traditionally been met with machine-learning log analysis and anomaly detection methods. Instead, we propose to analyse suspicious URLs from the perspective of malicious URL campaigns. By first grouping the URLs within 311M records gathered from VirusTotal into 2.6M suspicious clusters, we then identified 77.8K malicious campaigns. From those, we found 9.9M unique URLs attributable to 18.3K multi-URL campaigns that had at least 1 URL flagged by a vendor within VirusTotal. Worryingly, our analysis shows that only 2.97% of such campaigns were detected by security vendors. We also offer insights on evasive tactics such as ever lengthier URLs and more diverse domain names, as well as case studies that expose other adversarial techniques. By characterising the campaigns driving these URL alerts, we hope to expose current threat trends and arm the community with greater threat intelligence.
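The campaign-level pipeline the abstract sketches, as an added Python illustration that is not the paper's code: URLs are grouped into clusters by a normalised path/query template (an assumed heuristic; the abstract does not state the paper's clustering method), clusters with at least two URLs and at least one vendor-flagged URL are kept, matching the inclusion criterion for the 18.3K campaigns, and per-campaign URL length, domain diversity and detection coverage are computed. The sample records, the host names and the stricter "fully detected" metric are constructed for this example.

```python
"""Campaign-level triage of suspicious URLs.

Added illustration, not code from the paper. The clustering heuristic
(grouping URLs that share a normalised path/query template) is an assumption
chosen to make the idea concrete; the paper's clustering method is not
described in its abstract.
"""
import re
from collections import defaultdict
from statistics import mean
from urllib.parse import urlsplit

# Constructed sample records: (url, number_of_vendor_detections).
# Not real VirusTotal data; hosts use reserved example TLDs.
SAMPLE_RECORDS = [
    ("http://login-secure-update.example/acct/48213/verify.php", 3),
    ("http://login-secure-upd4te.example/acct/90177/verify.php", 0),
    ("http://secure-login-update.example/acct/11542/verify.php", 0),
    ("http://cdn-assets.invalid/dl/a9f3c1e2/setup.exe", 0),
    ("http://cdn-assets.invalid/dl/7b22d0aa/setup.exe", 0),
    ("http://mail-check.test/inbox?id=55281&u=alice", 2),
    ("http://mail-check.test/inbox?id=55282&u=bob", 1),
    ("http://mail-check.test/inbox?id=55283&u=carol", 1),
    ("http://one-off.example/unique/path", 5),
]


def url_template(url: str) -> str:
    """Reduce a URL to a structural template of its path and query.

    Hex tokens of 8+ chars become <H>, digit runs become <N> and query values
    become <V>, so URLs differing only in per-victim identifiers collapse
    together. The host is left out so one template can span several domains.
    """
    parts = urlsplit(url)
    s = parts.path
    if parts.query:
        s += "?" + parts.query
    s = re.sub(r"[0-9a-f]{8,}", "<H>", s)
    s = re.sub(r"\d+", "<N>", s)
    s = re.sub(r"=[^&]+", "=<V>", s)
    return s


def build_campaigns(records):
    """Group records by template: {template: [(url, detections), ...]}."""
    campaigns = defaultdict(list)
    for url, detections in records:
        campaigns[url_template(url)].append((url, detections))
    return dict(campaigns)


def multi_url_campaigns(records):
    """Campaigns with >= 2 URLs and >= 1 vendor-flagged URL, the abstract's
    inclusion criterion. Clusters with no flagged URL at all drop out here."""
    return {
        t: urls for t, urls in build_campaigns(records).items()
        if len(urls) >= 2 and any(d > 0 for _, d in urls)
    }


def coverage_stats(records):
    """Per-campaign size, flagged count, distinct hosts and mean URL length,
    plus the share of campaigns in which every URL is flagged (a stricter
    'fully detected' notion chosen for this example, not the paper's)."""
    camps = multi_url_campaigns(records)
    per_campaign = {}
    fully_detected = 0
    for t, urls in camps.items():
        flagged = sum(1 for _, d in urls if d > 0)
        if flagged == len(urls):
            fully_detected += 1
        per_campaign[t] = {
            "urls": len(urls),
            "flagged": flagged,
            "distinct_hosts": len({urlsplit(u).hostname for u, _ in urls}),
            "mean_url_len": mean(len(u) for u, _ in urls),
        }
    ratio = fully_detected / len(camps) if camps else 0.0
    return per_campaign, ratio


def escalation_candidates(records):
    """Unflagged URLs whose campaign siblings were flagged: the pivot an
    analyst gains by reasoning per campaign rather than per URL."""
    return sorted(
        u for urls in multi_url_campaigns(records).values()
        for u, d in urls if d == 0
    )


if __name__ == "__main__":
    stats, full_ratio = coverage_stats(SAMPLE_RECORDS)
    for template, s in stats.items():
        print(template, s)
    print("fully detected campaigns:", full_ratio)
    print("escalate:", escalation_candidates(SAMPLE_RECORDS))
```

On the constructed sample, the verify.php campaign spans three look-alike hosts yet has only one flagged URL, so two sibling URLs are surfaced for escalation; the setup.exe cluster has no flagged URL and is invisible under the at-least-one-flag criterion, which is the blind spot a per-URL alert queue shares.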