Some embodiments described herein relate generally to methods and apparatus for analysis of computer network data related to data security. More particularly, the embodiments described herein relate to methods and apparatus for identifying and characterizing a role of infrastructure involved in malicious activity (such as a malicious software campaign).
When conducting malicious software campaigns, adversaries will often use dynamic infrastructure (e.g., domains, Internet Protocol (IP) addresses, Uniform Resource Locators (URLs), email services, messaging services, chat services, social media, general web services and/or protocols) to improve the survivability and mobility of custom malware. Specifically, the dynamic domain infrastructure used by an adversary can serve a variety of purposes and roles, and those roles can change over time. Dynamic infrastructure allows adversaries to quickly shift their remote command and control to new hosts. This also allows adversaries to disrupt investigations and reduce the traceability of their operations.
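To make the problem concrete, the following added example (not part of the original application, and not the claimed method) works over a small set of constructed observations of a domain resolving to different IP addresses and being assigned different roles at different times. It shows the three things the paragraph describes: the resolved host behind a domain changing, the domain's role changing over time, and a simple check for command-and-control hosting that moves between hosts within a short window. The domain names, IP addresses, timestamps, roles and thresholds are all invented for illustration.

```python
"""Illustration of dynamic adversary infrastructure whose host and role shift over time.

All observations below are constructed for this example; they are not real data.
Each record is (observed_at, domain, resolved_ip, role_assigned_by_observer).
"""
from datetime import datetime, timedelta

# Constructed observations. ISO-8601 timestamps sort correctly as strings.
OBSERVATIONS = [
    ("2024-03-01T00:00:00", "update-cdn.example", "203.0.113.10", "c2"),
    ("2024-03-01T06:00:00", "update-cdn.example", "203.0.113.10", "c2"),
    ("2024-03-01T12:00:00", "update-cdn.example", "198.51.100.7", "c2"),
    ("2024-03-01T18:00:00", "update-cdn.example", "192.0.2.44", "c2"),
    ("2024-03-02T00:00:00", "update-cdn.example", "192.0.2.44", "staging"),
    ("2024-03-03T00:00:00", "update-cdn.example", "192.0.2.44", "staging"),
    ("2024-03-05T00:00:00", "update-cdn.example", "203.0.113.99", "phishing"),
    # A second, static domain for contrast: one host, one role throughout.
    ("2024-03-01T00:00:00", "static-host.example", "203.0.113.50", "c2"),
    ("2024-03-03T00:00:00", "static-host.example", "203.0.113.50", "c2"),
]


def _for_domain(observations, domain):
    """Observations for one domain, in time order."""
    return sorted((r for r in observations if r[1] == domain), key=lambda r: r[0])


def resolution_history(observations, domain):
    """Ordered list of distinct IPs the domain resolved to, with consecutive repeats collapsed.

    A long list for a short period is the 'mobility' the text describes:
    the same indicator keeps pointing at new hosts.
    """
    ips = []
    for _, _, ip, _ in _for_domain(observations, domain):
        if not ips or ips[-1] != ip:
            ips.append(ip)
    return ips


def role_timeline(observations, domain):
    """One (timestamp, role) entry per role change, i.e. the domain's role over time."""
    timeline = []
    for ts, _, _, role in _for_domain(observations, domain):
        if not timeline or timeline[-1][1] != role:
            timeline.append((ts, role))
    return timeline


def shifts_c2_rapidly(observations, domain, window=timedelta(hours=24), min_distinct=3):
    """True if, within any sliding window, the domain served its C2 role from
    at least min_distinct different IPs (hypothetical threshold for illustration)."""
    points = [
        (datetime.fromisoformat(ts), ip)
        for ts, _, ip, role in _for_domain(observations, domain)
        if role == "c2"
    ]
    for i, (start, _) in enumerate(points):
        seen = {ip for t, ip in points[i:] if t - start <= window}
        if len(seen) >= min_distinct:
            return True
    return False


if __name__ == "__main__":
    for dom in ("update-cdn.example", "static-host.example"):
        print(dom)
        print("  hosts:", resolution_history(OBSERVATIONS, dom))
        print("  roles:", role_timeline(OBSERVATIONS, dom))
        print("  rapid C2 shift:", shifts_c2_rapidly(OBSERVATIONS, dom))
```

The contrast between the two constructed domains is the point: a single indicator value such as a domain name says little on its own, because the host behind it and the purpose it serves are both moving targets, which is why the tracking and classification the rest of the application addresses has to be done over time rather than as a one-off lookup.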
Accordingly, to aid in tracking and identifying network exploitation operators, a need exists for systems and methods for identifying and classifying infrastructure used by adversaries in a malicious software campaign.