Earlier this month, the research team at Mandiant published a report on a suspected Turla Team operation that distributed the Kopiluwak reconnaissance tool and the Quietcanary backdoor to Andromeda malware victims in Ukraine. As usual, Mandiant's research was thorough and detailed. But today we aren't here to discuss the research or even the threat. Today we're going to look at one IP address cited in the research as associated with Kopiluwak. That IP, 194[.]67[.]209[.]186, was predicted by our Augur platform as part of the CIDR 194.67.208.0/20 [4] back in 2017 and was reported as malicious in January of this year.

Predicting CIDRs, Not Just Isolated IPs

Why does that matter? The answer is as simple as it is crucial. Threat actors don't mind re-using old infrastructure because they don't believe security organizations track their infrastructure at the CIDR or ASN level. Augur's predictions, however, work differently from most other threat intelligence solutions.

By now, most of you know that Augur predicts attacker infrastructure by using machine learning to examine changes in IP space (IPv4 and IPv6), domain name registrations, DNS resolution, and BGP announcements. Augur makes its predictions at the CIDR level, which means a single prediction covers many individual IPs that can be used for malicious activity. The key observation we have made over time is that threat actors keep track of their own infrastructure and sometimes wait years before using a specific IP address. Most organizations and security products block IPs reactively, usually only after a confirmed incident or event, so threat actors feel safe using old IPs, which are often part of CIDRs that already contain other confirmed malicious IPs. This leaves organizations exposed during the window between the day a threat actor starts using an IP, the day a third-party researcher or vendor reports it as an IOC, and the day your SOC team finally blocks it.

More Than 2% of Augur’s Confirmed IPs are 6-Year-Old Predictions

As part of a research project carried out last year, our Threat Research Team looked at some of our oldest predictions to see how long after prediction the IPs were confirmed malicious by third-party researchers or vendors, and what we found surprised even us. The first full year of Augur predictions was 2017 (12 months). In that year the platform predicted over 400K IPs that were, over time, confirmed to be malicious. In 2022, some 9,166 of those 2017 predictions were confirmed malicious, an average of 1,708 days after they were predicted, and that pattern holds for every year we have analyzed.

2017 Predicted IPs

Year First Reported   Confirmed Malicious   Average Lead Time (days)
2017                              256,462                         29
2018                               55,648                        323
2019                               31,296                        712
2020                               28,167                      1,045
2021                               67,810                      1,443
2022                                9,166                      1,708
Total Confirmed:                  448,549   Average Lead Time: 403 days
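The two ideas above, matching an observed indicator against a CIDR-level prediction rather than an exact IP, and measuring the lead time between prediction and third-party report the way the table does, are easy to put into a SOC enrichment step. The following is an added example written for this page; it is not Augur or Seclytics code and does not use any Augur API. The prediction feed, all dates, and every indicator except 194[.]67[.]209[.]186 in 194.67.208.0/20 are constructed (RFC 5737 and RFC 3849 documentation ranges); the 2017 prediction date and the January 2023 report date for that IP are assumed, since the post gives only the year and month.

```python
"""CIDR-level IOC matching with lead-time accounting.

Added example, not Seclytics/Augur code. The prediction feed, the dates and all
indicators other than 194[.]67[.]209[.]186 / 194.67.208.0/20 are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Prediction:
    cidr: IPNetwork
    predicted_on: date


@dataclass(frozen=True)
class Match:
    indicator: str
    cidr: str
    predicted_on: date
    reported_on: date
    lead_days: int  # days between the CIDR prediction and the third-party report


def refang(ioc: str) -> str:
    """Undo the bracket defanging used in threat reports (194[.]67[.]209[.]186)."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


def load_predictions(rows: Iterable[Tuple[str, date]]) -> List[Prediction]:
    """Parse (cidr, predicted_on) rows; strict=False tolerates host bits in the CIDR."""
    preds = [Prediction(ipaddress.ip_network(cidr, strict=False), d) for cidr, d in rows]
    # Most-specific prefix first, so the first hit in longest_prefix_match is the tightest CIDR.
    preds.sort(key=lambda p: p.cidr.prefixlen, reverse=True)
    return preds


def longest_prefix_match(ioc: str, predictions: List[Prediction]) -> Optional[Prediction]:
    """Return the most specific predicted CIDR containing the indicator, or None."""
    ip = ipaddress.ip_address(refang(ioc))
    for p in predictions:
        if ip.version == p.cidr.version and ip in p.cidr:
            return p
    return None


def match_indicators(indicators: Iterable[Tuple[str, date]],
                     predictions: List[Prediction]) -> List[Match]:
    """Enrich each (indicator, first_reported_on) pair with the CIDR that predicted it."""
    matches = []
    for ioc, reported_on in indicators:
        p = longest_prefix_match(ioc, predictions)
        if p is None:
            continue  # not covered by any prediction; nothing to say about lead time
        matches.append(Match(refang(ioc), str(p.cidr), p.predicted_on, reported_on,
                             (reported_on - p.predicted_on).days))
    return matches


def lead_time_by_report_year(matches: List[Match]) -> Dict[int, Tuple[int, float]]:
    """Bucket matches by the year first reported: year -> (count, mean lead days).

    This is the same cut as the table above (confirmed count and average lead time
    per reporting year for one prediction cohort).
    """
    buckets = defaultdict(list)
    for m in matches:
        buckets[m.reported_on.year].append(m.lead_days)
    return {y: (len(v), sum(v) / len(v)) for y, v in sorted(buckets.items())}


def collapse_blocklist(predictions: List[Prediction]) -> List[str]:
    """Collapse overlapping or adjacent predicted CIDRs into a minimal per-family block list."""
    v4 = [p.cidr for p in predictions if p.cidr.version == 4]
    v6 = [p.cidr for p in predictions if p.cidr.version == 6]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)]
            + [str(n) for n in ipaddress.collapse_addresses(v6)])


# Constructed prediction feed. Only the first CIDR comes from the post; its date is assumed.
PREDICTIONS = load_predictions([
    ("194.67.208.0/20", date(2017, 1, 15)),
    ("198.51.100.0/25", date(2021, 6, 1)),
    ("198.51.100.128/25", date(2021, 6, 1)),
    ("2001:db8:1::/48", date(2022, 3, 9)),
])

# Constructed indicator list: (defanged indicator, date first reported by a third party).
INDICATORS = [
    ("194[.]67[.]209[.]186", date(2023, 1, 10)),  # the Kopiluwak IP; report date assumed
    ("198.51.100.200", date(2022, 1, 1)),
    ("192.0.2.44", date(2023, 2, 2)),             # not covered by any prediction
    ("2001:db8:1::9", date(2023, 3, 9)),
]

if __name__ == "__main__":
    for m in match_indicators(INDICATORS, PREDICTIONS):
        print(f"{m.indicator:<22} in {m.cidr:<18} lead {m.lead_days:>5} days")
    print(lead_time_by_report_year(match_indicators(INDICATORS, PREDICTIONS)))
    print(collapse_blocklist(PREDICTIONS))
```

The point of the longest-prefix lookup is that the Kopiluwak IP never has to appear in a feed by itself: it is caught because the enclosing /20 was already on the list, and the lead-time field tells the SOC how long that coverage was in place before anyone published the IOC. The collapsed block list is what you would actually push to a firewall or ipset, since adjacent prediction ranges fold into one rule.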


CIDR-level Predictions Mean Better Protection Sooner

In case the implication isn't obvious, that is 9K+ threat vectors organizations could have been protected against before any malicious activity was reported. The other implication is that even if Augur predictions look somewhat noisy at first, over time they prove to be very accurate, with low false positives.

Prove It To Me

We get it. These predictions are startling, and you want to know if they are real. If you’re interested in seeing how Augur works and how Augur’s predictive intelligence can improve your novel threat protection and overall cybersecurity posture, email us at augur@seclytics.com.
