Infra-Tagging: A New Tool in Cyber Threat Intelligence


Working with Intelligence Analysts as well as SOC teams over many years has led to an identification of pain points that just seemed solvable with a little thought. A couple of these pain points can be helped enormously by “Infra-Tagging”. This is a new term so just go with it for now while I explain.

The problem

There are many different ways to assess the relationship between domains. Each way involves numerous look-ups and then saving the results so they can be compared.

This is where Infra-Tagging steps in. Using Silent Push, just do one API call for each domain to generate an Infra-Tag. The tag will be of the form {} where MX= the domain portion of the first mail exchange record in DNS, NS= the domain portion of the top last-seen Name Server, AS= the AS name of the IP address assigned to the A record, Reg= the registrar mentioned in Whois if available. If any field is unavailable it is replaced with a _.

This results in something like the below.

Example 1

  • API[.]com

  • Result

“tag”: “”

Example 2

Now try this for a particular bunch of domains from a related campaign. The domains below are related to IcedID infrastructure.

  • “domain”: “dimetriadit[.]top”, “tag”: “
  • “domain”: “glooverdoover[.]top”, “tag”: “
  • “domain”: “sillkolo[.]space”, “tag”: “
  • “domain”: “woodabeg[.]fun”, “tag”: “

Having this tag alongside each domain in your security tools is very useful, as any analyst has a chance of spotting trends at a glance.

However, there are even greater advantages such as being able to search for tags in data. This can be done in a couple of places:

  1. Search for similar tags in threat feeds and see which items may be related.
  2. Search in Passive/Active DNS to see what else is out there with the same Infra-Tag and similar
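The tag construction described above (MX, NS, AS and registrar, with _ for any missing field) and the clustering use case from the list, as an added example that is not Silent Push's code. The lookup results are constructed sample data, the `;`-separated key=value layout is an assumed rendering of the tag, and the registrable-domain helper is a deliberate simplification.

```python
from collections import defaultdict
from typing import Dict, List, Optional

def registrable_domain(hostname: Optional[str]) -> Optional[str]:
    """Reduce a hostname such as mx1.mailhost.example to mailhost.example.

    Simplification: keeps the last two labels only, so multi-part public
    suffixes (co.uk and similar) are not handled; use a public-suffix
    library for production use."""
    if not hostname:
        return None
    labels = hostname.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[-2:])

def infra_tag(lookup: Dict[str, Optional[str]]) -> str:
    """Build an Infra-Tag from the four lookup results for one domain.

    `lookup` holds the first MX hostname, the top last-seen NS hostname, the
    AS name for the A record's IP and the Whois registrar. Any missing field
    becomes '_'. The separator and key=value layout are an assumption; the
    post does not show the exact format."""
    fields = [
        ("MX", registrable_domain(lookup.get("mx"))),
        ("NS", registrable_domain(lookup.get("ns"))),
        ("AS", lookup.get("as_name")),
        ("Reg", lookup.get("registrar")),
    ]
    return ";".join(f"{key}={value or '_'}" for key, value in fields)

def group_by_tag(lookups: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Cluster domains that share an identical Infra-Tag (the 'search for
    similar tags' use case): candidates for shared infrastructure."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for domain, lookup in lookups.items():
        clusters[infra_tag(lookup)].append(domain)
    return dict(clusters)

# Constructed sample lookup results; not real data for any real domain.
SAMPLE_LOOKUPS = {
    "first.example": {"mx": "mx1.mailhost.example.", "ns": "ns2.dnshost.example",
                      "as_name": "EXAMPLE-AS-1", "registrar": "Registrar One"},
    "second.example": {"mx": "mx9.mailhost.example", "ns": "ns1.dnshost.example",
                       "as_name": "EXAMPLE-AS-1", "registrar": "Registrar One"},
    "third.example": {"mx": None, "ns": "ns1.other.example",
                      "as_name": "EXAMPLE-AS-2", "registrar": None},
}

if __name__ == "__main__":
    for tag, domains in group_by_tag(SAMPLE_LOOKUPS).items():
        print(tag, "->", ", ".join(domains))
```

Two domains with different MX and NS hostnames still collapse to one tag because only the domain portion of each record is kept, which is what lets related infrastructure surface despite per-host naming differences.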