"We then compared the 1,521 IP addresses against the 258,288 IP addresses currently occurring on the blacklists, and found that only 117 of them were on those lists, whereas the rest were unknown and not included on the blacklists," explains Recorded Future in its report. "In other words, 92% of the suspicious IP addresses identified with this method were not identified by current blacklists. Of the 117 addresses, 67 were classified as inbound and 50 as outbound, and 12 of the 117 addresses occurred on multiple blacklists."

The report identifies clusters of IP addresses with which Wiper, Dyre, and other malware are associated. Significantly, Recorded Future's methodology can take this analysis one step further by exploring who plans to exploit the suspicious IP addresses and what tools those actors intend to use. Such a capability could benefit the field of threat intelligence more generally.
"By incorporating this information into the Recorded Future index we can provide it to threat intelligence analysts and also feed it into SIEM systems for improved risk scoring of IP addresses," the report concludes. "This novel approach enables threats to be detected faster and more accurately."

To read the entirety of Recorded Future's analysis, please click here.