- The analytic requires as input a known compromised host that was used or is being used as a relay, and we’ll call this the “known relay”. This forms the root node in our graph, and our search expands out from there.
- The analytic first looks up the list of distinct IP addresses with which the known relay communicates. We’ll call these hosts the “potential victims”.
- The analytic next looks up all the distinct IP addresses that the potential victims talk to, which are the next set of nodes in the graph or tree. We’ll call these hosts the “potential next relays”.
- Finally, the analytic returns the potential next relays that interact with at least 80% (configurable) of the potential victims. These are the potential next relays of interest because they are interacting with a large segment of the potential victims that communicated with the known compromised relay in the first step. These potential next relays are therefore guilty by association and should be focus areas as the investigation continues.
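The four steps above, as an added example in Python that is not code from the original post. The flow records, IP addresses and the `exclude` allowlist parameter (for shared infrastructure such as DNS or a gateway, which would otherwise score 100% against any victim set) are constructed assumptions.

```python
from collections import defaultdict

# Constructed bidirectional flow records (src_ip, dst_ip); not real data.
# 10.0.0.5 is the known relay, 10.0.1.10-14 are its peers, 10.0.0.9 talks
# to four of those five, 10.0.0.7 to two, and 192.168.50.1 (say, DNS) to all.
FLOWS = [
    ("10.0.0.5", "10.0.1.10"), ("10.0.0.5", "10.0.1.11"), ("10.0.0.5", "10.0.1.12"),
    ("10.0.0.5", "10.0.1.13"), ("10.0.0.5", "10.0.1.14"),
    ("10.0.0.9", "10.0.1.10"), ("10.0.0.9", "10.0.1.11"),
    ("10.0.0.9", "10.0.1.12"), ("10.0.0.9", "10.0.1.13"),
    ("10.0.0.7", "10.0.1.10"), ("10.0.0.7", "10.0.1.14"),
    ("10.0.1.10", "192.168.50.1"), ("10.0.1.11", "192.168.50.1"),
    ("10.0.1.12", "192.168.50.1"), ("10.0.1.13", "192.168.50.1"),
    ("10.0.1.14", "192.168.50.1"),
    ("10.0.2.1", "10.0.2.2"),  # unrelated traffic, never reached by the search
]


def build_adjacency(flows):
    """Undirected peer map: each IP -> set of IPs it exchanged traffic with."""
    adj = defaultdict(set)
    for src, dst in flows:
        adj[src].add(dst)
        adj[dst].add(src)
    return adj


def find_next_relays(flows, known_relay, threshold=0.8, exclude=frozenset()):
    """Return {candidate_ip: fraction_of_victims_contacted} for every
    potential next relay that touches at least `threshold` of the victims."""
    adj = build_adjacency(flows)
    victims = adj[known_relay]                      # step 2: potential victims
    if not victims:
        return {}
    contacts = defaultdict(int)                     # step 3: peers of victims
    for victim in victims:
        for peer in adj[victim]:
            # The known relay trivially reaches every victim; skip it and
            # any allowlisted shared service so they do not dominate results.
            if peer == known_relay or peer in exclude:
                continue
            contacts[peer] += 1
    # step 4: keep candidates seen by >= threshold of the victim population
    return {ip: n / len(victims) for ip, n in contacts.items()
            if n / len(victims) >= threshold}


if __name__ == "__main__":
    for ip, frac in sorted(find_next_relays(FLOWS, "10.0.0.5").items()):
        print(f"{ip}: contacted {frac:.0%} of potential victims")
```

Tuning `threshold` downward widens the net at the cost of more noise; the `exclude` set is where an analyst puts DNS, proxies and other services every host talks to.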
Visit the Series Intro to see a complete list of the analytics covered.