Infrastructure Diversity — Hunting In Shared Infrastructure


Hunting Shared Infrastructure

Identifying Shared Infrastructure

After Discovery

  • Are there other suspicious features of the domain (age, reputation, categorization, VT hits, threat data match, etc.)?
  • Is the traffic regularly repeating? If so, at what time intervals?
  • For any content we can see (not encrypted), what type of activity is performed?
  • Is the activity limited to certain internal ranges / subnets?
  • How many assets do I see this activity originating from, and how many requests per 24 hr period? If you are an MSSP, have you seen this in other customers, or in customers in the same industry, before?
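
The questions above can be answered mechanically once the domain is known. The following added example (not code from the original post) triages one domain over a constructed proxy-log excerpt: how many internal hosts talk to it, requests per 24 hours, the mean interval between requests from each host and whether that interval is regular enough to look like beaconing, the methods seen, and whether every source falls inside the subnets you name. The log format, domain names, and the 10% jitter threshold for "regular" are assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed proxy-log excerpt (not from the original post): time, src IP, domain, method, path.
SAMPLE_LOG = """\
2024-03-01T00:00:05Z 10.1.20.11 cdn-share.example GET /c/a
2024-03-01T01:00:04Z 10.1.20.11 cdn-share.example GET /c/a
2024-03-01T02:00:06Z 10.1.20.11 cdn-share.example GET /c/a
2024-03-01T03:00:05Z 10.1.20.11 cdn-share.example GET /c/a
2024-03-01T00:30:00Z 10.1.20.12 cdn-share.example POST /c/u
2024-03-01T01:30:01Z 10.1.20.12 cdn-share.example POST /c/u
2024-03-01T09:12:44Z 10.1.50.7 news.example GET /index.html
"""

def parse_log(text):
    """Parse the assumed space-separated format into dicts with a UTC datetime."""
    records = []
    for line in text.splitlines():
        ts, src, domain, method, path = line.split()
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "src": ip_address(src), "domain": domain,
                        "method": method, "path": path})
    return records

def triage(records, domain, subnets=()):
    """Answer the hunting questions for one domain: host spread, volume per 24 h,
    per-host interval and regularity, methods seen, confinement to given subnets."""
    hits = sorted((r for r in records if r["domain"] == domain), key=lambda r: r["ts"])
    if not hits:
        return None
    # Normalise volume to a 24 h window; a window shorter than a day counts as one day.
    span_days = max((hits[-1]["ts"] - hits[0]["ts"]).total_seconds() / 86400, 1.0)
    by_src, gaps = {}, []
    for r in hits:
        by_src.setdefault(r["src"], []).append(r["ts"])
    for times in by_src.values():
        gaps += [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Beacon-like traffic has low jitter: coefficient of variation of the gaps.
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    nets = [ip_network(n) for n in subnets]
    confined = all(any(s in n for n in nets) for s in by_src) if nets else None
    return {"hosts": len(by_src), "requests_per_day": round(len(hits) / span_days, 1),
            "mean_interval_s": round(mean(gaps)) if gaps else None,
            "regular": cv is not None and cv < 0.1,
            "methods": sorted({r["method"] for r in hits}),
            "confined_to_subnets": confined}
```

In the sample, cdn-share.example is contacted hourly by two hosts in 10.1.20.0/24, so the result reports two hosts, six requests per day, a 3600 s mean interval flagged as regular, and confinement to that subnet.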

Red Team Lessons

Wrap Up

Justin Warner