Five Things The Silent Push Context Graph Showed Us

Silent Push says traditional threat intelligence mostly sees attacks after they happen, while the Context Graph is designed to surface adversary infrastructure during the preparation phase before weaponization. The webinar highlights how IOFA, PADNS, and deterministic data help teams prevent attacks earlier, with Salt Typhoon used as an example of finding staging infrastructure months before public disclosure. #SilentPush #ContextGraph #IOFA #PADNS #SaltTyphoon

Keypoints

  • Traditional threat intelligence often arrives too late, capturing only the final portion of an attack after IOCs appear.
  • The Silent Push Context Graph is built to detect adversary infrastructure during the preparation phase before an attack is launched.
  • Silent Push correlates PADNS (passive DNS) with related data sources such as WHOIS records, host scans, TLS/SSL certificates, honeypot hits, and ASN information to identify staging infrastructure before it is used.
  • In the Salt Typhoon example, Silent Push identified the same infrastructure cluster more than two months before Darktrace’s public findings, and an average of 104 days before weaponization.
  • IOCs and Indicators of Future Attack (IOFA) are complementary: IOCs describe what already happened, while IOFA describes what is being built and where it may be used next.
  • The Context Graph integrates with SIEM, SOAR, external dynamic lists (EDLs), and APIs so that blocking, enrichment, triage, and response can be automated with live infrastructure context.
  • Deterministic data and internal telemetry can seed a “security infinity loop” that improves hunting, monitoring, and prevention over time.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Adversaries register domains in advance of a campaign as part of staging infrastructure, leaving detectable operational patterns (‘registering domains’).
  • [T1583.004] Acquire Infrastructure: Server – Adversaries configure servers and supporting infrastructure before launching attacks (‘configuring servers’).
  • [T1587.001] Develop Capabilities: Malware – The article frames attack preparation as infrastructure being built before a phishing or C2 operation (‘Before a phishing campaign hits an inbox or a command-and-control (C2) server receives its first callback’). The quoted passage describes infrastructure staging rather than malware development, so this mapping is inferred; T1583 is the better-supported fit for what the article actually describes.
  • [T1071.001] Application Layer Protocol: Web Protocols – The article refers to a C2 server receiving its first callback (‘command-and-control (C2) server receives its first callback’) but does not say which protocol the callback uses, so the choice of web protocols is an assumption. The DNS-based tracking the article discusses is the defender’s infrastructure-analysis method, not an adversary technique.
  • [T1585.001] Establish Accounts: Social Media Accounts – The article does not describe account creation; it describes infrastructure preparation and operational staging that may support a later phishing operation (‘Before a phishing campaign hits an inbox’). Treat this mapping as speculative.

Indicators of Compromise

  • [Domains] No specific domains are published on this page; the article describes infrastructure tracking and pivots across related hostnames and registered domains for adversary clusters.
  • [IP addresses] No specific addresses are published on this page; the article describes seeding the intelligence loop from internal telemetry (an example set of 10,000 external IP addresses drawn from alert data) and pivoting from them to related infrastructure.
  • [Infrastructure metadata] DNS history, WHOIS records, TLS/SSL certificates, ASN information, and host-scan data are the context used to identify staging infrastructure.
  • [File names / hashes] None mentioned in the article.
  • [IP/domain clusters] Salt Typhoon-related staging infrastructure identified before public disclosure; the article states the same cluster was found in May, with activity noted back to July, but gives no indicator values.


Read more: https://www.silentpush.com/blog/five-things/?utm_source=rss&utm_medium=rss&utm_campaign=five-things