Equipping Defenders: The Strategic Value of Adversary Infrastructure Intelligence


In the world of cybersecurity, understanding adversary infrastructure is critical for defenders and researchers tracking adversary operations. We use the term “adversary infrastructure” to refer to any infrastructure that is established by or commandeered by adversaries to support their operations. This includes command and control (C2) servers, open web directories hosting malicious files, and residential and IoT devices recruited into botnets or used to route malicious traffic while obfuscating its true origins.

Much threat research is, and historically has been, focused on malware analysis and reverse engineering, concentrating on actor behavior and attack mechanics. This is useful for understanding the actor’s objectives and tradecraft, but alongside this “micro” view of adversary activity, the broader “macro” view provided by infrastructure tracking can also be incredibly helpful. It offers a complementary perspective that sheds additional light on actor tactics and often provides pivot points for researchers seeking to ...


Copyright of this story solely belongs to informationsecuritybuzz.com.