Intelligence Methodology
IntrusionLabs reconstructs attacker behavior from raw sensor telemetry, classifies sessions by kill-chain depth, and corroborates findings against open-source threat intelligence feeds. Every enrichment carries source attribution — which database, what version, when applied — so analysts can trace any assessment back to its grounding evidence.
// Fingerprint-Based Operator Discovery
Beyond IP-, subnet-, and ASN-based clustering, IntrusionLabs computes session-level fingerprints — starting with HASSH (an MD5 of the SSH client's KEX/cipher/MAC algorithm sets). Identical HASSH across distributed actors is strong evidence of shared tooling, often a single operator running malware or a scanner across rented infrastructure spread across many ASNs and countries to defeat conventional clustering.
The hassh_cluster campaign detector promotes a fingerprint to a tracked campaign when ≥50 distinct non-benign actors share it and those actors span ≥3 distinct /16 subnets. The dispersion check ensures we surface genuinely distributed operators (caught by no other detector), not single-provider hosting farms (already caught by subnet/ASN clustering).
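As an added, self-contained illustration of the detector described above (example code written for this page, not IntrusionLabs' own implementation), the block below computes a HASSH from a client's algorithm lists and applies the two thresholds to constructed sample telemetry: one fingerprint spread over many /16s, one confined to a single hosting range, and one shared by only a handful of actors plus benign scanners that must not count. The fingerprint follows the published HASSH spec, which hashes the client's compression list alongside KEX, cipher and MAC; the session record layout (actor_ip, hassh, benign), the function names and the sample addresses are assumptions.

```python
import hashlib
import ipaddress
from collections import defaultdict

# Thresholds as stated for the hassh_cluster detector on this page.
MIN_ACTORS = 50
MIN_SLASH16 = 3


def hassh(kex, enc, mac, cmp):
    """HASSH client fingerprint: MD5 over the four comma-joined algorithm
    lists, themselves joined with ';' (kex;enc;mac;cmp), per the HASSH spec."""
    fields = [",".join(kex), ",".join(enc), ",".join(mac), ",".join(cmp)]
    return hashlib.md5(";".join(fields).encode("ascii")).hexdigest()


def slash16(ip):
    """Collapse an IPv4 address to its covering /16 network, e.g. '10.3.4.7' -> '10.0.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def fingerprint_stats(sessions):
    """Per fingerprint: (distinct non-benign actors, distinct /16s those actors span).
    Benign sessions are dropped before counting so known-good scanners cannot
    inflate a fingerprint into a campaign."""
    actors_by_fp = defaultdict(set)
    for s in sessions:
        if not s["benign"]:
            actors_by_fp[s["hassh"]].add(s["actor_ip"])
    return {fp: (len(actors), len({slash16(ip) for ip in actors}))
            for fp, actors in actors_by_fp.items()}


def detect_hassh_campaigns(sessions, min_actors=MIN_ACTORS, min_slash16=MIN_SLASH16):
    """Promote a fingerprint to a campaign only when both the actor-count and the
    /16 dispersion thresholds are met; returns {hassh: {"actors": n, "slash16": k}}."""
    return {fp: {"actors": n, "slash16": k}
            for fp, (n, k) in fingerprint_stats(sessions).items()
            if n >= min_actors and k >= min_slash16}


# Three constructed client profiles (hypothetical algorithm sets, not observed data).
FP_DISTRIBUTED = hassh(["curve25519-sha256"], ["aes128-ctr"], ["hmac-sha2-256"], ["none"])
FP_FARM = hassh(["diffie-hellman-group14-sha1"], ["aes128-cbc"], ["hmac-sha1"], ["none"])
FP_SMALL = hassh(["ecdh-sha2-nistp256"], ["aes256-gcm@openssh.com"], ["hmac-sha2-512"], ["none"])


def build_sample_sessions():
    """Constructed sample telemetry (private-range addresses, not real actors)."""
    sessions = []
    # Case 1: one operator on rented hosts, 60 actors across five different /16s.
    for i in range(60):
        sessions.append({"actor_ip": f"10.{i % 5}.{i // 5}.7",
                         "hassh": FP_DISTRIBUTED, "benign": False})
    # Case 2: a single-provider hosting farm, 60 actors inside one /16.
    for i in range(60):
        sessions.append({"actor_ip": f"192.168.{i}.9",
                         "hassh": FP_FARM, "benign": False})
    # Case 3: well dispersed but only 10 non-benign actors ...
    for i in range(10):
        sessions.append({"actor_ip": f"172.{16 + i}.0.3",
                         "hassh": FP_SMALL, "benign": False})
    # ... plus 50 benign scanners sharing the fingerprint, which must be ignored.
    for i in range(50):
        sessions.append({"actor_ip": f"203.{i}.1.1",
                         "hassh": FP_SMALL, "benign": True})
    return sessions


if __name__ == "__main__":
    sample = build_sample_sessions()
    for fp, (n, k) in fingerprint_stats(sample).items():
        print(f"{fp}: actors={n} slash16s={k}")
    print("promoted:", detect_hassh_campaigns(sample))
```

Only the first fingerprint is promoted: the hosting farm fails the dispersion check despite 60 actors, and the third fingerprint fails the actor-count check once benign sessions are excluded. Lowering either threshold in `detect_hassh_campaigns` shows how quickly single-provider ranges would start to surface as false campaigns.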
Read the full deep-dive at /features/operator-discovery/ — covers the why, the thresholds, the limits, and the live data.