No Hat 2025 - Gaetano Pellegrino - Every Domain Tells a Story: Automatic Attribution from Timelines
Author: BITM Hacklab
Uploaded: 2025-10-27
Views: 110
Every Domain Tells a Story: Automatic Attribution from Timelines
Attribution remains one of the most challenging and consequential problems in threat intelligence. While traditional approaches rely heavily on artefacts like malware samples and phishing lures, infrastructure elements - especially domain behaviour - offer a rich source of insight. In this talk, we present a transparent approach to attribution based on machine learning and data mining techniques. It relies on domain timelines, which capture the lifecycle events of domains over time. We introduce the concept of characteristic sets - unordered collections of unique attributes of timeline events - and show how they enable the training of interpretable attribution models using small, analyst-curated datasets. Our framework includes a noise detector and an attributor, designed to remain auditable and supportive of human decision-making. We demonstrate the approach through three case studies involving GhostEmperor, BlindEagle, and Scattered Spider, highlighting both successful attributions and edge cases. In each scenario, our model reveals infrastructure reuse and domain lifecycle traits consistent with those of threat actors. The system not only identifies domains likely linked to known actors but also explains why, offering CTI teams a fast and verifiable decision-support tool. This talk is aimed at threat intel analysts, red teamers, and researchers interested in infrastructure tracking, attacker fingerprinting, and low-volume but high-confidence attribution at scale.
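To make the abstract's two ideas concrete, here is a small illustration of what a "characteristic set" looks like when derived from a domain timeline, and how an auditable attributor and noise check can be built on top of it. This is an added example written for this page, not code from the talk or from Zscaler; the scoring rule (sum of per-actor token frequencies over discriminative tokens) is my own simple choice, and every actor name, domain, registrar, nameserver and ASN below is constructed.

```python
"""Characteristic sets from domain timelines plus an interpretable attributor
with a noise detector. Illustration only: actor labels, registrars, nameservers
and ASNs are constructed and do not describe any real infrastructure."""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Optional, Tuple

# One lifecycle event: (date, event_type, attributes an analyst would record).
Event = Tuple[str, str, Dict[str, str]]


def characteristic_set(timeline: List[Event]) -> FrozenSet[str]:
    """Unordered set of unique attribute tokens seen in a domain's timeline.
    Order and repetition are dropped on purpose: two domains that went through
    the same registrar/NS/ASN combination yield overlapping tokens, which is
    the infrastructure-reuse signal the attributor looks for."""
    tokens = set()
    for _, etype, attrs in timeline:
        tokens.add(etype)
        for key, value in attrs.items():
            tokens.add(f"{etype}:{key}={value}")
    return frozenset(tokens)


# Constructed, analyst-curated training data: actor label -> domain timelines.
CURATED: Dict[str, List[List[Event]]] = {
    "ACTOR-ALPHA": [
        [("2025-01-03", "registered", {"registrar": "RegistrarX", "tld": "test"}),
         ("2025-01-04", "ns_change", {"ns": "ns1.hoster-q.test"}),
         ("2025-01-10", "a_record", {"asn": "AS64500"})],
        [("2025-02-11", "registered", {"registrar": "RegistrarX", "tld": "test"}),
         ("2025-02-12", "ns_change", {"ns": "ns1.hoster-q.test"}),
         ("2025-03-01", "a_record", {"asn": "AS64500"})],
    ],
    "ACTOR-BETA": [
        [("2025-01-20", "registered", {"registrar": "RegistrarY", "tld": "test"}),
         ("2025-01-21", "ns_change", {"ns": "dns.cheap-park.test"}),
         ("2025-01-25", "a_record", {"asn": "AS64501"})],
        [("2025-03-05", "registered", {"registrar": "RegistrarY", "tld": "test"}),
         ("2025-03-06", "a_record", {"asn": "AS64501"})],
    ],
}


class Attributor:
    """Per-actor profile = fraction of that actor's curated domains carrying
    each token. Tokens present in every actor's profile are 'generic' and
    carry no attribution weight, which keeps the evidence list meaningful."""

    def __init__(self, curated: Dict[str, List[List[Event]]]):
        self.profiles: Dict[str, Dict[str, float]] = {}
        actors_with_token = defaultdict(set)
        for actor, timelines in curated.items():
            counts: Dict[str, int] = defaultdict(int)
            for tl in timelines:
                for tok in characteristic_set(tl):
                    counts[tok] += 1
                    actors_with_token[tok].add(actor)
            self.profiles[actor] = {t: c / len(timelines) for t, c in counts.items()}
        self.generic = {t for t, acts in actors_with_token.items() if len(acts) == len(curated)}

    def is_noise(self, cs: FrozenSet[str], min_evidence: int = 2) -> bool:
        """Noise detector: with fewer than min_evidence discriminative tokens
        matching any actor, the domain is left unattributed rather than forced."""
        best = max((len((cs & set(p)) - self.generic) for p in self.profiles.values()), default=0)
        return best < min_evidence

    def attribute(self, timeline: List[Event], min_evidence: int = 2
                  ) -> Tuple[Optional[str], float, List[str]]:
        """Returns (actor or None, score, evidence tokens) so an analyst can
        audit exactly which lifecycle traits drove the decision."""
        cs = characteristic_set(timeline)
        if self.is_noise(cs, min_evidence):
            return None, 0.0, []
        best_actor, best_score, best_evidence = None, 0.0, []
        for actor, profile in self.profiles.items():
            evidence = sorted(t for t in cs if t in profile and t not in self.generic)
            score = sum(profile[t] for t in evidence)
            if score > best_score:
                best_actor, best_score, best_evidence = actor, score, evidence
        return best_actor, round(best_score, 3), best_evidence


ATTRIBUTOR = Attributor(CURATED)

# Constructed candidates: clear reuse, a partial overlap, and an unrelated domain.
CANDIDATE_REUSE: List[Event] = [
    ("2025-04-01", "registered", {"registrar": "RegistrarX", "tld": "test"}),
    ("2025-04-02", "ns_change", {"ns": "ns1.hoster-q.test"}),
    ("2025-04-05", "a_record", {"asn": "AS64500"}),
]
CANDIDATE_PARTIAL: List[Event] = [
    ("2025-04-10", "registered", {"registrar": "RegistrarY", "tld": "test"}),
    ("2025-04-11", "ns_change", {"ns": "dns.cheap-park.test"}),
]
CANDIDATE_NOISE: List[Event] = [
    ("2025-04-20", "registered", {"registrar": "RegistrarZ", "tld": "test"}),
    ("2025-04-22", "a_record", {"asn": "AS64999"}),
]


def attribute_domain(timeline: List[Event]) -> Tuple[Optional[str], float, List[str]]:
    return ATTRIBUTOR.attribute(timeline)


if __name__ == "__main__":
    for name, tl in [("reuse", CANDIDATE_REUSE), ("partial", CANDIDATE_PARTIAL),
                     ("noise", CANDIDATE_NOISE)]:
        print(name, attribute_domain(tl))
```

The `evidence` list returned with every verdict is the part that matters for a CTI workflow: an analyst can see that a domain was linked to an actor because of a specific registrar, nameserver and ASN combination, and can reject the call if those traits are known to be shared widely.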
Gaetano Pellegrino - Staff Threat Researcher @Zscaler
Nino Pellegrino is a Staff Threat Researcher at Zscaler’s ThreatLabz, where he investigates Advanced Persistent Threats (APTs), particularly those linked to state-sponsored or highly targeted campaigns. Before this, he worked at Infoblox as a Senior Threat Researcher, focusing on detecting cyber threats through DNS telemetry within the Global Threat Intelligence team. Earlier in his career, Nino served as a consultant for Accenture Security at Telecom Italia Mobile, where he specialised in the analysis of malware and other artefacts involved in complex security incidents. He holds a PhD in cybersecurity from Delft University of Technology (TU Delft), where his research explored the application of state machine learning techniques for threat detection in both network and endpoint telemetry. Due to the often confidential nature of threat intelligence work, public speaking opportunities are rare in this field. Nino’s most recent public talk was at HackInBo Winter Edition in 2023.
LINKS
No Hat - Website: nohat.it
No Hat - X: @nohatcon
No Hat - Bluesky: https://bsky.app/profile/nohatcon.bsk...
G. Pellegrino - Linkedin: / gllpellegrino
G. Pellegrino - X: @gibbersen