Connecting Dots with SSL Certificates: Finding Threat Actors with Graph Theory
ID: 4bdb5e9d-51eb-506f-b842-9bf84a36f46a
STIX ID: report--4bdb5e9d-51eb-506f-b842-9bf84a36f46a
Feed Name: Infoblox Blog
Infoblox describes a certificate-driven threat-intelligence pipeline that uses Certificate Transparency logs and graph analysis of SSL/TLS SAN fields to link domains into connected components. This enables discovery and prioritization of malicious infrastructure, attribution and consolidation of threat actor identities, and expansion of coverage via association. The report includes concrete discoveries such as a 109-domain Apple lookalike cluster, 174 e-commerce scam sites, RDGA-generated domains, and various crypto/Google/Telegram impersonation domains.
