December 14, 2016, Brandon Dixon
PassiveTotal monitors are like automated analysts that keep track of indicators you find interesting and let you know if and when they change. When we introduced a ‘lite’ monitoring capability last year to the PassiveTotal community, the platform sent out thousands of results that may have been missed otherwise. That’s why when redesigning PassiveTotal, we felt it was important to expand our monitoring capability and take it to the next level. We’re excited to announce the debut of enhanced WHOIS monitoring and keyword query support.
With new WHOIS monitors inside the platform, analysts can now proactively stay ahead of their adversaries, enabling them to do more with less. Starting today, users can register monitors against WHOIS records in three different ways:
To illustrate the value of these new monitors, consider the following examples.
Fig-1 Project with WHOIS details being monitored
During your investigation, you identify a malicious domain used for command and control. From RiskIQ’s passive DNS data, PassiveTotal reveals the email address “email@example.com” as the registrant of the domain, taken from its start of authority (SOA) record. Leveraging the new WHOIS monitors, you place a monitor on the WHOIS email field.
Fig-2 Sample results from the WHOIS monitors
Several days later, you receive a PassiveTotal alert letting you know a new, unknown domain was registered using the email address. A quick look at the registrant alerts reveals that this actor appears to be typosquatting multiple legitimate websites, possibly as part of a larger phishing campaign.
Fig-3 Sample project focused on monitoring the PassiveTotal brand
As a senior member of the risk team within your company, it’s critical that you identify anyone using your brand in unsanctioned or nefarious ways. Keeping track of all the new domains registered on a daily basis is difficult, time-consuming, and tedious. Using the new WHOIS keyword monitors inside of PassiveTotal, automation is just a click away. Shortly after registering your company’s name as a keyword, you receive several alerts outlining new domains that have used your company’s name inside of the “organization” and “email” fields of the WHOIS record.
Using PassiveTotal, you identify that a few of these domains are legitimate and part of a new marketing initiative, but several are linked to open source intelligence (OSINT) reporting that mentions malicious activity. Without monitors, these domains could have gone unnoticed and brought negative attention to your company.
Fig-4 Alert matches from passive DNS keyword monitors
Along with WHOIS alerting, we also added keyword support for newly observed hostnames, based on RiskIQ’s vast array of passive DNS sensors distributed across the globe. As data is processed inside of our local databases, we identify new hostnames never seen before and check them for keyword hits against user monitors. This capability opens up a range of uses, including looking for company brand terms, subdomain infringement, specific actor patterns, and keywords based on current events.
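To make the two matching behaviours described above concrete (WHOIS keyword monitors on the “email” and “organization” fields, and keyword hits against hostnames that have never been observed before), here is a small added example in Python. It is not PassiveTotal code; the monitor names, the `Monitor`/`MonitorState` classes and all WHOIS and hostname records are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Monitor:
    keyword: str                                   # brand term or registrant email to watch for
    fields: tuple = ("email", "organization")      # WHOIS fields the keyword is checked against


@dataclass
class MonitorState:
    monitors: list
    seen_hostnames: set = field(default_factory=set)   # hostnames already observed

    def check_whois(self, record: dict) -> list:
        """Return (keyword, domain, field) alerts for monitored WHOIS fields containing a keyword."""
        alerts = []
        for m in self.monitors:
            for f in m.fields:
                if m.keyword.lower() in record.get(f, "").lower():
                    alerts.append((m.keyword, record["domain"], f))
        return alerts

    def check_hostname(self, hostname: str) -> list:
        """Alert only on hostnames never seen before; repeated observations produce nothing."""
        host = hostname.lower().rstrip(".")            # normalise case and trailing dot
        if host in self.seen_hostnames:
            return []
        self.seen_hostnames.add(host)
        return [(m.keyword, host, "hostname") for m in self.monitors if m.keyword.lower() in host]


# Constructed sample records (hypothetical brand "examplecorp"; not real WHOIS or DNS data).
SAMPLE_WHOIS = [
    {"domain": "examplecorp-promo.example", "email": "marketing@examplecorp.example", "organization": "ExampleCorp Inc"},
    {"domain": "login-examplecorp.example", "email": "registrant@example.com", "organization": "Privacy Service"},
    {"domain": "unrelated.example", "email": "someone@other.example", "organization": "Other LLC"},
]
SAMPLE_HOSTNAMES = ["mail.examplecorp.example", "ExampleCorp-Support.example.",
                    "mail.examplecorp.example", "cdn.other.example"]


def run_sample() -> list:
    """Run a brand monitor and a registrant-email monitor over the sample data."""
    state = MonitorState([Monitor("examplecorp"), Monitor("registrant@example.com", fields=("email",))])
    alerts = []
    for rec in SAMPLE_WHOIS:
        alerts += state.check_whois(rec)
    for host in SAMPLE_HOSTNAMES:
        alerts += state.check_hostname(host)
    return alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The duplicate `mail.examplecorp.example` observation is deliberately included to show that only the first sighting of a hostname raises an alert.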
When we first launched monitors, it made sense to simply place them on the search results of domains and IP addresses. With the new redesign of PassiveTotal, we wanted to integrate the monitors in a way that felt natural to the analyst workflow. In nearly all cases, users of monitors were grouping their activity by threat group, campaign, or specific theme. Once we noticed this behavior, we decided to also offer monitors as an extension of PassiveTotal projects, in the form of monitoring profiles.
Fig-5 Monitors as an extension of projects
Users looking to take advantage of PassiveTotal monitors simply need to create a project with the monitor profile of their choice and begin adding artifacts to it. Artifacts can be added directly from the project details page, or while performing an investigation within the platform by hovering over the indicator of interest and selecting the corresponding project. Once added, PassiveTotal will begin monitoring the artifact based on its value type and automatically alert the user, collaborators, and subscribers to any changes.
We see our enhanced level of monitors as a significant advancement in platform capability. Analysts already save time every day through the alerts they get from PassiveTotal and these new monitors now provide a way to defend against new threats proactively. By combining the concept of monitors with PassiveTotal projects, we think users will begin to discover new infrastructure they didn’t realize existed.
Sign up for a free PassiveTotal account to check out the new features, and see what else is new in the platform here. If you’re already a user, click here to log in and experience our new education features.