Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
RiskIQ Digital Threat Management Platform Datasheet
Learn about our platform and products.
Read the Datasheet
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
March 28, 2017, Mike Browning
Civil society groups such as journalists, humanitarians, and activists face the same level of threat from targeted digital espionage as major companies and governments but have fewer resources to defend themselves. The Citizen Lab, an interdisciplinary research group based at the Munk School of Global Affairs, University of Toronto, is their guardian.
Often, threat actors that target civil society groups also go after well-resourced governments and businesses and are equipped accordingly. But their civil society victims are usually limited in their capacity to identify and mitigate threats, even when the consequences can mean imprisonment or physical harm.
RiskIQ PassiveTotal™ helps the Citizen Lab enrich its investigations of targeted espionage operations by mapping their infrastructure and noting how it changes. The unique Internet data sets in PassiveTotal—such as Host Pairs, WHOIS, and DNS—are sorted, classified, and monitored over time to provide a complete picture of digital adversaries. Infrastructure chaining, a process that leverages the relationships between these highly connected data sets to build out a thorough investigation, allows the Citizen Lab to surface new connections, group similar attack activity, and substantiate assumptions.
Starting with a single point, these analysts can look at any connected data sets to find more indicators. As they branch out at each stage of the investigation, they form a link back to the original starting point. This process uses the highly connected nature of internet data to expand one indicator into many based on overlapping details or shared characteristics, and is self-documenting in the sense that any other analyst can see how connections were made from one data set to the next.
One of the first steps Citizen Lab researchers take when examining a new sample of malware or phishing is quickly looking for related infrastructure inside PassiveTotal’s web interface and Maltego Transforms, which can provide unmatched insight into the behavior of the threat actors they’re tracking:
Fig-1 Domains linked to Scarlet Mimic identified with a PassiveTotal search graphed in Maltego
Pivoting across PassiveTotal datasets lets Citizen Lab researchers identify changes in attacker behavior that can help them anticipate and prevent future attacks. For example, finding repurposed parts of known malware command and control infrastructure in phishing attacks indicates a shift in tactics from targeted malware campaigns to conventional phishing. This intelligence would then help the Citizen Lab recommend defensive measures such as using two-factor authentication and avoiding sending and receiving file attachments by email.
With PassiveTotal, the Citizen Lab recently linked an intrusion attempt on UAE civil rights activist Ahmed Mansoor to infrastructure operated by NSO Group, a vendor of commercial spyware for governments. The investigation led to Apple releasing an out of band patch for IOS, as well as international media coverage of how some commercial surveillance products sold exclusively to governments are being used against civil society:
Fig-2 A Citizen Lab public project inside RiskIQ Community for operation “Stealth Falcon”
Since 2009, RiskIQ has been collecting data from web pages, global sensors, and a robust proxy network to provide analysts with a look back in time at how a given part of the internet once appeared. PassiveTotal supports the concept of infrastructure chaining and extracts all RiskIQ data into one single platform, so analysts can spend their time focusing on threats to their organizations and not data collection/processing.
For more about how the Citizen Lab researchers use PassiveTotal to enrich the analysis of targeted threats against civil society, including images and links to their public projects, visit the Citizen Lab’s case study. To visit the Citizen Lab’s public projects and to start pivoting for yourself, sign up for a free RiskIQ Community account today.