PassiveTotal: Core to the Citizen Lab's Infrastructure Analysis Workflow

PassiveTotal: Part of the Citizen Lab’s Core Workflow

March 28, 2017, Mike Browning

Civil society groups such as journalists, humanitarians, and activists face the same level of threat from targeted digital espionage as major companies and governments but have fewer resources to defend themselves. The Citizen Lab, an interdisciplinary research group based at the Munk School of Global Affairs, University of Toronto, is their guardian.

Often, threat actors that target civil society groups also go after well-resourced governments and businesses and are equipped accordingly. But their civil society victims are usually limited in their capacity to identify and mitigate threats, even when the consequences can mean imprisonment or physical harm.

Infrastructure Chaining with PassiveTotal

RiskIQ PassiveTotal™ helps the Citizen Lab enrich its investigations of targeted espionage operations by mapping their infrastructure and noting how it changes. The unique Internet data sets in PassiveTotal—such as Host Pairs, WHOIS, and DNS—are sorted, classified, and monitored over time to provide a complete picture of digital adversaries. Infrastructure chaining, a process that leverages the relationships between these highly connected data sets to build out a thorough investigation, allows the Citizen Lab to surface new connections, group similar attack activity, and substantiate assumptions.

Starting with a single point, these analysts can look at any connected data sets to find more indicators. As they branch out at each stage of the investigation, they form a link back to the original starting point. This process uses the highly connected nature of internet data to expand one indicator into many based on overlapping details or shared characteristics, and is self-documenting in the sense that any other analyst can see how connections were made from one data set to the next.
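The chaining process described above, as an added illustration that is not code from RiskIQ, PassiveTotal or the Citizen Lab: a breadth-first pivot over constructed passive-DNS and WHOIS records (all domains, IPs and registrant addresses are made-up sample values) that records, for every indicator it surfaces, which data set linked it to its parent, so the chain back to the seed can be replayed by another analyst.

```python
# Added example, not PassiveTotal's own code. Constructed sample data only.
from collections import deque

PDNS = {  # domain -> set of IPs it resolved to (constructed)
    "seed-phish.example": {"192.0.2.10"},
    "second-stage.example": {"192.0.2.10", "192.0.2.11"},
    "unrelated.example": {"198.51.100.7"},
}
WHOIS = {  # domain -> registrant email (constructed)
    "seed-phish.example": "reg-a@example.net",
    "second-stage.example": "reg-a@example.net",
    "third.example": "reg-a@example.net",
    "unrelated.example": "reg-b@example.net",
}

def neighbors(indicator):
    """Yield (related_indicator, data_set) for one pivot step."""
    for ip in PDNS.get(indicator, ()):          # domain -> IP via passive DNS
        yield ip, "pdns"
    for dom, ips in PDNS.items():               # IP -> other domains via passive DNS
        if indicator in ips:
            yield dom, "pdns"
    email = WHOIS.get(indicator)
    if email:                                   # domain -> domains sharing a registrant
        for dom, e in WHOIS.items():
            if e == email:
                yield dom, "whois"

def chain(seed, max_depth=2):
    """BFS from seed; returns {indicator: (parent, data_set, depth)}."""
    found = {seed: (None, "seed", 0)}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        depth = found[cur][2]
        if depth >= max_depth:                  # bound the expansion
            continue
        for nxt, ds in neighbors(cur):
            if nxt not in found:                # first discovery wins, keeps provenance
                found[nxt] = (cur, ds, depth + 1)
                queue.append(nxt)
    return found

def explain(found, indicator):
    """Walk parents back to the seed: the documented pivot path."""
    path = []
    while indicator is not None:
        parent, ds, _ = found[indicator]
        path.append((indicator, ds))
        indicator = parent
    return list(reversed(path))
```

Each hop in the returned path names the data set that justified it, which is the self-documenting property the paragraph describes; tightening `max_depth` is how an analyst keeps a pivot from absorbing shared hosting or registrar noise.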

One of the first steps Citizen Lab researchers take when examining a new sample of malware or phishing is quickly looking for related infrastructure inside PassiveTotal’s web interface and Maltego Transforms, which can provide unmatched insight into the behavior of the threat actors they’re tracking:

RiskIQ's PassiveTotal™ helps the Citizen Lab analysts enrich their infrastructure analysis of targeted espionage operations.

Fig-1 Domains linked to Scarlet Mimic identified with a PassiveTotal search graphed in Maltego

Pivoting across PassiveTotal datasets lets Citizen Lab researchers identify changes in attacker behavior that can help them anticipate and prevent future attacks. For example, finding repurposed parts of known malware command and control infrastructure in phishing attacks indicates a shift in tactics from targeted malware campaigns to conventional phishing. This intelligence would then help the Citizen Lab recommend defensive measures such as using two-factor authentication and avoiding sending and receiving file attachments by email.

The Citizen Lab in Action

With PassiveTotal, the Citizen Lab recently linked an intrusion attempt on UAE civil rights activist Ahmed Mansoor to infrastructure operated by NSO Group, a vendor of commercial spyware for governments. The investigation led to Apple releasing an out-of-band patch for iOS, as well as international media coverage of how some commercial surveillance products sold exclusively to governments are being used against civil society:

Fig-2 A Citizen Lab public project inside RiskIQ Community for operation “Stealth Falcon”

Start Pivoting Like the Citizen Lab

Since 2009, RiskIQ has been collecting data from web pages, global sensors, and a robust proxy network to provide analysts with a look back in time at how a given part of the internet once appeared. PassiveTotal supports the concept of infrastructure chaining and consolidates all RiskIQ data into a single platform, so analysts can spend their time focusing on threats to their organizations rather than on data collection and processing.

For more about how the Citizen Lab researchers use PassiveTotal to enrich the analysis of targeted threats against civil society, including images and links to their public projects, visit the Citizen Lab’s case study. To visit the Citizen Lab’s public projects and to start pivoting for yourself, sign up for a free RiskIQ Community account today.