Hashes or it Didn't Happen

Analyst

Hashes or it Didn’t Happen

May 03, 2016

By Steve Ginty

If you've been in the trenches of cyber security research, you may be familiar with the phrase, hashes or it didnt happen. Its a testament to the importance of having malware when conducting an investigation and its something PassiveTotal has historically lacked inside the platform. Our focus has always been to provide the most comprehensive infrastructure solution while working with companies dedicated to the processing malware to fill our gaps. Starting today, we are happy to announce that Proofpoint Emerging Threats data will be available to all users within PassiveTotal.

Emerging Threats is a household name in the cyber security community and has been processing malicious samples in their sandboxes for years. Partnering with them lets us connect those millions of samples with command and control data directly to the infrastructure being queried inside of PassiveTotal. In short, you will notice the Potential Malware tab showing up a lot more in your search results with a lot more malware leads.

Fortunately for us and our community, Emerging Threats also kept the resolution data with timestamps when they ran the samples, so in a way, they created a very specific historic DNS database. Weve taken this data and wrapped it up inside a module to create a new source of passive DNS appropriately labeled emerging_threats. Similar to our other sources of passive DNS, this will show up when running queries and should provide even more research leads.

How do I get this data?

Easy, just run queries like you normally would. When we pushed the Emerging Threats module out to the production servers, we also modified the allowed sources for each account to include Emerging Threats. This source will now be on by default for all new and existing accounts, but can easily be toggled off from within the API associations settings in your account.

In order to access the malware data, you will need to run a query that hits in the Emerging Threats database. If data is found, we will populate the Potential Malware tab with the source of data and the hash. In order to view the details of the file and respective sandbox run, you will need access to Proofpoints threat intelligence portal, but at the very least, its a good lead in knowing some malware exists.

Hashes for All

Running sandboxes at scale and processing a near infinite amount of samples was not something we wanted to focus on because we saw a rich selection of open source, commercial and private repositories that the community was accessing. Emerging Threats is certainly one of the leaders in our industry and we couldnt be happier to be working with them. If you have any questions or comments related to this new set of data, please reach out to feedback@passivetotal.org.

Featured Posts

External Threat Management

The RiskIQ Intelligence Connector for Microsoft Azure Sentinel Is the Context-Rich Force Multiplier Security Teams Need

Digital initiatives have changed the enterprise attack surface and how organizations appear online, both to users and malicious actors. Meanwhile, the threat landscape has evo...

#TwitterHack: How RiskIQ Data Exposed Hundreds of Domains Belonging to the Attackers

The discussions in the coming days and weeks surrounding yesterday's large-scale compromise of verified Twitter accounts, including those of Joe Biden, Barack Obama, and Bill G...

Partner Deep-Dive: RiskIQ Security Intelligence Services for Splunk

The average organization's digital presence has exploded in size. Even before COVID-19 spread their staff and operations outside the firewall, businesses were rapidly migrating...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

RiskIQ Illuminate® Datasheet

RiskIQ Illuminate® Datasheet

COVID-19 Solution Brief

5-Questions Security Intelligence Must Answer

5-Questions Security Intelligence Must Answer