December 6, 2016, Brandon Dixon
When responding to security incidents, one of the primary goals of an investigation should be to identify the “who” behind the attack. Because of the anonymous nature of the internet, identifying the specific individuals involved may not always be possible. However, by analyzing the tactics, techniques, and procedures (TTPs) of the attackers, analysts can establish a basis for identifying a group. Using the concept of threat groups, defenders can begin to associate indicators observed in attacks with a larger narrative.
To mirror the process of the analyst, PassiveTotal has introduced lightweight case management in the form of “projects.” Users now have the option to create both public and private projects with names, descriptions, tags, and collaborators. PassiveTotal projects allow users to group related activity and easily collaborate with others in their organization. Projects also retain the history of an investigation over time, so as new details emerge, get researched, and added to the project, users can be sure they have an accurate audit history.
When designing the projects feature, heavy emphasis was placed on the analyst workflow and on not adding extra steps to that process. It needed to be natural and simple.
Fig-1 Starting a project is a click away
While pivoting inside of PassiveTotal, users can now hover over indicators of interest and add them to a new or existing project. This not only records the indicator, who added it, and when, but also captures the context of where it was added from.
Fig-2 Projects offer comprehensive context around each indicator
As an example of retaining context, if I searched for “riskiq.com,” I may view the WHOIS record to see that the domain was registered by “email@example.com.” If I add that email address to my project at that moment, the project would also record that I was viewing “riskiq.com” as my query when the addition was made.
Fig-3 Deep context around why an email address was added to a project
Visiting a project’s details shows a list of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within PassiveTotal as “living” sets of indicators. As new information is discovered, it can be added directly into the project associated with that profile.
Besides adding projects as a feature, we also changed the way our monitors work and greatly expanded the types of items that can be monitored for change. By consolidating infrastructure data into projects, users get the added benefit of automatic monitoring of any of the supported artifact types. This includes indicators such as keywords, domains, IP addresses, WHOIS registrant data, and more. When RiskIQ detects new information, the alerts tab within the user’s project is populated.
Fig-4 Keywords, domains, IP addresses, and WHOIS registrant data can all now be monitored
Getting alerts directly within a project means a user can easily decide how to act on the alert. In some cases, it might make sense to simply add the new results to the project and move on, but other cases may warrant a deeper investigation. Clicking on the alert details instantly kicks off follow-on analysis that could surface more suspicious or malicious infrastructure.
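To make the two ideas above concrete (an artifact carrying the query it was added under, and a monitor that raises an alert only when a tracked artifact gains a related value the project does not yet hold), here is a small Python model written for this post. It is an added illustration, not PassiveTotal’s code or API; the project name, analyst name, the 192.0.2.0/24 addresses, and `lookalike.example` are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass(frozen=True)
class HistoryEntry:
    artifact: str
    kind: str
    added_by: str
    added_at: datetime
    query: str          # what the analyst was viewing when the artifact was added

@dataclass
class Project:
    name: str
    artifacts: dict = field(default_factory=dict)   # artifact value -> kind
    history: list = field(default_factory=list)     # append-only audit trail

    def add_artifact(self, artifact, kind, added_by, query, now=None):
        """Record the artifact plus who added it, when, and under which query."""
        ts = now or datetime.now(timezone.utc)
        self.artifacts[artifact] = kind
        self.history.append(HistoryEntry(artifact, kind, added_by, ts, query))

    def context_for(self, artifact):
        """Every audit entry for one artifact, oldest first."""
        return [h for h in self.history if h.artifact == artifact]

    def alerts(self, observations):
        """Toy monitor (constructed): observations are (tracked_artifact, kind, value).
        Alert when a tracked artifact gains a related value the project lacks."""
        return [(t, k, v) for t, k, v in observations
                if t in self.artifacts and v not in self.artifacts]

def build_demo_project():
    """Constructed walk-through of the riskiq.com / email@example.com scenario."""
    t0 = datetime(2016, 12, 6, tzinfo=timezone.utc)
    p = Project("Example actor profile")
    p.add_artifact("riskiq.com", "domain", "analyst1", query="riskiq.com", now=t0)
    # Registrant email seen on the WHOIS record while the query was still riskiq.com
    p.add_artifact("email@example.com", "email", "analyst1", query="riskiq.com", now=t0)
    return p

# Constructed observations a monitor might deliver later (192.0.2.0/24 is documentation space)
DEMO_OBSERVATIONS = [
    ("riskiq.com", "ip", "192.0.2.10"),                    # new resolution -> alert
    ("riskiq.com", "email", "email@example.com"),          # already tracked -> no alert
    ("email@example.com", "domain", "lookalike.example"),  # new registrant domain -> alert
    ("other.example", "ip", "192.0.2.20"),                 # not in the project -> ignored
]
```

Running `build_demo_project().alerts(DEMO_OBSERVATIONS)` yields only the two genuinely new values, and `context_for("email@example.com")` shows the email was added while viewing the “riskiq.com” query.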
For many in the security community, sharing information and intelligence is a large part of their daily workflow. Exchanging indicators, known group tactics, and investigation notes is commonplace, but it typically happens manually through email threads. While these processes work, they don’t lend themselves well to larger collaboration or follow-on research. Public projects within PassiveTotal allow users to share both the data and the context that details the steps the analyst took to discover those indicators.
If you aren’t sure where to get started, consider exploring one of the many featured projects inside of the platform by visiting the projects link. We see projects as bridging the gap between static data about a threat actor and the evolving infrastructure they may use for their attacks. By providing users with unlimited, free public projects, we can build a community-powered knowledge base of threat data that can also be used as a starting point for proactive research.
The initial release of PassiveTotal projects is just the beginning, and over the next several months, projects will continue to evolve. Our near-term goals are to add more control to projects, including the ability to subscribe for changes, copy projects directly into your account, and propose changes to existing public projects. Sign up for a free PassiveTotal account to check out the new features, and see what else is new in the platform here.
If you’re already a user, click here to log in and experience our improved DNS record support.