PassiveTotal Projects: Investigative Case Management

December 6, 2016, Brandon Dixon

When responding to security incidents, one of the primary goals of an investigation should be to identify the "who" behind the attack. Because of the anonymous nature of the internet, identifying the specific individuals involved may not always be possible. However, by analyzing the tactics, techniques, and procedures (TTPs) of the attackers, analysts can establish a basis for identifying a group. Using the concept of threat groups, defenders can begin to associate indicators observed in attacks with a larger narrative.

To mirror the process of the analyst, PassiveTotal has introduced lightweight case management in the form of "projects." Users now have the option to create both public and private projects with names, descriptions, tags, and collaborators. PassiveTotal projects allow users to group related activity and easily collaborate with others in their organization. Projects also retain the history of an investigation over time, so as new details emerge, are researched, and are added to the project, users can be sure they have an accurate audit history.

Seamless Workflow

When designing the projects feature, heavy emphasis was placed on the analyst workflow and not adding additional steps to their process. It needed to be natural and simple.

Fig-1 Starting a project is a click away

While pivoting inside PassiveTotal, users can now hover over indicators of interest and add them to a new or existing project. This process tracks not only the indicator itself, but also who added it, when it was added, and the context of where it was added from.

Fig-2 Projects offer comprehensive context around each indicator

As an example of retaining context, if I searched for "www.riskiq.com," I might view the WHOIS record and see that the domain was registered by "domains@www.riskiq.com." If I add that email address to my project at that moment, the project entry would also record that "www.riskiq.com" was my active query when the addition was made.

Fig-3 Deep context around why an email address was added to a project

Visiting a project's details shows a list of all associated artifacts and a detailed history that retains all the context described above. Users within the same organization no longer need to spend time communicating back and forth. Threat actor profiles can be built within PassiveTotal as "living" sets of indicators. As new information is discovered, it can be added directly into the project associated with that profile.

Automatic Monitoring

Besides adding projects as a feature, we also changed the way our monitors work and greatly expanded the types of items that can be monitored for change. By consolidating infrastructure data into projects, users get the added benefit of automatically monitoring any of the supported artifact types. This includes indicators such as keywords, domains, IP addresses, WHOIS registrant data, and more. When RiskIQ detects new information, the alerts tab within the user's project will be populated.

Fig-4 Keywords, domains, IP addresses, and WHOIS registrant data can all now be monitored

Getting alerts directly within a project means a user can easily decide how to act on the alert. In some cases, it might make sense to simply add the new results to the project and move on, but other cases may warrant a deeper investigation. Clicking on the alert details will instantly kick off follow-on analysis that could surface more suspicious or malicious infrastructure.

Working Together

For many in the security community, sharing information and intelligence is a large part of their daily workflow. Exchanging indicators, known group tactics, and investigation notes is commonplace, but it typically happens manually through email threads. While these processes work, they don't lend themselves well to larger collaboration or follow-on research. Public projects within PassiveTotal allow users to share both the data and the context that details the steps the analyst took to discover those indicators.

If you aren't sure where to get started, consider exploring one of the many featured projects inside the platform by visiting the projects link. We see projects as bridging the gap between static data about a threat actor and the evolving infrastructure they may use for their attacks. By providing users with unlimited, free public projects, we can build a community-powered knowledge base of threat data that can also serve as a starting point for proactive research.

Future of Projects

The initial release of PassiveTotal projects is just the beginning, and over the next several months, projects will continue to evolve. Our near-term goals are to add more control to projects, including the ability to subscribe to changes, copy projects directly into your account, and propose changes to existing public projects. Sign up for a free PassiveTotal account to check out the new features, and see what else is new in the platform here.

If you’re already a user, click here to login and experience our improved DNS record support.