March 14, 2017, Mike Browning
To try pivoting across RiskIQ’s unique internet data sets for yourself, sign up for RiskIQ Community Today.
Internet data sets help digital threat hunters investigate and expose the infrastructure being used by attackers against their organization so they can find, block, and prevent attacks.
Every day, security professionals are leveraging the relationships between the highly connected data collected by RiskIQ, pivoting on the unique data sets in PassiveTotal to surface new connections, group similar attack activity, and substantiate assumptions during incident response. Recently, there has been an abundance of examples of researchers using PassiveTotal to uncover clues that unmask the threat actors targeting them.
While researching the Nebula EK, threat researcher John Swanson used PassiveTotal to research a known Nebula EK delivery subdomain linked to the Yugoslavian Business Network. From this one artifact, he determined a trove of information crucial to his investigation:
Fig-1 WHOIS information for the subdomain listed in PassiveTotal
Swanson found 114 domains registered with the identical “Kreb’s” firstname.lastname@example.org e-mail address and phone number. Pivoting on these domains returned only one IP address, which meant the group relied heavily on subdomains. This information provided crucial context to his investigation, which ultimately helped him conclude that Nebula is a new iteration of the Sundown exploit kit, probably operated by the Yugoslavian Business Group or a closely related group of actors.
You can see Swanson’s public project here.
According to ClearSky Cyber Security, RiskIQ’s Host Pairs data set helped uncover infrastructure belonging to a threat group targeting Israel Electric Company, the largest supplier of electrical power in Israel. Host pairs are a unique PassiveTotal data set whose connections can range from a top-level redirect (HTTP 302) to something more complex like an iframe or script source reference. What makes this data set compelling is that it gives researchers the ability to understand relationships between hosts based on details from visiting the actual page. Host Pairs relies on knowing website content, so it is likely to surface values that other sources like passive DNS and SSL certificates do not.
According to ClearSky’s blog, between April 2016 and February 2017, the threat group spread malware via breached Israeli websites, as well as self-hosted and cloud-based sites. Within the site journey-in-israel[.]com, the attackers inserted an exploit code for CVE-2014-6332, a Windows code execution vulnerability. The attackers also registered and built the malicious websites:
sourcefarge[.]net (similar to legitimate software website sourceforge.net)
According to PassiveTotal, the latter was redirecting to journey-in-israel[.]com and iec-co-il[.]com, which is confirmed below:
Fig-2 The Host Pairs data set shows “sourcefarge” pointing to the malicious URLs via a redirect
The PassiveTotal public project for this campaign, dubbed “Operation Electric Powder,” which includes all the artifacts used by the threat actors, can be found here.
Host pairs were also used in an investigation of threat actors installing unauthorized code on the websites of Polish banking establishments and using them against the computer systems of global monetary institutions. According to a report by the Wall Street Journal, these attacks share traits with the 2014 assault on Sony Corp linked to the Lazarus Group.
A preliminary investigation by BadCyber suggests that the starting point for the infection could have been located on the web server of the Polish financial sector regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious code on selected targets.
The investigation used PassiveTotal’s Host Pairs to confirm that the attack originated from external sources. Below, under the “Host Pairs” tab in PassiveTotal, you can see that RiskIQ crawlers observed the KNF website pointing to the malicious URLs via an iframe:
Fig-3 Host Pairs show the KNF.gov website referencing two URLs cited as malicious by BadCyber
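As an added illustration of how host-pair relationships like those in Fig-2 and Fig-3 are derived from crawled content (a 302 redirect, an iframe, or a script source reference), the snippet below is example code written for this post, not RiskIQ’s crawler. The redirect sample reuses the sourcefarge/journey-in-israel pair described above; the hosts referenced from the KNF sample page are constructed placeholders, not the URLs BadCyber cited.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collects iframe and script src references from crawled page content."""

    def __init__(self):
        super().__init__()
        self.refs = []  # (relation, raw url as written in the page)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def extract_host_pairs(parent_url, status, headers, body):
    """Return the set of (parent_host, child_host, relation) observed when
    crawling parent_url. Only cross-host links are kept: a page referencing
    its own host says nothing about external infrastructure."""
    parent_host = urlsplit(parent_url).hostname
    candidates = []
    # A redirect is a host pair even when there is no body to parse.
    if status in (301, 302, 303, 307, 308) and headers.get("Location"):
        candidates.append(("redirect", headers["Location"]))
    parser = _RefCollector()
    parser.feed(body or "")
    candidates.extend(parser.refs)
    pairs = set()
    for relation, raw in candidates:
        # urljoin resolves relative and protocol-relative references
        # (e.g. "/js/local.js", "//cdn.example/x.js") against the parent.
        child_host = urlsplit(urljoin(parent_url, raw)).hostname
        if child_host and child_host != parent_host:
            pairs.add((parent_host, child_host, relation))
    return pairs


# Constructed samples, not real crawl data. The placeholder .test hosts
# stand in for the external URLs the post describes as malicious.
SAMPLES = [
    ("http://sourcefarge.net/", 302, {"Location": "http://journey-in-israel.com/"}, ""),
    ("https://www.knf.gov.pl/", 200, {},
     '<html><script src="/js/local.js"></script>'
     '<script src="//placeholder-cdn.test/loader.js"></script>'
     '<iframe src="http://placeholder-injected.test/x.html" width=0></iframe></html>'),
]


def host_pairs_for_samples():
    """Aggregate host pairs across all constructed samples."""
    pairs = set()
    for url, status, headers, body in SAMPLES:
        pairs |= extract_host_pairs(url, status, headers, body)
    return pairs
```

Grouping the resulting pairs by child host gives the pivot the post describes: every crawled parent that pulled content from the same external host.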
PassiveTotal’s ever-expanding data provides new context on adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real time to changes in DNS and domain resolution, WHOIS registration, and the appearance of new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations, allowing analysts and research teams to be more effective and agile in their investigations.
For more on RiskIQ’s unique internet data sets, download Using Internet Data Sets to Understand Digital Threats.