In the early days of PassiveTotal, we simply displayed passive DNS results inside of an HTML table. This was fine at first, but as time went on, we noticed that we were spending a lot of effort focusing on each date, mapping it to our research and trying to ensure the domain or IP we were analyzing actually fit within our timeline. We made mistakes, missed minor changes and completely failed to observe the data in its natural form, a heatmap.
According to a study published in January of 2014 by MIT, the human brain is capable of processing an entire image in as little as 13 milliseconds of exposure. When Steve and I designed the heatmap, we did so with that thought in our heads. If we could find a way to turn six months of raw data into a color-coded, static image, then in theory, we as analysts could interpret results faster; maybe not 13 milliseconds fast, but certainly a lot faster than parsing a table.
To better explain the heatmaps, we have picked two example indicators used in targeted attacks, microsoft-outlook.org and 103.42.13.116. Since domains and IP addresses have their own respective properties, the data will be slightly different, but the look will be the same.
Without looking at any of the raw passive DNS records, it's possible to glean several details about this domain at a glance:
The heatmap shows analysts where to focus their research and raises questions that would normally go overlooked when viewing the raw data in a table. As an analyst myself, my first point of focus would be the one day in January where a new address was introduced and exposed. Was an attack conducted that day? Did the operators swap over to new infrastructure accidentally? How come the domain never seemed to resolve to a routable address again?
Beyond the static components of the heatmap, we also provide the ability to get the exact date and unique resolving addresses for the day by hovering over each square. On 01/21/2015, I can see microsoft-outlook.org resolved to 103.42.13.116.
As mentioned before, because domains and IP addresses have different properties, we map different data points. When querying for an IP address, the heatmap will show dynamic DNS and registered (purchased through a registrar) domains. Based on this heatmap, we can glean the following:
Given the previous context from the first heatmap, we know that at least one of the domains on January 21st was microsoft-outlook.org. Hovering over that square reveals www.trendmicro-update.org, yet another domain used in targeted attacks and potentially by the same set of actors.
As an analyst, my focus now lies on the fact that two registered domains resolved to this address for one day, while the rest of the data shows the use of a dynamic DNS provider. Again, did the operators make a mistake? Is there further overlap between trendmicro-update.org and microsoft-outlook.org? Did the operators decide to start using dynamic DNS as a way to help reduce insight into their infrastructure?
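The two heatmaps described above (per-day unique resolutions for a domain, and per-day dynamic DNS versus registered domains for an IP) can be reduced to a few small functions. This is an added example, not PassiveTotal's code; the observations, the `.no-ip.example`/`.dyn.example` dynamic DNS suffixes and the `127.0.0.1` placeholder are constructed for illustration, not taken from the post.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample observations (date, indicator, resolution); not real passive
# DNS data, only shaped like the two indicators discussed in the post.
SAMPLE = [
    ("2015-01-19", "microsoft-outlook.org", "127.0.0.1"),
    ("2015-01-21", "microsoft-outlook.org", "103.42.13.116"),
    ("2015-01-22", "microsoft-outlook.org", "127.0.0.1"),
    ("2015-01-19", "103.42.13.116", "host1.no-ip.example"),
    ("2015-01-21", "103.42.13.116", "microsoft-outlook.org"),
    ("2015-01-21", "103.42.13.116", "www.trendmicro-update.org"),
    ("2015-01-22", "103.42.13.116", "host1.no-ip.example"),
]
# Assumed dynamic DNS suffixes; PassiveTotal's real provider list is not on the page.
DDNS_SUFFIXES = (".no-ip.example", ".dyn.example")

def daily_resolutions(records, indicator):
    """Map each day (ISO string) to the set of unique values seen for the indicator."""
    days = defaultdict(set)
    for day, ind, value in records:
        if ind == indicator:
            days[day].add(value)
    return dict(days)

def heatmap_cells(days, start, ndays):
    """One cell per calendar day: (date, unique resolution count), blank days included."""
    first = date.fromisoformat(start)
    cells = []
    for d in range(ndays):
        day = (first + timedelta(days=d)).isoformat()
        cells.append((day, len(days.get(day, ()))))
    return cells

def first_seen_days(days):
    """Days on which a never-before-seen value appears: the squares worth questioning."""
    seen, out = set(), []
    for day in sorted(days):
        new = days[day] - seen
        if new:
            out.append((day, sorted(new)))
        seen |= days[day]
    return out

def ip_heatmap(records, ip):
    """Per-day (dynamic DNS, registered) domain counts for an IP, as in the IP-side heatmap."""
    out = {}
    for day, names in daily_resolutions(records, ip).items():
        dyn = sum(n.endswith(DDNS_SUFFIXES) for n in names)
        out[day] = (dyn, len(names) - dyn)
    return out
```

Running `first_seen_days` over the domain's cells singles out the January day on which the new address appeared, and `ip_heatmap` shows that same day as the only one with registered rather than dynamic DNS domains.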
Steve and I have been using our new heatmap design for the past several months and it's changed the way we do research. What used to take hours of analysis can now sometimes be solved within the first few seconds of seeing the image on the results page, and that's before we even get to the actual data. We know the idea is different and may take some getting used to, but hope it's able to help others like it has us. Expect to see gradual changes in the feature over the coming months.