In the early days of PassiveTotal, we simply displayed passive DNS results inside of an HTML table. This was fine at first, but as time went on, we noticed that we were spending a lot of effort focusing on each date, mapping it to our research and trying to ensure the domain or IP we were analyzing actually fit within our timeline. We made mistakes, missed minor changes and completely failed to observe the data in its natural form, a heatmap.
According to a study published in January of 2014 by MIT, the human brain is capable of processing an entire image in as little as 13 milliseconds of exposure. When Steve and I designed the heatmap, we did so with that thought in our heads. If we could find a way to turn six months of raw data into a color-coded, static image, then in theory, we as analysts could interpret results faster; maybe not 13 milliseconds fast, but certainly a lot faster than parsing a table.
To better explain the heatmaps, we have picked two example indicators used in targeted attacks, microsoft-outlook.org and 184.108.40.206. Since domains and IP addresses have their own respective properties, the data will be slightly different, but the look will be the same.
Without having any actual passive DNS data, its possible to instantly glean several details about this domain:
- In mid-December, the domain resolved to a routable and non-routable IP address for 6 days in a row
- In mid-January, the domain resolved to a never-before-seen routable address and a non-routable address just for a single day
- As of today, the domain is actively resolving to a non-routable address
The heatmap aids analysts in where to focus their research and generates questions that would normally go overlooked simply by viewing the raw data in a table. As an analyst myself, my first point of focus would be the one day in January where a new address was introduced and exposed. Was an attack conducted that day? Did the operators swap over to new infrastructure accidently? How come the domain never seemed to resolve to a routable address again?
Beyond the static components of the heatmap, we also provide the ability to get the exact date and unique resolving addresses for the day by hovering over each square. On 01/21/2015, I can see microsoft-outlook.org resolved to 220.127.116.11.
As mentioned before, because domains and IP addresses have different properties, we map different data points. When querying for an IP address, the heatmap will show dynamic DNS and registered (purchased through a registrar) domains. Based on this heatmap, we can glean the following:
- In mid-January, two registered domains began resolving to 18.104.22.168
- Almost a week from the first domain associations, a new dynamic DNS domain can be seen resolving to 22.214.171.124
- At the start of April, a new dynamic DNS domain was seen resolving to 126.96.36.199
Given the previous context from the first heatmap, we know that at least one of the domains on January 21st was microsoft-outlook.org. Hovering over that square reveals www.trendmicro-update.org, yet another domain used in targeted attacks and potentially by the same set of actors.
As an analyst, my focus now lies on the fact that two registered domains resolved to this address for one day, while the rest of the data shows the use of a dynamic DNS provider. Again, did the operators make a mistake? Is there further overlap between trendmicro-update.org and microsoft-outlook.org? Did the operators decide to start using dynamic DNS as a way to help reduce insight into their infrastructure?
Steve and I have been using our new heatmap design for the past several months and its changed the way we do research. What used to take hours of analysis can now sometimes be solved within the first few seconds of seeing the image on the results page and thats before we even get to the actual data. We know the idea is different and may take some getting used to, but hope it's able to help others like it has us. Expect to see gradual changes in the feature over the coming months.