Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
John is a tier-two threat analyst on a SOC team that consists of five analysts. John, whose team works for a public sector organization, uses RiskIQ PassiveTotal daily to aid his investigations of indicators of compromise (IOCs) with minimal false positives during incident response.
The team leverages the relationships between the highly connected data collected by RiskIQ inside the RiskIQ PassiveTotal platform, pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each IOC.
However, John’s team did not always use RiskIQ PassiveTotal.
Once upon a time, they used a manual, highly segmented workflow comprised of a cocktail of different tools. According to John, below is an example of what a typical incident response might have looked like for him in the pre-PassiveTotal days. We will use an IP from a recent event in which the Lazarus Group attacked Polish banking establishments as the example.
The IP 109[.]164[.]247[.]169 is flagged through IDS.
1. John logs into Domain Tools for IP WHOIS lookup, which provides WHOIS information such as the resolving host, WHOIS history, contract emails, and more:
Fig-1 WHOIS info inside DomainTools
2. In a separate tab, he opens Mnemonic for Passive DNS lookup, which pulls in domains resolving to the suspect IP:
Fig-2 DNS lookup inside Mnemonic
3. To see if there is any open source intelligence on the IP, he opens several tabs to search multiple sources, such as Phishtank, FireEye blog, Facebook, threat exchange, and more:
Fig-3 Various OSINT tools
4. Next, he opens up a new tab to check the domains he found in Mnemonic against hashes in VirusTotal:
Fig-4 Hashes inside VirusTotal
Through these steps, John was able to gather a good deal of knowledge about this IP—WHOIS information, passive DNS, OSINT, and hashes. If his initial research uncovers something interesting, John could spend more time on that area to dive deeper. Doing investigations this way can easily take anywhere from 10-15 minutes each, with up to six different sources.
Now, let’s take a look at what the same investigation would look like today, now that threat analyst, John and his team uses RiskIQ PassiveTotal.
1. John takes the flagged IP and queries it inside the RiskIQ PassiveTotal platform. Immediately, the WHOIS and passive DNS data are presented in a visual heat map.
2. Utilizing the heatmap, John can pinpoint and narrow down his investigation based on unique changes. All historical IP/Domain resolutions are displayed under resolutions allowing John to quickly observe all historical resolutions in a single view:
Fig-5 Querying the IP combines all six sources in the old method into one
3. John pivots from the domain under the ‘resolutions’ tab, which automatically will run a query on ‘sap[.]misapor[.]ch’:
Fig-6 Querying DNS data in RiskIQ PassiveTotal
The RiskIQ PassiveTotal interface displays detailed contextual information such as OSINT, RiskIQ proprietary BlackList, Malware and more, allowing John to stay inside of the platform to conduct his investigation further. The entire process is seamless and took less than a few minutes without ever having to leave the platform.
Fig-7 Data shows that threat analysts who use RiskIQ PassiveTotal save time
As seen above, by using RiskIQ PassiveTotal the time spent on this investigation was cut by more than half. On top of time savings, RiskIQ PassiveTotal aggregates data into one single view, so threat analysts like John no longer need to visit or subscribe to multiple sources.
Fig-8 Data shows that threat analysts enjoy RiskIQ PassiveTotal’s comprehensive data
In addition to the datasets presented above, RiskIQ PassiveTotal has many unique datasets derived from data captured during our virtual user crawling sessions. For example, the Host Pairs dataset is generated when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites. By confirming that the attack originated from external sources, Host Pairs played a huge role in the investigation of Polish Bank hack when it showed that the malicious domain (sap[.]misapor[.]ch) was linked to a legitimate Polish bank via an iframe.
Below, you can see RiskIQ crawlers observed the KNF website pointing to two malicious URLS via an iframe:
Fig-9 The unique Host Pairs data set shows iframes pointing to external sources
RiskIQ PassiveTotal’s ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows threat analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community Today.
Some organisations have a mature attack surface management programme, others are just starting on the journey, evaluating the scope of their programme and identifying where to start, notes Aaron Mog of @RiskIQ
#informationsecurity #GDPR #CyberSecurity
Get your #RSAC 2020 party started by joining RiskIQ at IGNITE, hosted by @FlashpointIntel! Register now: https://t.co/XhmW7kUCY8
Now you can see why we named it Magecart 🙃 it’s where it started in 2014. A group normally skimming data through Mage.php when a cart checkout is done, started pioneering a client-side JS skimmer.
The rest of the story can be read in our 2018 report: https://t.co/aGlU984pTU https://t.co/AwDlwdb36p
Based on data from @riskiq it appears this campaign by the Russian GRU to hack and breach Burisma in Ukraine started around 11-11-2019 (and possibly earlier) with the registration of the domain kub-gas[.]com cc @Ushadrons @file411 @IdeaGov #infosec #phishing #malware #disinfo
RiskIQ is excited to announce that growth expert Christophe Culine has joined our team as Chief Revenue Officer, leading our sales organization to great things in 2020 and beyond https://t.co/DYCAOfYeIa