August 04, 2015
As organizations increasingly find themselves defending their networks against a multitude of attacks, the need to make a confident and quick assessment of an attack or the motivations of actors can be critical to mounting appropriate defenses. Threat actor-based data collected from Deep & Dark Web forums, sharing networks and exchanges, however, can shed a unique light on illicit communities and offers analysts additional context and understanding surrounding potentially threatening activity against infrastructure.
With this current threat environment in mind, PassiveTotal and Flashpoint are excited to announce a partnership that will bring threat actor-based threat intelligence to the PassiveTotal platform. Through this partnership, Flashpoint customers will now be able to access integrated intelligence on illicit actors and activity from the dark web while conducting threat infrastructure research in the PassiveTotal platform.
Starting today, Flashpoint customers can associate their API credentials with their account using our API associations page. Once validated, analysts will have Flashpoint's vast repository of Deep & Dark Web data readily available while conducting threat infrastructure analysis. When searching for a domain or IP address, PassiveTotal will actively query Flashpoint's intelligence repository to see if it associates the entity of interest with any known malicious activity. If data is available, PassiveTotal will dynamically tag the entity with a Flashpoint tag and display Flashpoint intelligence data within a tab in the platform, allowing easy access to the data with no need to leave PassiveTotal.
Flashpoint's integration into PassiveTotal ensures that researchers can glean new insight into infrastructure threats, enabling them to make decisions more rapidly and respond to those threats with greater precision. We're pleased to bring this new level of insight into threat infrastructure analysis and plan on continuing to enrich PassiveTotal with the additional context provided by Flashpoint's expanding Deep & Dark Web data.
July 28, 2015
Your network security team just informed you they found malicious code on the network beaconing to 184.108.40.206. First thought: what other infrastructure might be related to the IP address? Naturally, if one data point is good then hundreds must be better. You notice the IP address is part of a larger class C address space (220.127.116.11/24), so you scan the entire subnet and wait for results. Just then, your co-worker comes by and tells you to block the whole 38478 autonomous system because it's known to be bad. Sounds great... No!
One common question we get at PassiveTotal is why we don't allow for subnet and AS searches. The reason is simple: we don't view them as strong enough data points when attempting to connect potentially unrelated infrastructure. Using the example introduced above, we will walk through the issues with relying on subnets and autonomous systems.
18.104.22.168 is part of a class C network, which means there are 254 other IP addresses in that allocation. Depending on the provider, it's possible that some related IP addresses sit in the same range, but there's no guarantee they are contiguous, nor is there a clear indication of when the addresses were allocated. Furthermore, looking at the autonomous system name, it appears the allocation is controlled by SunnyVision Limited, an Internet service provider located in Hong Kong. Does this ISP service businesses only? What about individual customers? Could our IP address of interest be in some closet in an apartment building?
July 21, 2015
One of the most effective methods for tracking threat actor-based attack campaigns is to take control of as much of their infrastructure as possible and remove their access to infected hosts before they can react. The process of a takeover can vary, but oftentimes registrars or hosting providers will give defenders (the good guys) the ability to re-route incoming traffic to a server they control in order to analyze the check-ins from compromised hosts. This particular practice is commonly known as sinkholing.
Sinkholes are an invaluable resource in threat infrastructure research. Not only do they help block existing attacks and allow for responsible victim notification, but they also provide a wealth of intelligence about the attackers' tools, tactics and procedures (TTPs). Unfortunately, they also serve as the perfect mechanism for grouping potentially unrelated traffic: once an operator points many seized domains at one sinkhole address, every host that resolves to that address looks connected, whichever campaign infected it. In order to retain sources, stay ahead of attackers and protect research, sinkhole operators will not always be forthcoming about their hosted infrastructure, so the analyst needs a body of knowledge in order to recognize a sinkhole when conducting research.
Within the PassiveTotal platform, we've compiled a sinkhole registry derived from public, private and community feedback. Using our global tags, we associate a sinkhole tag with any IP address that's found within our dataset. Our repository is not exhaustive, though, so we've put together a number of ways to potentially identify a sinkhole.
Check the IP
Depending on the operator, identifying a sinkhole could be as easy as viewing the content being served up on port 80. For example, 22.214.171.124 literally tells you it's a sinkhole when you browse to it. Note: when connecting to potentially malicious infrastructure, use a virtual machine to avoid infection and be aware of any monitoring on your network.
July 15, 2015
If you happened to see toythieves.com, what would you think? Before spending any time performing analysis on the domain, you might want to consider that it could be a dynamic DNS provider. In fact, toythieves happens to be associated with a larger dynamic DNS provider, ChangeIP.com. Visiting their page reveals not one, but hundreds of higher-level domains you can choose from to pair with a subdomain of your choice. The result: a free domain tied to your IP address with no set expiration time.
Dynamic DNS provides an alternative to the traditional process of managing DNS records for infrastructure that frequently changes IP addresses. Providers like ChangeIP aim to make it easy for inexperienced users to obtain a domain name at little to no cost in exchange for having to pick from a predefined list of higher-level domains like toythieves.com.
Over the past several years, cyber threat actors have started to adopt dynamic DNS infrastructure as one of their primary means of command and control. Aside from being free, dynamic DNS allows actors to quickly stand up and take down infrastructure at little cost to them and with limited overhead as compared with registering a domain through traditional means. The by-product of this process is that no WHOIS information is required, no useful time frame is easily observed, and the higher-level domain will always include a mix of unrelated infrastructure data from the provider's other users.
Knowing that a domain is or is not associated with a dynamic DNS provider can help an analyst identify valid avenues of research and also reduce the time it takes to assess if a given infrastructure is malicious. The PassiveTotal platform has an extensive repository of known dynamic DNS providers (over 4,000 unique domain names) and is constantly updating its collection via our user base and automated methods.
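To show how the "is this dynamic DNS?" check shapes a pivot, here is an added example (not PassiveTotal's own code): a small registry of dynamic DNS base domains and a function that tells an analyst whether a hostname is a provider base, a host under one, or an ordinary registered domain. Only toythieves.com comes from the post; the other base domain is a constructed placeholder.

```python
# Constructed registry of dynamic DNS base domains, standing in for a provider
# list such as the one PassiveTotal maintains (only toythieves.com is from the post).
DYNAMIC_DNS_BASES = {
    "toythieves.com",             # offered by ChangeIP, as described above
    "dyn.provider-example.test",  # hypothetical base with more than two labels
}


def dynamic_dns_base(hostname):
    """Return the dynamic DNS base domain that hostname sits under, or None.

    Suffixes are tried from the most specific downwards, so a multi-label
    base such as dyn.provider-example.test is matched before anything shorter.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DYNAMIC_DNS_BASES:
            return candidate
    return None


def assess(hostname):
    """Classify a name the way an analyst would before pivoting on it."""
    host = hostname.lower().rstrip(".")
    if host in DYNAMIC_DNS_BASES:
        # The provider's own base: thousands of unrelated users share it,
        # so passive DNS for it is a mix of everyone's infrastructure.
        return {"kind": "provider_base", "pivot": None}
    base = dynamic_dns_base(host)
    if base is None:
        return {"kind": "registered_domain", "pivot": host}
    # Only the full subdomain maps to one user's IP address; the base says
    # nothing about who set it up, and there is no WHOIS or expiry to key on.
    return {"kind": "dynamic_dns_host", "provider_base": base, "pivot": host}
```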
July 10, 2015
Over the past two weeks, we've managed to get some help and feedback from the community of PassiveTotal users. Steve and I wanted to do a quick acknowledgement of two new wrappers we have for our API and a command line tool. Thanks to everyone involved who helped, we really appreciate it!
PassiveTotal Ruby Gem
If you are a Ruby developer or are looking to integrate our code into an existing Ruby project, we now have a gem you can use. Chris Lee has kindly taken the time to produce the module and documentation, which you can find here. If you are looking for ideas on how to expand this, we would love a command line tool or a module in Metasploit!
PassiveTotal R Package
PassiveTotal data is a great resource for looking at data over time. Bob Rudis really extended the idea of analyzing our data and created a proper R package for anyone to use. In time, he plans to add more graphing capabilities to the module, so keep an eye on the development.
July 07, 2015
Is it possible to take a complex set of data points and distill them down into a set of simple color-coded tags? For several months, Steve and I pondered what made a good data tag and how tags could be used within our system. Viewing the data we have today, and our platform to do analysis, I think the answer is without a doubt yes: we can represent a lot of complexity in a single data tag. In order to understand how we got to where we are today, it's best to review some of the lessons we have learned along the way.
Social analysis missteps
The very first version of PassiveTotal was built largely around a social design. Queries were earned by classifying domains or IP addresses in agreement with the majority opinion of other analysts, and tags were considered a global value: when you tagged an item, anyone could see it. For some users this was great; for others, not so much. The lesson we learned from the social model was that people wanted privacy with the ability to share data, not the other way around.
In our current version of PassiveTotal, instead of making all details social, we give each user the ability to classify or data-tag items without exposing them to the rest of the community, while still providing a community classification aspect around the sinkhole, dynamic DNS and ever-compromised fields. These classifications are globally gated, meaning a certain threshold of users need to agree on a value before it's pushed live to the rest of the community.
June 30, 2015
Threat research and incident response can be a lot like diving into a rabbit hole; some days it's easy to start with one lead and quickly identify ten more that each take up hours of research time. The constantly evolving landscape forces analysts to bounce from one intrusion to the next, digging in deep for several weeks or sometimes just a few hours, then moving on to the next fire in an attempt to stay ahead of the attackers. In this type of rapidly changing threat environment, it can often be hard to remember critical pieces of information associated with a specific threat group you were researching six months ago, or even six days ago.
In an attempt to address this gap, Brandon and I have come up with "analyst assist" - threat infrastructure analysis signatures, which can be deployed inside of your PassiveTotal enterprise account. These signatures, based on regular expressions, allow an analyst to automate certain functions within the platform by picking specific fields to inspect while performing research. Using analyst assist, users can classify, alert, or tag entities based on a continually expanding set of fields. For the release of this feature, we have included networks, AS name, domains, and multiple parts of WHOIS and SSL certificate records as fields users can write signatures against. Below we outline a few examples of how we currently use these signatures in our own research.
WHOIS data can be a great resource for finding new or existing domains registered by intrusion sets with poor operational security. Using signatures deployed through analyst assist and the parsed WHOIS data provided by our partner, DomainTools, users can quickly triage and automate the discovery and tagging of domains by keying in on specific details like the registrant email or the registrant name. For example, the signature below will automatically tag any domain with Malicious_Registrant if it was registered using the email address 46313@qq[.]com. Simply viewing the domain will cause the tag to appear automatically, informing the user of the finding.
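As an added example (not the platform's own signature format), the following implements the idea behind analyst assist: regular-expression signatures bound to a parsed field, each carrying a tag, classify or alert action, run against a constructed parsed-WHOIS record. The registrant-email rule uses the address from the post; the registrant-name rule, the field paths and the record itself are constructed.

```python
import re
from dataclasses import dataclass
@dataclass
class Signature:
    """A regular-expression rule over one field of an entity (hypothetical format)."""
    name: str
    field_path: str   # dotted path into the parsed record, e.g. "whois.registrant_email"
    pattern: str      # regular expression tested against that field
    action: str       # "tag", "classify" or "alert"
    value: str        # tag name, classification, or alert text

    def __post_init__(self):
        self.regex = re.compile(self.pattern, re.IGNORECASE)

def lookup(record, dotted):
    """Follow a dotted path such as 'whois.registrant_email' through nested dicts."""
    node = record
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None   # field absent: the signature simply does not fire
        node = node[part]
    return node

def apply_signatures(record, signatures):
    """Run every signature against the record and collect the actions that fired."""
    result = {"tags": set(), "classification": None, "alerts": []}
    for sig in signatures:
        value = lookup(record, sig.field_path)
        if value is None or not sig.regex.search(str(value)):
            continue
        if sig.action == "tag":
            result["tags"].add(sig.value)
        elif sig.action == "classify":
            result["classification"] = sig.value
        elif sig.action == "alert":
            result["alerts"].append(f"{sig.name}: {sig.value}")
    return result

# The registrant-email rule from the post, plus a constructed registrant-name rule.
SIGNATURES = [
    Signature("qq-registrant", "whois.registrant_email", r"^46313@qq\.com$",
              "tag", "Malicious_Registrant"),
    Signature("known-persona", "whois.registrant_name", r"^constructed persona$",
              "classify", "malicious"),
]
# Constructed parsed-WHOIS record, shaped like what an analyst views for a domain.
SAMPLE_RECORD = {"domain": "example-c2.test",
                 "whois": {"registrant_email": "46313@qq.com", "registrant_name": "Constructed Persona"}}
```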
June 24, 2015
Steve and I love Slack. We use it for nearly everything in PassiveTotal from server monitoring alerts to source control reporting to daily chatting about new features or upcoming meetings. So, naturally, Slack is our go-to place to discuss threat-based research. When a new report comes out, we go over the findings, action any data inside the platform and carry on with business as usual. That works great, only there's one problem, why should we always need to leave the platform? Inspired by the great folks at Github, we've decided to put together a set of PassiveTotal Hubot scripts to work with our API.
The current implementation largely sticks to the present API capabilities, but we plan to add more as we identify more use cases. We see these sorts of integrations as small but really useful. Just last week, Palo Alto's Unit 42 released their Lotus Blossom report. One of the first things Steve asked me was if I had gone through and used our bulk upload service to handle all the indicators. Without leaving chat, I was able to quickly get the tags for a specific domain mentioned in the report, grab some metadata for an IP address, and then get a snippet of passive data.
Interested in using the PassiveTotal bot in your own channels? You can check out our source code (which includes other helper libraries) in the passivetotal_tools account, or you can head over to npm to grab the CoffeeScript. If you are new to the whole bot-based process in Slack, we recommend you check out their great documentation here, as there are a few steps that require you to access your Slack account. We've tried to make the bot flexible in the commands it can process, but if you have more ideas, feel free to fork and submit pull requests back!
Looking for more Hubot scripts to aid in your research? Check these out.
June 18, 2015
PassiveTotal strives to simplify threat infrastructure analysis, reduce analyst assessment time, and provide relevant information to assist in analysis, no matter how you access our data set. Brandon and I realize that a significant amount of our user base conducts threat infrastructure analysis using Paterva's graph-based analysis tool, Maltego. Maltego assists analysts in visualizing threat infrastructure through link/node connections and allows multiple data sources to be combined into a single interactive graph. This tool can be especially helpful when analyzing a complex infrastructure, as it visually aids analysts in connecting disparate data sets.
With the above goals in mind, today we release a new set of transforms to go along with our new API via our partner, Malformity Labs. These transforms are available through the Paterva hub and should work on both community and enterprise versions of Maltego.
Within our updated transform set, users have the same data access as is available in our API, but with some extra benefits, such as transforms to identify SSL certificates. These filters allow analysts to target their transform queries and avoid unnecessarily cluttering their Maltego graph with data that is not relevant to their investigation.
Finally, we've now included the ability for analysts to push data back into PassiveTotal directly from their Maltego chart without opening a browser. Analysts can persist classifications and tag values on any domain or IP address simply by running the appropriate transform. Brandon and I consider the feedback loop to be one of the biggest values of PassiveTotal, as it builds a repository of analysis that continues to show up alongside new research efforts.