Organizations around the world use PassiveTotal daily to drive investigations of cyber security incidents. By leveraging the relationships between the highly connected data collected by RiskIQ inside the PassiveTotal platform—pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each indicator of compromise (IOC)—analysts are well equipped to defend their organizations from a growing array of digital threats.
For many organizations, PassiveTotal replaces a manual, highly segmented workflow composed of a cocktail of different tools. Rackspace, a recognized leader in managed cloud services with customers in 150 countries, is no different, deploying RiskIQ PassiveTotal to improve its ability to find, analyze, preempt, and respond to cyber threats beyond the firewall. Initially, Rackspace found it cumbersome and inefficient to obtain and use different sources of internet data sets, such as WHOIS, Passive DNS, and IP blacklists, to research exploits and possible hacking threats. PassiveTotal unifies all of these data sets, continuously collecting, correlating, classifying, and monitoring the data, giving analysts a single view and alleviating the need to visit or subscribe to multiple tools and data feeds.
PassiveTotal data, which 84% of surveyed RiskIQ customers said was more comprehensive than other sources, also provides unique data sets derived from data captured during RiskIQ virtual user crawling sessions. These include trackers, hashes, and host pairs, which are generated when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites. Host pairs played a significant role in investigating and confirming an attack on the Polish banking system earlier this year.
Using PassiveTotal, Rackspace began saving time on each investigation, joining a growing list of RiskIQ users who are becoming more agile and time-efficient in their investigations. The customer survey by RiskIQ also revealed that every respondent saved at least 1-3 hours a week on cyber threat investigations. Rackspace saves even more time by using PassiveTotal projects and monitors, which proactively alert its cyber security teams to changes in DNS and domain resolution, WHOIS registration, and the appearance of new keywords of interest. PassiveTotal projects can also quickly organize and group related cyber threat infrastructure components found during investigations.
Given its success with PassiveTotal, Rackspace plans to further leverage the platform’s API to automate data analysis and enrich indicators of compromise with external context within its own applications, and it anticipates expanding its use of RiskIQ’s product line. This will enable its cyber security teams to manage their digital attack surface, remediate vulnerabilities, detect external threats like phishing, domain infringement, and brand abuse, and mitigate them with the speed and efficiency that only RiskIQ can deliver.