External Threat Management Analyst

Threat Hunting in a Post-WHOIS World

A recent Interisle Consulting Group research report, WHOIS Contact Data Availability, and Registrant Classification Study, finds that more than half of the top-level-domains under ICANN's remit are now controlled by unidentifiable parties. According to the report, "ICANN's policy has allowed registrars and registry operators to hide much more contact data than is required by the GDPR-perhaps five times as much..." 

Regardless of whether contact data is ultimately needed to maintain a secure and interoperable Internet, it is now more important than ever to leverage available threat intelligence to combat harmful cyber activity. Traditionally, WHOIS has told analysts who owns a domain. Threat hunters used to be able to use this information to pivot on names, addresses, and phone numbers to find other domains registered to the same owner. For the most part, GDPR broke that.

With WHOIS becoming significantly less useful to build out threat investigations, threat analysts must rely more frequently on other internet data sets as part of their digital tool belt. RiskIQ has made it a core part of our business to collect and correlate as much relevant Internet data as possible to supercharge threat investigations—data that's become even more valuable to analysts since the advent of the GDPR. 

Currently, our Internet Intelligence Graph, which has mapped the billions of relationships among internet components, contains eleven data sets beyond WHOIS information, including passive DNS, SSL certificates, hosts and subdomains, OSINT, host pairs, and trackers. These data sets often surface more information or connections that would have otherwise gone unnoticed and could hold the key to blowing open an investigation.

How does this work? 

Doing any work—good or bad—on the Internet results in "signals," pieces of information generated from performing any action over the wire. Analysts can use these signals to find relevant connections in threat infrastructure. RiskIQ strives to support analysts by removing the "noise" from these signals for highly contextualized and actionable threat intelligence. 

For example, in the above image, we define the starting point of the investigation as malware that's been seen in the wild. We identify an IP address within that malware and an SSL Certificate used to encrypt command and control traffic. That certificate includes a domain for which it was issued and an IP address that hosts it. Finally, that IP address has another domain connected to it via passive DNS with a unique tracking script. Because RiskIQ analyzes the code within every host it observes, an analyst can quickly surface that the same unique cookie is embedded within the host that the threat actor used in a related campaign. 

Below, we'll walk through another example in RiskIQ PassiveTotal. 

SSL Certs as a WHOIS Proxy

For many analysts, WHOIS information has been a critical element in their investigation. Still, security teams who subscribe to using more data sets know the value of forming chains using the technique described above and can make meaningful connections that can help you draw the same as, or even better, conclusions than WHOIS. SSL certs can be a useful substitute for WHOIS. 

An SSL certificate’s facets, common name, organization name, serial number, and SHA1 can help determine the same type of relationship and enable linking domains and IP addresses the same way WHOIS did in the past.

Using SSL certificates can allow a domain or IP address to be infrastructure chained to other IPs and domains. Here are the steps:

1. Examining the WHOIS information on the domain cms[.]letzplayagame[.]com inside of PassiveTotal: 

There is no information on which to pivot that an analyst can use to search for other domains owned by the same individual or organization.

However, the ‘Analyst Insights’ tab at the top of the screen shows this domain has been blacklisted. CrowdStrike has identified that it’s related to RAT and CobaltStrike criminal activity. By examining the IP addresses, we can find the associated SSL certificates and see if they correlate to other domains and IP addresses.

2. Clicking on the resolutions tab, you can see two IP addresses associated with this domain:

3. Clicking on the IP address 102[.]129[.]224[.]148, we see two SSL certificates associated with the IP address and domain name: 

Now, we click on Facet Organization Name, “Asphyxiation Server.”  

According to Digicert best practices a “Common Name" is the fully qualified domain name used for DNS lookups of your server (such as www.mydomain.com). Browsers use this information to identify your website. The Organization Name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which your organization is registered. Do not abbreviate or use any of these symbols:! @ # $ % ^ * ( ) ~ ? > < / \.

4. We pivot on our SSL certificate data set, and a total of four SSL certificates are listed with the same organization name, "Asphyxiation Service." Next, we expand the second SSL certificate:

We see two IP addresses, and, associated with the certificate and a different common name, taintakoo[.]com. The IP address is associated with four additional domains. CrowdStrike reports that the IP address is related to RAT and Cobalt Strike criminal activity:

We see a similar naming convention with letzplayagame[.]com subdomain of cms[.]tanitakoo[.]com. Clicking on the certificates tab, we see five SSL certificates listed:

Examining the certificate reveals two new domains associates with this IP address:

streamer[.]local, s10[.]wisp[.]cat.

As we can see, with the adoption of GDPR and the loss of infrastructure chaining with WHOIS data facets, SSL certificates can be an alternative to determine relationships and chain-related infrastructure together.

More Relevant Data, Better Investigations

More comprehensive and relevant data ultimately results in more relevant connections by surfacing relevant artifacts for validation. Our security SaaS platform taps into its global Internet Intelligence graph, and our global sensor network continuously extracts, analyzes, and assembles Internet data to define its identity and composition. These systems fingerprint each component, connection, service, IP-connected device, and other infrastructure to understand how threat actors fit within it, leaving even advanced, well-funded APTs nowhere to hide.  

These data sets can make embedded-code level connections across the Internet, starting from a single artifact connected to the global Internet’s infrastructure. It’s comforting to know that security analysts are in a position to mitigate the harm of deprecated WHOIS contact information through RiskIQ's platform to prevent, detect and respond to cyberthreats.

Join the RiskIQ Community and Supercharge your Investigations

For more than a decade, RiskIQ has been crawling and absorbing the Internet to enable customers to enable defenders to protect their organizations and accelerate their investigations. Last August, RiskIQ enhanced these capabilities, announcing its new Threat Intelligence Portal with a feed of OSINT articles dynamically linked to its core and derived data sets powered by RiskIQ Labs for actionable, contextualized threat intelligence in near real-time.

For those with a legitimate need to leverage threat intelligence to protect your attack surface, we invite you to join RiskIQ's community to get started. If you need direct, high-volume access to RiskIQ's observation-based platform to quickly identify and unmask threat markers and indicators at-scale across the Internet, check out RiskIQ's URL Security Intelligence

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor