Case Study
Civil society groups such as journalists, humanitarians, and activists face the same level of threat from targeted digital espionage as major companies and governments but have fewer resources to defend themselves. The Citizen Lab, an interdisciplinary research group based at the Munk School of Global Affairs, University of Toronto, is their guardian.
The Citizen Lab researches the intersection of information security, human rights, and global affairs. A core part of their mission is investigating the prevalence and impact of digital espionage operations against civil society groups and providing communities with information that they can use to raise awareness and improve their defenses.
Often, threat actors that target civil society groups also go after well-resourced governments and businesses and are equipped accordingly. But their civil society victims are usually limited in their capacity to identify and mitigate threats, even when the consequences can mean imprisonment or physical harm.
When the Citizen Lab begins an investigation, its targets are often already at serious risk, and in many cases besieged by threat actors working for the governments under which they live. Without these researchers, people like the renowned UAE human rights defender Ahmed Mansoor, whose iPhone was attacked with a remote jailbreak built from a chain of zero-day exploits, or the Latin American journalists targeted by an extensive phishing campaign linked to malware and fake news sites, would have little or no recourse.
RiskIQ PassiveTotal® helps the Citizen Lab enrich its investigations of targeted espionage operations by mapping their infrastructure and monitoring how it changes over time. One of the first steps Citizen Lab researchers take when examining a new sample of malware or phishing is quickly looking for related infrastructure inside PassiveTotal’s web interface and Maltego Transforms, which can provide unmatched insight into the behavior of the threat actors they’re tracking.
Infrastructure tracking enriched by PassiveTotal also shows researchers how a threat actor's tactics change over time. For example, when a domain or IP address previously observed as malware command and control infrastructure later resolves to, or co-hosts, phishing pages, that reuse indicates a shift from targeted malware campaigns toward conventional credential phishing. Intelligence of this kind lets the Citizen Lab recommend defensive measures matched to the new tactic, such as enabling two-factor authentication and avoiding sending and receiving file attachments by email.
Analysts at the Citizen Lab have been using PassiveTotal in investigations since the very first beta of the platform in 2014. Tools like PassiveTotal help us punch above our weight. Its ease of use and ongoing evolution of its features make it an excellent tool for our research, and a benchmark that we compare other options against.
With PassiveTotal, the Citizen Lab linked the intrusion attempt on Ahmed Mansoor to infrastructure operated by NSO Group, a vendor of commercial spyware for governments. The investigation led to Apple releasing an out-of-band patch for iOS, as well as international media coverage of how some commercial surveillance products sold exclusively to governments are being used against civil society.
In the case of phishing emails targeting Latin American journalists, the researchers used PassiveTotal to connect the phishing infrastructure to both malware command and control servers, and to a pattern of fake news websites. This information helped them identify a threat actor and actively monitor its behavior.
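The pivot described above, in which a phishing domain is connected to malware command and control servers through shared hosting history, can be illustrated with a small passive-DNS pivot. The following is an added example, not code from the Citizen Lab or from PassiveTotal, and it does not call the PassiveTotal API: the resolution records, domain names, IP addresses and dates are all constructed for illustration, and the threshold for treating an IP as shared hosting is an assumed value. It shows the two checks a researcher would want: whether the phishing domain co-hosts with a known C2 domain, and whether the C2 use preceded the phishing use (repurposed infrastructure rather than coincidental overlap).

```python
"""Passive-DNS pivot from a phishing domain to known C2 infrastructure.

Constructed example: records, names, IPs and dates are hypothetical and do
not come from PassiveTotal or any real investigation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    first_seen: str  # ISO date; string order equals date order
    last_seen: str


# Constructed passive-DNS history. 203.0.113.10 was used by the C2 domain
# first and later by a phishing page and a fake news site; 198.51.100.7 is
# a crowded shared host that produces noise rather than signal.
RECORDS = [
    Resolution("login-secure-mail.example", "203.0.113.10", "2016-05-01", "2016-06-30"),
    Resolution("update.c2-hypothetical.example", "203.0.113.10", "2015-11-02", "2016-03-15"),
    Resolution("news-daily-hypothetical.example", "203.0.113.10", "2016-04-10", "2016-06-30"),
    Resolution("login-secure-mail.example", "198.51.100.7", "2016-06-01", "2016-06-30"),
    Resolution("shared-host-a.example", "198.51.100.7", "2014-01-01", "2016-06-30"),
] + [
    # Simulated unrelated tenants on the shared host (constructed).
    Resolution(f"tenant{i}.example", "198.51.100.7", "2015-01-01", "2016-06-30")
    for i in range(25)
]

# Hypothetical indicator set from an earlier malware investigation.
KNOWN_C2 = {"update.c2-hypothetical.example"}


def build_indexes(records):
    """Index resolutions both ways so we can pivot domain -> IP -> domain."""
    by_domain, by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        by_domain[r.domain].add(r.ip)
        by_ip[r.ip].add(r.domain)
    return by_domain, by_ip


def pivot(seed, records, max_domains_per_ip=20):
    """Return (co-hosted domains -> shared IPs, IPs skipped as shared hosting).

    max_domains_per_ip is an assumed threshold: an IP that hosts that many
    other domains is treated as shared hosting or a CDN and not pivoted on,
    because everything co-hosted there would be a false link.
    """
    by_domain, by_ip = build_indexes(records)
    related, skipped = {}, []
    for ip in sorted(by_domain.get(seed, ())):
        cohosted = by_ip[ip] - {seed}
        if len(cohosted) >= max_domains_per_ip:
            skipped.append(ip)
            continue
        for d in cohosted:
            related.setdefault(d, set()).add(ip)
    return related, skipped


def c2_overlap(seed, records, known_c2, **kw):
    """Domains reachable by one pivot from seed that are already known C2."""
    related, skipped = pivot(seed, records, **kw)
    return {d: ips for d, ips in related.items() if d in known_c2}, skipped


def repurposed(seed, c2_domain, ip, records):
    """True if C2 use of ip ended before the seed's phishing use of ip began,
    which is the pattern of infrastructure being reused for a new tactic."""
    c2_last = max(r.last_seen for r in records if r.domain == c2_domain and r.ip == ip)
    seed_first = min(r.first_seen for r in records if r.domain == seed and r.ip == ip)
    return c2_last < seed_first


if __name__ == "__main__":
    hits, noise = c2_overlap("login-secure-mail.example", RECORDS, KNOWN_C2)
    for c2, ips in hits.items():
        for ip in sorted(ips):
            when = "after" if repurposed("login-secure-mail.example", c2, ip, RECORDS) else "alongside"
            print(f"{c2} shared {ip} with the phishing domain; phishing use came {when} C2 use")
    print("skipped as shared hosting:", noise)
```

The threshold step matters more than it looks: without it the crowded host 198.51.100.7 would link the phishing domain to dozens of unrelated tenants, and a naive pivot would report every one of them as "related infrastructure". The temporal check is what turns a shared IP into evidence of a tactical shift rather than a coincidence.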
“We encourage all companies working with threat intelligence to think about ways they can help protect those fighting for human rights. Whether it’s donating licenses, empowering staff to volunteer, or just keeping an open mind about pro-bono initiatives, you’ll be helping keep democracy alive.” – John Scott-Railton, Senior Researcher, the Citizen Lab
Visit the Citizen Lab’s blog post for more about how their researchers use PassiveTotal to enrich the analysis of targeted threats against civil society, including images and links to their public projects.