In this exercise you will learn how to extract clues and investigate a threat actor or threat agent using information from an email. You have been given a compromised device. During your investigation, you isolated an email address as the source of the compromise. You are tasked with investigating the email address to gain more information about the threat actor.
Using your credentials, log in to passivetotal.org. In the discovery window, search for firstname.lastname@example.org. You can now see all the domains that have been associated with the threat actor, email@example.com. Notice that the red rows alert you to RiskIQ-confirmed malicious search results.
Now let’s pivot off the first list of domains. Right-click the first entry, wada-arna.org, and open it in a new tab. Looking at the results, we see that the IP address 220.127.116.11 has been identified as suspicious. Note that IP addresses are only ever marked as suspicious, not malicious, because a single IP address can be associated with many domains over time, so an IP match on its own is weaker evidence than a domain match.
Now let’s examine the open source intelligence by clicking the OSINT tab; you will see many results from different sources. Filter the results to show only the source ThreatConnect, then click the link for the ThreatConnect entry. We can now see the open source intelligence linking this domain, wada-arna.org, to Fancy Bear, a Russian threat actor. Read the article to get more information about this threat actor.
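The pivot chain the exercise walks through (email to registered domains, domain to resolving IPs, IP back to co-hosted domains, domain to OSINT attribution) can be modelled offline. The following is an added example, not PassiveTotal code or output: the WHOIS, passive-DNS and OSINT records are constructed sample data, the registrant email `registrant@example.org` and the `.example` domains are placeholders, and only `wada-arna.org` and the Fancy Bear attribution come from the exercise above. The point it adds is the confidence rule from the text: a domain tied to the registrant email inherits the malicious classification, while an IP is only ever "suspicious", so co-tenants on that IP are reported separately and not attributed to the actor.

```python
"""Offline model of the email -> domain -> IP -> OSINT pivot.

All records are constructed sample data (assumption), not PassiveTotal output.
"""

# Constructed WHOIS-style records: registrant email -> registered domain.
WHOIS_RECORDS = [
    {"domain": "wada-arna.org", "registrant_email": "registrant@example.org"},  # named in the exercise
    {"domain": "lookalike-one.example", "registrant_email": "registrant@example.org"},
    {"domain": "unrelated.example", "registrant_email": "someone-else@example.net"},
]

# Constructed passive-DNS resolutions: one IP is shared by an innocent co-tenant.
PDNS_RECORDS = [
    {"domain": "wada-arna.org", "ip": "203.0.113.10"},
    {"domain": "lookalike-one.example", "ip": "203.0.113.10"},
    {"domain": "shared-host-tenant.example", "ip": "203.0.113.10"},
    {"domain": "unrelated.example", "ip": "198.51.100.7"},
]

# Constructed OSINT tags in the shape of the ThreatConnect link from the exercise.
OSINT_TAGS = {
    "wada-arna.org": [{"source": "ThreatConnect", "actor": "Fancy Bear"}],
}

# Constructed stand-in for the "red rows": domains confirmed malicious.
MALICIOUS_DOMAINS = {"wada-arna.org", "lookalike-one.example"}


def domains_for_email(email):
    """First pivot: every domain registered with the given email."""
    return sorted(r["domain"] for r in WHOIS_RECORDS if r["registrant_email"] == email)


def ips_for_domain(domain):
    """Second pivot: every IP the domain has resolved to."""
    return sorted({r["ip"] for r in PDNS_RECORDS if r["domain"] == domain})


def domains_for_ip(ip):
    """Reverse pivot: every domain that has resolved to the IP."""
    return sorted({r["domain"] for r in PDNS_RECORDS if r["ip"] == ip})


def osint_for_domain(domain, source=None):
    """OSINT tab: tags for the domain, optionally filtered to one source."""
    tags = OSINT_TAGS.get(domain, [])
    if source is not None:
        tags = [t for t in tags if t["source"] == source]
    return tags


def investigate(email):
    """Walk the pivots and return a report that keeps confidence levels apart."""
    actor_domains = domains_for_email(email)
    report = {"email": email, "domains": {}, "ips": {}}
    for domain in actor_domains:
        ips = ips_for_domain(domain)
        report["domains"][domain] = {
            "classification": "malicious" if domain in MALICIOUS_DOMAINS else "unknown",
            "ips": ips,
            "actors": sorted({t["actor"] for t in osint_for_domain(domain)}),
        }
        for ip in ips:
            co_tenants = domains_for_ip(ip)
            # An IP hosts many domains over time, so it is only ever "suspicious";
            # co-tenants not tied to the email are listed, not attributed.
            report["ips"][ip] = {
                "classification": "suspicious",
                "co_hosted_domains": co_tenants,
                "unattributed_co_tenants": [d for d in co_tenants if d not in actor_domains],
            }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(investigate("registrant@example.org"), indent=2))
```

Running the block prints the report for the constructed registrant: two malicious domains, one of them attributed to Fancy Bear via the ThreatConnect tag, and one suspicious IP whose third co-tenant is listed as unattributed rather than folded into the actor's infrastructure.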
We hope you enjoyed this video on how to investigate an email address to get more information about a threat actor. If you want to learn more about the products that RiskIQ sells, visit us on the web at www.riskiq.com. For sales inquiries, you can call us at 1-888-415-4447 or email us at firstname.lastname@example.org.