SSL Certificates

SSL certificates are cryptographically generated files used to provide an encrypted channel between a client and a server. Delegated authorities are in charge of validating organization details, issuing certificates and maintaining the health of the certificates they have issued. SSL certificates are most often associated with publicly facing websites and, for those sites to function, need to be served from a routable internet address.

Beyond securing your data, certificates are a great way for analysts to connect disparate malicious network infrastructure by identifying overlapping usage of IP addresses. Actors often reuse the same certificate across multiple attack campaigns to encrypt command-and-control communication or to make a malicious website look legitimate.

What to Look For

  • Identifies additional infrastructure based on a shared certificate or infrastructure that was used to host the certificate
  • May identify connections where WHOIS or DNS data come up with nothing
  • Data within the certificate may overlap with other certificates revealing more infrastructure

Questions to Ask

  1. Is the SSL certificate valid (i.e. not expired, not self-signed) and issued by a reputable provider?
  2. Does the SSL certificate belong to a content provider or content distribution network?
  3. Does any of the user-supplied data in the certificate appear unique?
  4. Do any of the details in the certificate reveal any WHOIS or passive DNS leads?
  5. Has the certificate been hosted on more than one IP address or has it been moved from or shared between multiple servers?
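One way an analyst might apply these questions to a passive SSL data set, added here as an example (not code from the original page); the sightings, IP addresses, fingerprints and the CDN issuer list are all constructed for illustration:

```python
from collections import defaultdict
from datetime import date
# Constructed sample sightings (TEST-NET IPs, reserved example domains, made-up
# fingerprints): one record per (IP, certificate) pairing, as passive SSL data reports it.
SIGHTINGS = [
    {"ip": "198.51.100.10", "sha1": "a1" * 20,
     "subject": {"CN": "login.example.net", "O": "Northwind Hosting"},
     "issuer": {"CN": "login.example.net", "O": "Northwind Hosting"},
     "not_before": date(2023, 1, 1), "not_after": date(2024, 1, 1)},
    {"ip": "203.0.113.25", "sha1": "a1" * 20,  # same certificate moved to a second host
     "subject": {"CN": "login.example.net", "O": "Northwind Hosting"},
     "issuer": {"CN": "login.example.net", "O": "Northwind Hosting"},
     "not_before": date(2023, 1, 1), "not_after": date(2024, 1, 1)},
    {"ip": "203.0.113.80", "sha1": "b2" * 20,  # different certificate, same O field
     "subject": {"CN": "files.example.org", "O": "Northwind Hosting"},
     "issuer": {"CN": "Example Public CA", "O": "Example Public CA Ltd"},
     "not_before": date(2023, 6, 1), "not_after": date(2025, 6, 1)},
    {"ip": "192.0.2.5", "sha1": "c3" * 20,  # CDN-issued: shared field is not a pivot
     "subject": {"CN": "www.example.com", "O": "Northwind Hosting"},
     "issuer": {"CN": "Example CDN CA", "O": "Example CDN Inc"},
     "not_before": date(2024, 1, 1), "not_after": date(2025, 1, 1)},
]
CDN_ISSUER_ORGS = {"Example CDN Inc"}  # constructed; maintain a curated list in practice

def is_self_signed(cert):
    return cert["subject"] == cert["issuer"]  # question 1

def is_valid_on(cert, day):
    return cert["not_before"] <= day <= cert["not_after"]  # question 1

def is_cdn_issued(cert):
    return cert["issuer"].get("O") in CDN_ISSUER_ORGS  # question 2

def hosts_by_certificate(sightings):
    """Question 5: fingerprints observed on more than one IP, with those IPs."""
    hosts = defaultdict(set)
    for s in sightings:
        hosts[s["sha1"]].add(s["ip"])
    return {fp: sorted(ips) for fp, ips in hosts.items() if len(ips) > 1}

def overlapping_subject_fields(sightings, fields=("O", "CN")):
    """Questions 3 and 4: user-supplied subject values shared by distinct certificates.
    CDN-issued certificates are skipped: their fields link unrelated tenants."""
    index = defaultdict(set)
    for s in sightings:
        if not is_cdn_issued(s):
            for f in fields:
                if f in s["subject"]:
                    index[(f, s["subject"][f])].add(s["sha1"])
    return {k: sorted(v) for k, v in index.items() if len(v) > 1}
```

Each hit from `hosts_by_certificate` or `overlapping_subject_fields` is a lead to check against WHOIS and passive DNS, not a confirmed link on its own.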