What is threat infrastructure analysis? Understand the process and methodology that powers PassiveTotal. Save time and boost your analysis!
Threat Infrastructure Analysis is a research process that brings context to incidents and attack campaigns by identifying related entities through multiple datasets. Data sources like active/passive DNS, WHOIS, SSL certificates and other page-content attributes allow analysts to link together disparate resources to understand the full scale of an attack.
PassiveTotal adopts this research process and collects all the necessary data into a single platform, so analysts can spend their time on threats to their organizations rather than on data collection and processing. Incorporating Threat Infrastructure Analysis into PassiveTotal brings real-world value to the analyst and lets smaller teams do more with less.
By bringing data sourcing and enrichment into one format, PassiveTotal saves analysts an average of 20 minutes per indicator analysis. With PassiveTotal Enterprise, analysts can also collaborate seamlessly with each other to further reduce analysis time and instantly turn their research into actionable guidance for others on the team.
How does PassiveTotal enable more powerful threat infrastructure analysis? Take a look at how you can use PassiveTotal to investigate a suspicious domain on your network through one-click pivoting and by asking the right questions about the results.
To understand how you might investigate a threat, check out the scenario below.
Network administrators have uncovered a suspicious HTTP traffic pattern egressing the corporate network. Connections are being made to www.trendmicro-update.org and you are tasked with identifying more details for a larger investigation. Operating under the assumption that we know nothing about this domain, let’s see what we can find using PassiveTotal.
Searching for the domain inside PassiveTotal reveals a lot of activity. Results are split up into different sections with the left being summary-based data and the right being more detailed information.
By aggregating over 12 different sources of DNS data, PassiveTotal can provide a comprehensive picture of the domain's activity. Using the summary pane on the left, we can see that the domain has been active for nearly two years and has over 500 DNS records associated with it. Additionally, community-driven features tell us that the domain has not been flagged as compromised and is not a dynamic DNS provider.
To simplify analysis and surface infrastructure patterns, PassiveTotal has developed a heatmap visual that plots the last 6 months of DNS data and includes relevant features. Without looking at the detailed data, it’s possible for an analyst to come to several conclusions about this domain.
Available for free to all users is the latest WHOIS record for the domain. Instead of displaying each section, PassiveTotal uses a custom process to merge the record down and highlight the unique data within the record. Each field within the record becomes a pivot point to find other domains that may also share some of the same WHOIS data.
Located below the heatmap is a table of derived DNS results that were collected from multiple sources located all over the world. When collecting results, PassiveTotal merges overlapping records and enriches all of the data with features an analyst would need to further understand the infrastructure.
From the heatmap, it’s clear that something interesting occurred on May 20th where the domain went from non-routable to routable. Hovering over the map reveals the IP address of “22.214.171.124”. Simply clicking this IP inside the DNS results causes a pivot over to a new data point for our investigation.
Similar to our previous view, we can identify all the domains associated with the IP address and apply the same questions we asked of the first domain to each of them.
Much like WHOIS records, SSL certificates provide a unique way of discovering potentially related infrastructure. PassiveTotal not only displays the current SSL certificate associated with an IP address in a pivotable format, but has also built a history of certificate associations spanning several years.
What’s important to take away from this example is how quickly an analyst can focus their research on a domain that is otherwise unknown to them. Simply running a search, making a couple calculated clicks and noting conclusions could reveal a much larger threat than anticipated. For more details on performing threat infrastructure analysis, check out our training materials and “Know Your Foe” series.
What are common analysis pitfalls? Threat infrastructure analysis is full of dead ends and wrong turns. In our “Know Your Foe” series, we outline common pitfalls for certain datasets.
PassiveTotal makes discovering connections among data sets easy, but as an analyst, it's not always clear what's actually malicious and what's not. To further complicate the process, some common mistakes can waste an analyst's time. The founders of PassiveTotal addressed many of these issues in a blog series titled "Know Your Foe", which covers the pitfalls of each data set in turn.
Your analysts are wasting too much time sifting through giant data dumps and disparate threat intelligence feeds. Your adversary is constantly shifting tactics to evade detection and analysts are struggling to keep up. PassiveTotal speeds up analysis by mapping attack infrastructure, freeing up analysts to focus on threats.
What is Passive DNS? Learn more about passive DNS, how it’s collected, why it’s useful for analysts and the right questions to ask when performing an investigation.
Passive DNS is a system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and its value to Internet users. One analogy for DNS is the contacts application on your mobile phone. Rather than remember your friend’s phone number, you simply assign the number to a contact name and use the name to place calls to that number.
DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.
For example, let's take passivetotal.org. At the time of writing, querying passivetotal.org returns the IP address 126.96.36.199. In DNS, this is known as an "A" record, one of many record types including, but not limited to, AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type serves a different purpose and, in principle, any of them can be stored in a passive DNS database.
Passive DNS is having a historical repository of DNS data for a portion of the Internet.
— PassiveTotal Co-Founder Brandon Dixon
To collect this DNS information, a sensor is typically installed on the local network and set up to receive DNS requests as they happen. The sensor will only record DNS traffic that occurs on the local network, and not for the entire Internet. However, programs such as RiskIQ’s DNSIQ allow organizations to install a sensor on their network that reports back to RiskIQ and in exchange, the organization gains access to all the passive DNS traffic inside the central repository.
So why do we need a database of DNS data? Doesn't DNS keep track of changes? Yes and no. DNS records can and will change often, but there's no centralized historical repository. Once a record is changed, the new value propagates as caches expire and the previous value is gone; nothing on the Internet keeps the old answer. Imagine you get a breach notification for your network. Listed in the notification is a domain name and a time period. The first logical question may be what IP address that domain was pointing to at the time of the breach, and whether any other domains were pointing there too. Without a historical repository, you wouldn't be able to know all the domains pointing to that IP address.
Storing this data in a database gives analysts insight into how a particular domain name changes over time and provides a way to identify related domains and IP addresses. In the breach notification example, an analyst could take the domain, search for it within passive DNS and identify the history of IP addresses it resolved to over time. Those IP addresses could then be queried to find more domains that may be related to the larger attack.
Historical repository of domains and IP addresses that could show overlap between values
Provides a method to get second order domains and IP addresses that may be related to your original query
Identifies subdomains associated with a particular query potentially revealing target details or more suspicious infrastructure
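To make the breach-notification walk-through concrete, here is an added example (not PassiveTotal's code) of a minimal passive DNS store in Python: raw sensor observations are merged into unique records with first/last-seen dates, then queried the way the text describes, from the domain to its IP history, from an IP back to every other name that used it, and down to subdomains. The observations, names and dates are constructed for the example; the IP addresses come from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass

# Constructed sensor observations: (name, rrtype, rdata, date observed).
# Invented for this example. Dates are ISO strings, which sort correctly as text.
OBSERVATIONS = [
    ("www.trendmicro-update.org", "A", "198.51.100.10", "2016-05-20"),
    ("www.trendmicro-update.org", "A", "198.51.100.10", "2016-06-02"),
    ("www.trendmicro-update.org", "A", "203.0.113.7", "2016-08-15"),
    ("cdn.trendmicro-update.org", "A", "198.51.100.10", "2016-05-21"),
    ("mail.example-ops.net", "A", "198.51.100.10", "2016-05-30"),
    ("login.example-ops.net", "A", "203.0.113.7", "2016-09-01"),
    ("unrelated.example", "A", "192.0.2.5", "2016-01-01"),
]


@dataclass
class Record:
    name: str
    rrtype: str
    rdata: str
    first_seen: str
    last_seen: str
    count: int = 1


def build_store(observations):
    """Merge raw observations into unique (name, rrtype, rdata) records.
    Collapsing repeats into first/last-seen windows is what turns a query log
    into a passive DNS repository."""
    store = {}
    for name, rrtype, rdata, seen in observations:
        key = (name.lower().rstrip("."), rrtype, rdata)
        rec = store.get(key)
        if rec is None:
            store[key] = Record(key[0], rrtype, rdata, seen, seen)
        else:
            rec.first_seen = min(rec.first_seen, seen)
            rec.last_seen = max(rec.last_seen, seen)
            rec.count += 1
    return store


def history(store, name):
    """Every record for a name, oldest first: what did it resolve to, and when?"""
    name = name.lower()
    return sorted((r for r in store.values() if r.name == name), key=lambda r: r.first_seen)


def summary(store, name):
    """Summary-pane style answer: (first seen, last seen, number of unique records)."""
    recs = history(store, name)
    if not recs:
        return None
    return min(r.first_seen for r in recs), max(r.last_seen for r in recs), len(recs)


def active_on(store, name, when):
    """Resolutions whose observation window covers `when` (the breach-date question)."""
    return [r for r in history(store, name) if r.first_seen <= when <= r.last_seen]


def pivot_ip(store, ip):
    """Every name ever observed resolving to ip: the 'what else pointed there?' pivot."""
    return sorted({r.name for r in store.values()
                   if r.rrtype in ("A", "AAAA") and r.rdata == ip})


def related_domains(store, name, when=None):
    """Second-order pivot: names sharing an IP with `name`. With `when`, only the IPs
    it was using on that date count, which keeps shared hosting noise down."""
    recs = active_on(store, name, when) if when else history(store, name)
    ips = {r.rdata for r in recs if r.rrtype in ("A", "AAAA")}
    related = set()
    for ip in ips:
        related.update(pivot_ip(store, ip))
    related.discard(name.lower())
    return sorted(related)


def subdomains(store, apex):
    """Names observed under an apex domain, whether or not anyone browsed to them."""
    apex = apex.lower()
    return sorted({r.name for r in store.values() if r.name.endswith("." + apex)})


if __name__ == "__main__":
    store = build_store(OBSERVATIONS)
    print(summary(store, "www.trendmicro-update.org"))
    print(related_domains(store, "www.trendmicro-update.org", when="2016-05-25"))
    print(related_domains(store, "www.trendmicro-update.org"))
```

The date-bounded `related_domains` call is the one to reach for first: pivoting on every IP a domain ever used drags in whatever else sat on shared hosting, while restricting the pivot to the breach window keeps the result set to infrastructure that overlapped in time.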
What is WHOIS? Learn more about WHOIS, why it’s useful for analysts and the right questions to ask when performing an investigation.
Thousands of times a day, domains are bought and/or transferred between individuals. This process is easy and only takes a few minutes and roughly $7 depending on the registrar provider. Beyond payment details, you must provide additional personal information, some of which gets stored as part of a WHOIS record once the domain has been setup.
WHOIS is a protocol that allows anyone to query for information about a domain, IP address, or subnet. One of the most common uses of WHOIS in threat infrastructure research is to identify or connect disparate entities based on unique data shared between WHOIS records. If you were reading carefully or have ever purchased a domain yourself, you may have noticed that the content requested by the registrar is not verified for accuracy (at most a contact e-mail address or phone number is confirmed to work). In fact, you could put almost anything in the record (and a lot of people do), and it would then be publicly available.
Each WHOIS record has a number of different sections, all of which could include different information. Commonly found sections include “registrar”, “registrant”, “administrator” and “technical” with each potentially corresponding to a different contact for the record. Often, this data is duplicated across sections, but in some cases, there may be slight discrepancies especially if someone entering the data made a mistake. When viewing WHOIS information within PassiveTotal, you will see a condensed record that de-duplicates any data and notates which part of the record it came from. This condensed record greatly speeds up the analyst workflow and avoids any overlooking of data.
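As an added example (not PassiveTotal's code), here is the condensing step described above done in Python: a raw WHOIS record is split into its contact sections, identical values are merged with a note of which sections carried them, fields where the sections disagree are surfaced, and the remaining values become pivot candidates. The record itself is constructed for the example; the registrant details and name servers are invented.

```python
import re

# Constructed WHOIS record (invented contact data; the domain is the one from the walk-through).
RAW_WHOIS = """\
Domain Name: TRENDMICRO-UPDATE.ORG
Registrar: Example Registrar, Inc.
Creation Date: 2014-06-01T00:00:00Z
Registrant Name: Jane Roe
Registrant Organization: Roe Holdings
Registrant Email: jane.roe@example.net
Registrant Phone: +1.5555550100
Admin Name: Jane Roe
Admin Email: jane.roe@example.net
Admin Phone: +1.5555550100
Tech Name: Jane Rowe
Tech Email: jane.roe@example.net
Tech Phone: +1.5555550100
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
"""

SECTIONS = ("Registrant", "Admin", "Tech")
LINE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")


def parse_whois(text):
    """Split a key: value WHOIS record into (flat fields, per-section contact dicts).
    Repeated keys such as Name Server accumulate into a list."""
    fields, sections = {}, {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        for sec in SECTIONS:
            if key.startswith(sec + " "):
                sections.setdefault(sec, {})[key[len(sec) + 1:]] = value
                break
        else:
            fields.setdefault(key, []).append(value)
    return fields, sections


def condense(sections):
    """Merge contact sections into field -> {value: [sections that carried it]}.
    One value with all three sections listed is the common case; two values is a
    discrepancy worth a second look."""
    merged = {}
    for sec, contact in sections.items():
        for field, value in contact.items():
            merged.setdefault(field, {}).setdefault(value, []).append(sec)
    return merged


def discrepancies(condensed):
    """Fields where the contact sections disagree (often a typo, sometimes a real second contact)."""
    return {field: values for field, values in condensed.items() if len(values) > 1}


def pivot_values(condensed, fields, noise=("privacy", "proxy", "redacted", "whoisguard")):
    """Distinct contact values plus name servers, minus privacy-service boilerplate that
    would pivot to thousands of unrelated domains."""
    pivots = {}
    for field, values in condensed.items():
        keep = sorted(v for v in values if not any(n in v.lower() for n in noise))
        if keep:
            pivots[field] = keep
    if "Name Server" in fields:
        pivots["Name Server"] = sorted(fields["Name Server"])
    return pivots


if __name__ == "__main__":
    fields, sections = parse_whois(RAW_WHOIS)
    condensed = condense(sections)
    print(condensed["Name"])
    print(discrepancies(condensed))
    print(pivot_values(condensed, fields))
```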
What can SSL certificates tell us about connections? See how SSL certificates can be used for better correlation, moving beyond just protecting your data in the browser.
When browsing the web, SSL certificates are everywhere. You may only see them as the small locks inside of your browser bar, but beyond securing your data, certificates are a great way for analysts to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, so we can easily associate a certificate to the IP address hosting it on a regular basis.
Much like a WHOIS record, an SSL certificate is built from user-supplied information. Apart from the domain name, which a certificate authority checks control of before issuing (a self-signed certificate checks nothing), the remaining fields can be whatever the requester types. As analysts, where we see the most value from SSL certificates is not necessarily in the unique data someone may use when generating the certificate, but where it's hosted.
To access an SSL certificate, it needs to be associated with a web server and exposed through a particular port (most often 443). Using mass Internet scans on a weekly basis, it’s possible to scan all IP addresses and obtain any certificate being hosted to build a historic repository of certificate data. Having a database of IP address to SSL certificate mappings provides analysts with a way to identify overlap in infrastructure.
To further illustrate this concept, imagine someone has set up a server with a self-signed SSL certificate. After several days, defenders become wise to their infrastructure and block the web server hosting malicious content. Instead of destroying all their hard work, the actor merely copies all the contents (including the SSL certificate and its private key) and places them on a new server. As an analyst, a connection can now be made using the certificate's SHA-1 fingerprint (a hash of its DER encoding, unchanged by the move) to say that both web servers (one blocked, one unknown) are connected in some way.
What makes SSL certificates more valuable is that they can make connections that passive DNS or WHOIS data may miss. This means more ways of correlating potential malicious infrastructure and identifying potential operational security failures. PassiveTotal has collected over 30 million certificates from 2013 until present day and provides analyst with the tools to make correlations on certificate content and history.
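As an added example (not PassiveTotal's code), the "certificate copied to a new server" scenario above in Python: compute the SHA-1 fingerprint the same way `openssl x509 -fingerprint -sha1` does, index periodic scan snapshots by fingerprint, and ask which other hosts presented the blocked server's certificate. The fingerprint routine is real; the byte strings standing in for DER-encoded certificates, the scan dates and the hosts are constructed for the example.

```python
import hashlib
import ssl


def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, colon-separated uppercase hex, matching openssl output."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))


def fingerprint_pem(pem):
    """Same fingerprint from a PEM string (stdlib conversion, no third-party parser needed)."""
    return sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


# Constructed stand-ins for DER certificates: only their identity matters here.
CERT_A = b"constructed DER bytes standing in for the actor's self-signed certificate"
CERT_B = b"constructed DER bytes standing in for an unrelated certificate"

# Constructed weekly scan snapshots: (scan date, ip, port, DER bytes presented).
SCANS = [
    ("2016-05-01", "198.51.100.10", 443, CERT_A),
    ("2016-05-08", "198.51.100.10", 443, CERT_A),
    ("2016-05-15", "203.0.113.7", 443, CERT_A),   # same cert turns up on a new host
    ("2016-05-15", "192.0.2.5", 8443, CERT_B),
]


def build_cert_index(scans):
    """fingerprint -> {"ip:port": (first_seen, last_seen)} built from scan snapshots."""
    index = {}
    for seen, ip, port, der in scans:
        host = f"{ip}:{port}"
        hosts = index.setdefault(sha1_fingerprint(der), {})
        first, last = hosts.get(host, (seen, seen))
        hosts[host] = (min(first, seen), max(last, seen))
    return index


def hosts_presenting(index, der):
    """Every host that has presented this exact certificate, with its observation window."""
    return dict(sorted(index.get(sha1_fingerprint(der), {}).items()))


def cert_moved_to(index, der, known_host):
    """Hosts other than known_host that presented its certificate, with first-seen dates:
    where did the blocked server's certificate go?"""
    hosts = index.get(sha1_fingerprint(der), {})
    return sorted((host, first) for host, (first, _last) in hosts.items() if host != known_host)


def reused_certificates(index):
    """Fingerprints observed on more than one host: candidates for infrastructure reuse."""
    return {fp: sorted(hosts) for fp, hosts in index.items() if len(hosts) > 1}


if __name__ == "__main__":
    index = build_cert_index(SCANS)
    print(sha1_fingerprint(CERT_A))
    print(cert_moved_to(index, CERT_A, "198.51.100.10:443"))
```

Two caveats when doing this with real data: a fingerprint match proves the same certificate file, not the same operator, so a widely shared default certificate (a hosting panel's or an appliance's) will match thousands of hosts, and a certificate that moves with the actor usually means the private key moved too, which is itself an operational security failure worth noting.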
How do analysts drive research? Learn more about classifications: how they capture what an analyst already knows, why that saves time, and how a team shares that knowledge during an investigation.
Ever find yourself coming across familiar looking infrastructure, but can’t remember where or why or when you saw it? More importantly, are you able to remember if it were good, bad or just a figment of your imagination? Yeah, we’ve been there too and that’s one of the primary reasons PassiveTotal included the ability for analysts to classify a domain or IP address within the platform.
When responding to incidents, client requests or what feels like a never-ending event queue, any time that can be saved is important. Classifications are an easy one-click solution that persists your knowledge, augments your future research and provides insight to others within your team. If you aren’t classifying your queries, maybe it’s time to take another look.
Now, you don’t need to remember if an indicator is malicious or not — just classify it. PassiveTotal allows users to classify a domain or IP address as malicious, suspicious, non-malicious or unknown. Simply clicking one of the radio buttons marks the item and preserves your classification, so that if you stumble across the same infrastructure in the future, you won’t have to guess its state. While it seems inconsequential, having your existing classification show up on a query means your workflow is not being disrupted which ultimately results in time saved.
Research has shown that our brains are capable of processing entire images in as little as 13 milliseconds. Think about that, entire images in less than a second; imagine how quickly it can process just a single row of color. Aside from providing a text version of classifications, we present them using visual cues, so that as you continue your research, it’s extremely clear that not only has something been classified, but also what particular value was chosen. To do this, we choose to represent each classification value as a particular color. Malicious values are highlighted red, suspicious as yellow, non-malicious as green and unknown as white. Hypothetically, if you use classifications, you’ll be able to process your existing research in less than a second. Pair that with existing knowledge, and there’s even more time saved.
If you are fortunate enough to work with a team, then you already know the challenges to keeping everyone in sync even if they are in the same location. Even worse, what happens when an analyst leaves the company? More often than not, when an analyst leaves, so does their knowledge. If your organization is using PassiveTotal Enterprise and our classifications, this is no longer an issue. Need to know what your co-worker is analyzing? Take a look at the teamstream to get a quick glimpse of what others are doing. Curious if someone in your organization already reviewed a particular domain? Just go run a query and look for the classification value. Working together happens seamlessly within PassiveTotal which means less time talking and more time searching.
With classifications, a single click or POST to our API takes your knowledge and instantly distills it into actionable feedback within PassiveTotal. In a field where time is precious, why wouldn’t you want to save more? Persisting your analysis back within PassiveTotal is guaranteed to improve your and your team’s workflow.
What is open source intelligence? Learn more about open source intelligence, how it’s made available, why it’s useful for analysts and the right questions to ask when performing an investigation.
Open source intelligence (OSINT) is data that can be found publicly online and is freely available for use inside your organization. This data is often produced by individuals or companies and is either given away for marketing purposes or simply as a way to share research. While great content can easily be found online, it may not be a full replacement for paid intelligence services. Some OSINT may draw incorrect conclusions or could be missing significant analysis, so any data collected should be vetted before being applied within your organization.
There’s no shortage of papers or blogs detailing the threats that plague organizations today and those data sources are ripe with indicators of compromise. In many cases, these listings of indicators manifest themselves in static data feeds that are often fed into a rule generator or device capable of automated blocking. Given the potential for mistakes, we feel these feeds are best applied in the context of performing research.
PassiveTotal users are able to see OSINT data when querying within the platform in two ways: tags and a tab attributing those tag values back to the source of information. Additionally, OSINT data is available through the API in the form of tags on a particular domain or IP address. Those looking to research without the OSINT data can deactivate the source from within the API Associations page.
The addition of OSINT as another source within PassiveTotal not only provides additional context, but also augments the user's research process. As pivots are made within PassiveTotal, users can instantly glean areas of interest based on which values are tagged and what those tags say. Analysts no longer need to worry about what was publicly reported, since it's always there as they research.
What is active DNS? Learn more about active DNS, how it’s collected, why it’s useful for analysts and the right questions to ask when performing an investigation.
A less commonly heard term in information security is "active DNS", unlike its counterpart, passive DNS. If you aren't familiar with passive DNS, read the passive DNS section above before going on. Active DNS matches passive DNS in every way except for how it's collected. Unlike passive DNS, where someone on the monitored network segment needs to make a request for data, active DNS forces the requests to happen.
One of the greatest benefits of an active DNS approach is that you, the end user, control how often lookups are made and which DNS server performs them. Having this capability lets anyone collect data and derive their own historical view of a given domain or IP address.
Another benefit to active DNS is the ability to brute force or come up with a list of frequently used subdomains to figure out if any of them are resolving. This process is fast and can be invaluable in providing additional data points that may have largely gone undiscovered had the request not been made naturally.
It’s worth noting that while active DNS collection has numerous benefits, it also has some significant drawbacks. Mainly, as requests are made to a given resource, it’s plausible that those running the infrastructure could be recording your queries and identify that you are aware of their servers. Wise operators may decide to block your addresses, try to infect you or make changes to their infrastructure (abandoning domains, registering new ones, changing IP addresses) that could leave you in the dark.
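As an added example (not PassiveTotal's code) covering the active DNS section above: a small Python DNS client that sends A queries to a resolver you choose (the "which DNS server" control the text mentions), a parser for the replies including NXDOMAIN, and a throttled wordlist brute force that takes any resolver function. The zone data, wordlist and reply builder are constructed so the example runs offline; `udp_resolve` does real network I/O and is the only part that would be seen by whoever runs the resolver you point it at.

```python
import socket
import struct
import time


def build_a_query(name, txid=0x1234):
    """Wire-format A query: 12-byte header (RD set), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _skip_name(buf, off):
    """Advance past a (possibly compressed) name in a DNS message."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes and the name ends
            return off + 2
        off += 1 + length


def parse_a_answers(resp):
    """IPv4 addresses in the answer section; [] on NXDOMAIN/SERVFAIL or when no A records."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F:                 # RCODE != NOERROR
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4
    ips = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def udp_resolve(name, server, timeout=2.0):
    """Active lookup against `server` (an IP you pick). Network I/O; not exercised offline."""
    query = build_a_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        resp, _ = sock.recvfrom(4096)
    return parse_a_answers(resp) if resp[:2] == query[:2] else []


def make_a_response(query, ips, rcode=0):
    """Constructed reply to `query` for offline use: echoes the question, then one A record
    per IP using a compression pointer (0xC00C) back to the QNAME."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
                       for ip in ips)
    return header + query[12:] + answers


def enumerate_subdomains(apex, wordlist, resolve, delay=0.0):
    """Try each label under apex; `resolve(fqdn)` returns a list of IPs ([] if nothing).
    `delay` throttles the run, since every query is visible to the resolver and, past it,
    to the authoritative server the target controls."""
    found = {}
    for label in wordlist:
        fqdn = f"{label}.{apex}"
        try:
            ips = resolve(fqdn)
        except OSError:                # timeouts and network errors count as no answer
            ips = []
        if ips:
            found[fqdn] = ips
        if delay:
            time.sleep(delay)
    return found


# Constructed zone and wordlist so the brute force runs offline; for a live run pass
# `lambda n: udp_resolve(n, "<resolver ip>")` as the resolver instead.
STUB_ZONE = {
    "www.trendmicro-update.org": ["198.51.100.10"],
    "cdn.trendmicro-update.org": ["198.51.100.10"],
}
WORDLIST = ["www", "cdn", "mail", "vpn", "dev", "update"]


def stub_resolve(fqdn):
    return STUB_ZONE.get(fqdn, [])


if __name__ == "__main__":
    print(enumerate_subdomains("trendmicro-update.org", WORDLIST, stub_resolve))
```

Pointing `udp_resolve` at a large public recursive resolver means the target's authoritative server sees the resolver's address rather than yours, but your query pattern is still in that resolver's logs and is still a burst of lookups for the target's namespace; the `delay` parameter is there because a slow trickle is less of a tell than a thousand queries in a second.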