Ask the right question during your investigation
- What is the data telling you?
Domains – Ask the right questions
- When was the domain registered?
- When was the last time it was seen actively resolving?
- What IP address does it currently resolve to?
- Is it Dynamic DNS?
- Are there additional subdomains associated with the higher-level domain?
- Is this domain compromised?
- Does the domain connect to malware?
IP Addresses – Ask the right questions
- Is the address routable?
- What subnet is it part of?
- Is it a larger allocation?
- Is there an owner associated with the subnet?
- What AS is it part of?
- Is this a sinkhole?
- What geolocation is there?
- Does this IP address have malware associated with it?
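The Domain and IP Address questions above are mostly pivots over passive-DNS data. The following is an added example (not part of the original checklist) that answers several of them against a small set of constructed resolution records and a constructed sinkhole list: last time seen resolving, current IP, related hostnames under the same apex, hosts sharing an IP, and routability/sinkhole classification using the standard library.

```python
"""Pivot over constructed passive-DNS records to answer the Domain / IP
checklist questions. Example code, not the page's own; all records, hostnames
and sinkhole addresses below are constructed (RFC 2606 / RFC 5737 values)."""
import ipaddress
from datetime import date

# Constructed passive-DNS observations: (hostname, ip, first_seen, last_seen)
PDNS = [
    ("login.example-corp.test", "203.0.113.10", date(2023, 1, 4), date(2023, 6, 30)),
    ("login.example-corp.test", "198.51.100.7", date(2023, 7, 1), date(2024, 2, 15)),
    ("cdn.example-corp.test", "198.51.100.7", date(2023, 7, 1), date(2024, 2, 10)),
    ("example-corp.test", "192.0.2.44", date(2022, 11, 20), date(2024, 2, 15)),
    ("old.example-corp.test", "10.0.0.5", date(2021, 3, 2), date(2021, 3, 9)),
]
# Constructed placeholder for a known-sinkhole list (not a real indicator)
SINKHOLES = {ipaddress.ip_address("192.0.2.44")}

def apex(hostname):
    """Naive two-label apex; sufficient for the constructed data (no public-suffix list)."""
    return ".".join(hostname.split(".")[-2:])

def last_seen(hostname, records=PDNS):
    """'When was the last time it was seen actively resolving?'"""
    mine = [r for r in records if r[0] == hostname]
    return max(r[3] for r in mine) if mine else None

def current_ip(hostname, records=PDNS):
    """'What IP address does it currently resolve to?' -> IP of the newest record."""
    mine = [r for r in records if r[0] == hostname]
    return max(mine, key=lambda r: r[3])[1] if mine else None

def related_hosts(hostname, records=PDNS):
    """'Are there additional subdomains associated with the higher-level domain?'"""
    return sorted({r[0] for r in records if apex(r[0]) == apex(hostname) and r[0] != hostname})

def shared_hosts(ip, records=PDNS):
    """Pivot from an IP back to every hostname that ever resolved to it."""
    return sorted({r[0] for r in records if r[1] == ip})

def classify_ip(ip):
    """'Is this a sinkhole?' then 'Is the address routable?' (stdlib is_global).
    Note: RFC 5737 documentation ranges are also reported as non-global."""
    addr = ipaddress.ip_address(ip)
    if addr in SINKHOLES:
        return "sinkhole"
    return "routable" if addr.is_global else "non-routable"

if __name__ == "__main__":
    host = "login.example-corp.test"
    print(host, last_seen(host), current_ip(host), related_hosts(host))
    print(shared_hosts(current_ip(host)), classify_ip("10.0.0.5"))
```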
WHOIS – Ask the right questions
- How old is the domain?
- Is the information privacy protected?
- Does any of the data appear to be unique?
- What name servers are used?
- Is there any history?
SSL Certificates – Ask the right questions
- Is there any unique data in the certificate?
- Is it self-signed?
- Is the certificate shared across many hosts?
- Has the certificate been revoked?
Host Pairs – Ask the right questions
- Have any of the connected artifacts been blacklisted?
- What is the source of the malware on this domain?
- Is this domain redirecting users to malicious content?
- Are resources pulling in CSS or images to set up infringement attacks?
- Where are users being redirected from/to?
- What type of redirection is taking place?
Trackers – Ask the right questions
- Are there other resources using the same analytics IDs?
- Are these resources associated with the organization, or are they attempting to conduct an infringement attack?
- Is there any overlap between trackers, i.e. are they shared with other websites?
- What types of trackers are found within the web page?
- How long have the trackers been present?
- How often do tracker values change: do they come, go or remain?
Hashes – Ask the right questions
- Are the hashes collected associated with malware?
- How recently was this suspicious activity observed?
- Which vendors/sources have observed malicious binaries?
DNS – Ask the right questions
- What other pieces of infrastructure are directly related to the indicator I am querying?
- Is any of this infrastructure associated with suspicious or malicious behavior?
OSINT (Open Source Intelligence) – Ask the right questions
- What information is available about this artifact?
- Is there any additional IOC I should be investigating?
- Are any of the IP addresses sinkhole addresses?
- Any new TTPs?
- Who is this threat actor?
- What is the age of the OSINT: was it published days, weeks or years ago?
Projects – Public & Private
- Are there any public projects associated with the searched artifact?
- Do the public projects have any other Indicators of Compromise (IOC)?
- How did the public project investigation progress over time?
- Who are the people working on the public project investigation?
Web Components
- What vulnerable infrastructure are you using?
- What unique web components is the threat actor using that can track them to other domains?
- Are any components marked as malicious?
- What is the number of web components identified?
- Are there any unique or unusual technologies not often seen?
- Are there any fake versions of specific technologies?
- How often do the web components change: frequently or rarely?
- Are there any suspicious libraries known to be abused?
- Are there any technologies with vulnerabilities associated with them?
Cookies
- What other websites are issuing the same cookies?
- What other websites are tracking the same cookies?
- Does the cookie domain match your query?
- What is the number of cookies associated with the artifact?
- Are there unique cookie names or domains?
- What time periods are associated with the cookies?
- What is the frequency of new cookies or change in cookies?