Subscribe
  • Home
  • /
  • Malware
  • /
  • Obscure Technologies: Threat analyst using RiskIQ PassiveTotal , a day in the life

Obscure Technologies: Threat analyst using RiskIQ PassiveTotal , a day in the life

Brian Chung.


Johannesburg, 11 Aug 2017

John is a tier-two threat analyst on a SOC team that consists of five analysts. John, whose team works for a public-sector organisation, uses RiskIQ PassiveTotal daily to aid his investigations of indicators of compromise (IOCs) with minimal false positives during incident response.

Fig-1 WHOIS info inside DomainTools.
Fig-1 WHOIS info inside DomainTools.

The team leverages the relationships between the highly connected data collected by RiskIQ inside the RiskIQ PassiveTotal platform, pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each IOC. However, John's team did not always use RiskIQ PassiveTotal.

Fig-2 DNS lookup inside Mnemonic.
Fig-2 DNS lookup inside Mnemonic.

Once upon a time, they used a manual, highly segmented workflow comprised of a cocktail of different tools. According to John, below is an example of what a typical incident response might have looked like for him in the pre-PassiveTotal days. We will use an IP from a recent event in which the Lazarus Group attacked Polish banking establishments as the example.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

Fig-3 Various OSINT tools.
Fig-3 Various OSINT tools.

1. John logs into Domain Tools for IP WHOIS lookup, which provides WHOIS information such as the resolving host, WHOIS history, contract e-mails, and more:
2. In a separate tab, he opens Mnemonic for Passive DNS lookup, which pulls in domains resolving to the suspect IP:
3. To see if there is any open source intelligence on the IP, he opens several tabs to search multiple sources, such as Phishtank, FireEye blog, Facebook, threat exchange, and more:
4. Next, he opens up a new tab to check the domains he found in Mnemonic against hashes in VirusTotal:

Fig-4 Hashes inside VirusTotal.
Fig-4 Hashes inside VirusTotal.

Through these steps, John was able to gather a good deal of knowledge about this IP - WHOIS information, passive DNS, OSINT, and hashes. If his initial research uncovers something interesting, John could spend more time on that area to dive deeper. Doing investigations this way can easily take anywhere from 10-15 minutes each, with up to six different sources.

Fig-5 Querying the IP combines all six sources in the old method into one.
Fig-5 Querying the IP combines all six sources in the old method into one.

Now, let's take a look at what the same investigation would look like today, now that John and his team uses RiskIQ PassiveTotal.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

Fig-6 Querying DNS data in RiskIQ PassiveTotal.
Fig-6 Querying DNS data in RiskIQ PassiveTotal.

1. John takes the flagged IP and queries it inside the RiskIQ PassiveTotal platform. Immediately, the WHOIS and passive DNS data are presented in a visual heat map.
2. Utilising the heatmap, John can pinpoint and narrow down his investigation based on unique changes. All historical IP/Domain resolutions are displayed under resolutions allowing John to quickly observe all historical resolutions in a single view:
3. John pivots from the domain under the 'resolutions' tab, which automatically will run a query on 'sap[.]misapor[.]ch':

Fig-7 Data shows that threat analysts who use RiskIQ PassiveTotal save time.
Fig-7 Data shows that threat analysts who use RiskIQ PassiveTotal save time.

The RiskIQ PassiveTotal interface displays detailed contextual information such as OSINT, RiskIQ proprietary BlackList, Malware and more, allowing John to stay inside of the platform to conduct his investigation further. The entire process is seamless and took less than a few minutes without ever having to leave the platform.

As seen above, by using RiskIQ PassiveTotal the time spent on this investigation was cut by more than half. On top of time savings, RiskIQ PassiveTotal aggregates data into one single view, so threat analysts like John no longer need to visit or subscribe to multiple sources.

Fig-8 Data shows that threat analysts enjoy RiskIQ PassiveTotal's comprehensive data.
Fig-8 Data shows that threat analysts enjoy RiskIQ PassiveTotal's comprehensive data.

In addition to the datasets presented above, RiskIQ PassiveTotal has many unique datasets derived from data captured during our virtual user crawling sessions. For example, the Host Pairs dataset is generated when RiskIQ crawling infrastructure identifies references or redirections on a page to other Web sites. By confirming that the attack originated from external sources, Host Pairs played a huge role in the investigation of Polish Bank hack when it showed that the malicious domain (sap[.]misapor[.]ch) was linked to a legitimate Polish bank via an iframe.

Fig-9 The unique Host Pairs data set shows iframes pointing to external sources.
Fig-9 The unique Host Pairs data set shows iframes pointing to external sources.

Below, you can see RiskIQ crawlers observed the KNF Web site pointing to two malicious URLS via an iframe:

[http]://sap.misapor.ch/vishop/view.jsp?pagenum=1
And [https]://www.eye-watch.in/design/fancybox/Pnf.action

Share

RiskIQ PassiveTotal for Threat Analysts

RiskIQ PassiveTotal's ever-expanding data provides new context to adversaries' infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organise and group-related threat infrastructure components found during investigations. This allows threat analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community Today.

Editorial contacts

Surita Schoeman
Obscure Technologies
surita.schoeman@obscuretech.net