Threat research and incident response can be a lot like diving into a rabbit hole; some days it’s easy to start with one lead and quickly identify ten more that each take up hours of research time. The constantly evolving landscape forces analysts to bounce from one intrusion to the next, digging in deep for several weeks or sometimes just a few hours, then moving on to the next fire in an attempt to stay ahead of the attackers. In this type of rapidly changing threat environment, it can often be hard to remember critical pieces of information associated to a specific threat group you were researching six months ago or even six days ago.
In an attempt to address this gap, Brandon and I have come up with "analyst assist" - threat infrastructure analysis signatures, which can be deployed inside of your PassiveTotal enterprise account. These signatures, based on regular expressions, allow an analyst to automate certain functions within the platform by picking specific fields to inspect while performing research. Using analyst assist, users can classify, alert, or tag entities based on a continually expanding set of fields. For the release of this feature, we have included networks, AS name, domains, and multiple parts of WHOIS and SSL certificate records as fields users can write signatures against. Below we outline a few examples of how we currently use these signatures in our own research.
WHOIS data can be a great resource in finding new or existing domains registered by intrusion sets with poor operational security. Using signatures deployed through analyst assist and the Parsed WHOIS data provided by our partner, DomainTools, users can quickly triage and automate the discovery and tagging of domains by keying in on specific details like the registrant email or the registrant name. For example, the signature below will automatically tag any domain with “Malicious_Registrant” if it were registered using the email address, “46313@qq[.]com”. Simply viewing the domain will cause the tag to automatically appear therefore informing the user of the finding.
Keeping a list of registrant emails or known suspicious WHOIS details? Analyst assist allows you to associate a number of regular expression values with one common action. We see this process as drastically speeding up analysis and automating a lot of the benefits WHOIS data provides.
Analysts can use signatures to monitor for certificates of interest as well. Using the signature below, we are able to automatically tag certificates based off of specific fields. In this example, we are tagging any IP address with “KnownBadCert” based off the SSL certificate common name field matching “www.lanxess-lab.com”.
Similar to WHOIS fields, we offer a wide range of SSL certificate values that can be exposed to signatures.
While not completely threat related, analyst assist signatures can also be used to monitor for brand infringing domains or company-based subdomains often used by actors when registering command and control infrastructure. The signature below monitors for any domain that contains the words “passivetotal” and sends an alert to the registered account.
Summary notification data will display on the account overview page when the user logs in, but can also be accessed directly, and with more detail, by using the notifications view.
We view analyst assist as yet another way to help speed up the analysis process and ensure the spread of knowledge occurs when doing threat research. This service is currently available for any PassiveTotal enterprise customers or enterprise trial members under the monitor settings. Haven’t tested our enterprise services yet? Consider requesting a free trial by filling out the form on the enterprise page. Also, We are constantly looking for more fields to expose for existing data, but also new data, so if you have ideas, please let us know. Send any feedback to us directly using email@example.com.