OSINT-Colored Glasses

If you spend enough time in the field, you slowly start to forget what is common knowledge versus what you picked up in the trenches or the day-to-day. Information security is no exception to this rule, and yet it is easy to forget, even when building a product for analysts. When you log in to the platform or use the API, you will likely now see a couple of tags you did not add. Tags like “phishtank”, “blocklist” or even “exploit kit” may now show up alongside your own personal markings. The source of this data is something we all have access to yet commonly forget to harvest properly: open source intelligence (OSINT).

For a long time, Steve and I have used PassiveTotal with an existing understanding of threat groups and their methodologies. Seeing a domain pattern or email address would trigger memories of writing long reports on specific threats, which instantly told us that whatever we were querying was malicious. Along the way, we forgot that others did not have this same body of knowledge: to them, an email address was just an email address, and while the DNS data could show a pattern, a pattern alone did not mean it was bad.

To make threat infrastructure analysis more approachable, we needed to add another layer of context on top of our output, so that the larger narrative around a threat could be understood by anyone, seasoned or brand-new. Open source intelligence is our first step toward solving part of this problem, and it is awesome.

There is no shortage of papers or blogs detailing the threats that plague organizations today, and those data sources are rife with indicators of compromise. In many cases, these listings of indicators end up as static data feeds that are fed into a rule generator or a device capable of automated blocking. Given the potential for mistakes in such feeds, we feel they are best applied in the context of performing research rather than for unattended blocking.

PassiveTotal users will now see this additional context when querying our platform in two ways: tags, and a tab attributing those tag values back to their source of information. This data is also available through the API without any changes to your code or client. We recognize that some users may not want to see this information all the time, so the OSINT source can easily be turned off by clicking “deactivate” in the API associations menu.

The addition of OSINT to PassiveTotal is certainly not a ground-breaking concept, but having now seen it in action, it is hard to believe it was not there before. In the coming months, we will continue to bring new sources of data into the platform to augment the research process. If you feel we missed some data, let us know by sending feedback to feedback@passivetotal.org.