Speeding Up Analysis

With the recent addition of RiskIQ internet scanning and web crawling data into the platform, I find myself leaning heavily on our enrichment data to guide my analysis. Digging into an investigation and sifting through mountains of data for clues as to who is behind an attack campaign and how large that campaign is can be exciting, but often we just want quick answers. We want to know whether the domain we are investigating is connected to known bad infrastructure, and we want enough context to understand the scope of the attack.

With data sets such as host pairs and trackers, we now have increased visibility into attack campaigns we otherwise would have never seen, but we also have more data to sift through and limited time in which to make our assessments.

Host Pairs in Action

I recently found myself researching a malicious domain, antivirus.safetynote.xyz, with a significant number of host pair associations. This domain was listed on the RiskIQ blacklist as malicious and associated with phishing activity. In trying to understand the full attack profile, I started to investigate the domain's parent and child host pair relationships.

[Screenshot: PassiveTotal host pairs view for antivirus.safetynote.xyz]

Reviewing some of the domains in the list above, I noticed a significant number of .om domains (one missing keystroke away from .com) that appeared to be typosquatting legitimate brands - this is usually a good indicator of maliciousness and made me want to investigate each individual domain relationship for additional suspicious activity.

I wanted immediate answers about this attack campaign and simple context about all the associated entities I was investigating. Naturally, this led me to our extensive Maltego transform set, which makes use of all the functions available in our API.

Maltego

Leveraging Maltego and our host pairs transform set, I was able to quickly pull domain associations onto a graph. From there I ran the PassiveTotal enrichment transform, which pulls system tags, OSINT associations, and domain-related information. I ended up with a lot of connections and a very large graph, but still lacked overall context about the attack campaign - the visual clutter was making it hard for me to properly interpret what I was looking at.

Machines to the Rescue

As we have discussed in a previous blog post, Maltego provides users with a powerful capability - to automate analysis using “machines”. Building off our previous work, we decided to expand our existing set of machines to include our new data sets and assist analysts dealing with data overload. The results are awesome - faster analysis and detailed context with the click of a button.

The first machine we developed pulls all of the parent host pairs and enriches them with PassiveTotal tags, providing a summary of all known domains redirecting to our malicious phishing site.

Immediately after running this machine, we are able to see the full picture of all known parent domains that have redirected to antivirus.safetynote.xyz. Two of these entities, track.mcwtg400.com and 104.239.139.5, have connections to malware and all of the domains look less than reputable.

Next, we can run a machine that retrieves a comprehensive picture of all domains that RiskIQ has observed antivirus.safetynote.xyz redirecting to, and again we get an easily consumable picture of activity. We see that there are more than 30 child domains, 3 of which have connections to malware and another - adobe.om - that is also listed on the RiskIQ blacklist as being associated with phishing activity. From here we could continue to build out host pair associations using our machines in order to grow our understanding of the entire attack surface of this campaign.
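The two machines above boil down to one operation: walk the host pair graph in one direction (parents or children) from a starting host, enrich each host reached with its tags, and surface the ones carrying malware, phishing or blacklist tags. The script below is an added example, not code from the blog or from PassiveTotal; it replaces the API calls with a constructed in-memory host pair table and tag table (an assumption) so it runs offline, and it generalises the machines slightly by allowing a configurable hop depth.

```python
from collections import deque

# Constructed sample host-pair rows (parent, child, cause). A real machine would
# pull these from the PassiveTotal host pairs API; the rows here are assumptions.
HOST_PAIRS = [
    ("track.mcwtg400.com", "antivirus.safetynote.xyz", "redirect"),
    ("104.239.139.5", "antivirus.safetynote.xyz", "redirect"),
    ("parent-c.example", "antivirus.safetynote.xyz", "redirect"),
    ("antivirus.safetynote.xyz", "adobe.om", "redirect"),
    ("antivirus.safetynote.xyz", "child-a.example", "redirect"),
    ("antivirus.safetynote.xyz", "child-b.example", "script.src"),
    ("adobe.om", "grandchild.example", "redirect"),
]
# Constructed enrichment tags standing in for PassiveTotal system/OSINT tags.
TAGS = {
    "antivirus.safetynote.xyz": {"blacklist", "phishing"},
    "track.mcwtg400.com": {"malware"},
    "104.239.139.5": {"malware"},
    "adobe.om": {"blacklist", "phishing"},
}
SUSPICIOUS = {"malware", "phishing", "blacklist"}

def neighbours(host, direction):
    """Hosts one hop away: 'parents' lead to host, 'children' are loaded by it."""
    if direction == "parents":
        return sorted(p for p, c, _ in HOST_PAIRS if c == host)
    return sorted(c for p, c, _ in HOST_PAIRS if p == host)

def walk(start, direction, max_depth=1):
    """Breadth-first walk over host pairs; returns {host: depth} for every host
    reached within max_depth hops, excluding the start host and cycles."""
    seen, queue = {}, deque([(start, 0)])
    while queue:
        host, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in neighbours(host, direction):
            if nxt != start and nxt not in seen:
                seen[nxt] = depth + 1
                queue.append((nxt, depth + 1))
    return seen

def summarise(start, direction, max_depth=1):
    """The machine step: walk, enrich each host with tags, and report the total
    count plus every host carrying a malware/phishing/blacklist tag."""
    hosts = walk(start, direction, max_depth)
    flagged = {h: sorted(TAGS.get(h, set()) & SUSPICIOUS)
               for h in hosts if TAGS.get(h, set()) & SUSPICIOUS}
    return {"total": len(hosts), "flagged": flagged}
```

With the sample table, `summarise("antivirus.safetynote.xyz", "parents")` flags track.mcwtg400.com and 104.239.139.5, and the children walk flags adobe.om, mirroring the two machine results described above.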

So Why Does this All Matter

The combination of the host pairs data set and PassiveTotal enrichment provides us with a powerful tool for understanding our adversaries' infrastructure. The example used in this blog demonstrated how we could fuse all our data with Maltego machines in order to go from limited to complete visibility into an attack campaign. In this process we decreased discovery and analysis time from over an hour down to just a few minutes, and we improved our organization's defensive posture immensely by allowing analysts to understand the full scope of an attack campaign and identify additional possible infection vectors.

But Wait There’s More!

We didn’t stop with just host pairs - we created enrichment machines for SSL certificate data and for Google Analytics Tracker IDs. We chose to focus on these repositories because the volume of data tends to be larger and the ability to quickly derive context in an investigation can be more difficult. Obviously, we are excited about the capabilities these types of machines can provide our user community and hope you are too. If you have other ideas for enrichment machines, or this inspires you to build your own machines to aid investigations, let us know at feedback@passivetotal.org; we always appreciate input from the PassiveTotal community.