SSL Certificates: Untapped Analyst Potential

Last week, we announced that PassiveTotal would be joining RiskIQ and debuted an updated version of the platform that brought access to new data sources and additional searching functionality. One feature we are most excited about is the expansion of our SSL certificate repository and the ability to pivot on any detail inside the certificate itself. To date, our certificate collection spans from early 2013 to the present day and includes over 30 million unique certificates and billions of historic associations.

SSL certificates give analysts two primary means of making connections within PassiveTotal: pivoting off the information inside the certificate record, and using the historic collection to identify overlap in infrastructure. To best illustrate the power of SSL certificates, we've included a couple of examples below.

Linking via Certificate History

As mentioned in the introduction, PassiveTotal stores all certificate information, but also keeps a historic record of the collection. For each association we keep the IP address, the certificate's SHA-1 fingerprint and the time period of the observation. The by-product of this storage is the ability to derive a history of which SSL certificates an IP address presented over different periods of time.

Much like passive DNS, having that historic view of SSL certificates over time unlocks a lot of potential for making connections. For example, imagine that a set of malicious actors have invested in an SSL certificate in order to support HTTPS for their command and control. Rather than buying a new certificate for every machine they own or compromise, they merely copy the certificate (and its private key, since the host has to serve it) over to the new host and continue operations. Having a historic record that identifies overlap by certificate hash means it's possible to identify infrastructure that has no WHOIS- or DNS-based connection at all.

In the example above, we see a simple certificate history for 37.59.224.217. Right away, it's clear that the two certificates associated with this IP address were also associated with at least 19 other addresses. Additionally, we know that the first certificate was in use for nearly a year before being replaced with a newer certificate that was only in use for a little over a month.

Clicking on one of the certificates kicks off a reverse SSL certificate search revealing all of the other IP addresses that also made use of this certificate. Pivoting into this new infrastructure reveals more cybercrime activity and thus serves as another connection point. What's most notable about this connection method is that many of the domains pointing to the above IP addresses never overlapped or shared infrastructure. In other words, without the SSL certificate, an analyst would not have found the connection using WHOIS or DNS data.

Linking via Record Content

When available, PassiveTotal will display the most recent SSL certificate associated with the IP address being queried in our convenient compact format. Similar to reverse WHOIS, users can click on any of the details within the record in order to discover any related certificates and thus more IP addresses.

In the example above, we can see the certificate details associated with 185.86.167.27. Just like a WHOIS record, there are a number of different fields an analyst could use as a pivot point to find more related infrastructure. When evaluating which avenues to explore, it's best to start with the data in the record that is most unique. In our example, the most interesting lead to explore is the subject common name of "sdksk12k3k213.xyz". It's interesting to note that many other domains resolve to this IP address that would not match the certificate's common name. Questions that arise are whether the certificate's validity period aligns with the DNS data for that domain, and what the other domains would gain from supporting HTTPS on a certificate that does not match them.
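To make the two pivots concrete (certificate history and reverse search by hash from the previous section, and pivoting on a field such as the subject common name from this one), here is an added example in Python. It is not PassiveTotal code and does not call the PassiveTotal API; it models the observation record the platform keeps (IP, SHA-1 fingerprint, observation window, plus the subject CN for the content pivot) over a small constructed data set using RFC 5737 documentation addresses, `.invalid` names and placeholder fingerprints. It also applies the caveat from the end of the post: a certificate seen on a large number of hosts (a generic or shared device certificate) is skipped as a link rather than pulling in hundreds of unrelated machines. The threshold of 25 hosts is an assumption for the example, not a PassiveTotal setting.

```python
"""Added example (not PassiveTotal code): certificate history, reverse
certificate search and field pivots over constructed observation records."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, shown as colon-separated
    upper-case hex, the form browsers and PassiveTotal display."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


@dataclass(frozen=True)
class Observation:
    ip: str
    sha1: str           # certificate fingerprint
    subject_cn: str     # subject common name taken from the certificate
    first_seen: date
    last_seen: date


# Constructed sample data (assumption). Fingerprints are placeholders.
CERT_A = "A1" * 20   # first C2 certificate, copied to several hosts
CERT_B = "B2" * 20   # its replacement, in use for about a month
CERT_C = "C3" * 20   # renewed cert with the same CN but a new hash
CERT_G = "D4" * 20   # generic device certificate shared by many hosts
C2_CN = "panel.c2-example.invalid"

OBSERVATIONS: List[Observation] = [
    Observation("192.0.2.10", CERT_G, "device.invalid", date(2014, 1, 1), date(2015, 6, 1)),
    Observation("192.0.2.10", CERT_A, C2_CN, date(2014, 1, 10), date(2014, 12, 20)),
    Observation("192.0.2.10", CERT_B, C2_CN, date(2015, 1, 5), date(2015, 2, 10)),
    Observation("198.51.100.7", CERT_A, C2_CN, date(2014, 3, 2), date(2014, 11, 30)),
    Observation("198.51.100.8", CERT_A, C2_CN, date(2014, 6, 15), date(2014, 8, 1)),
    Observation("203.0.113.5", CERT_B, C2_CN, date(2015, 1, 20), date(2015, 3, 1)),
    Observation("203.0.113.44", CERT_C, C2_CN, date(2015, 2, 15), date(2015, 6, 1)),
] + [
    # 60 unrelated hosts all presenting the same default device certificate
    Observation(f"203.0.113.{n}", CERT_G, "device.invalid", date(2014, 5, 1), date(2015, 5, 1))
    for n in range(100, 160)
]


def certificate_history(obs: List[Observation], ip: str) -> List[Observation]:
    """Which certificates an IP presented, oldest first (the history view)."""
    return sorted((o for o in obs if o.ip == ip), key=lambda o: o.first_seen)


def days_in_use(obs: List[Observation], ip: str, sha1: str) -> int:
    """Length of the observation window for one certificate on one host."""
    return max((o.last_seen - o.first_seen).days
               for o in obs if o.ip == ip and o.sha1 == sha1)


def reverse_cert_index(obs: List[Observation]) -> Dict[str, Set[str]]:
    """Reverse certificate search: fingerprint -> every IP it was seen on."""
    index: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        index[o.sha1].add(o.ip)
    return index


def is_generic(obs: List[Observation], sha1: str, threshold: int = 25) -> bool:
    """Caveat from the post: a cert on this many hosts is not a useful link."""
    return len(reverse_cert_index(obs)[sha1]) >= threshold


def linked_infrastructure(obs: List[Observation], ip: str,
                          threshold: int = 25) -> Set[str]:
    """Hosts reachable from `ip` by sharing a non-generic certificate hash."""
    index = reverse_cert_index(obs)
    linked: Set[str] = set()
    for o in certificate_history(obs, ip):
        if is_generic(obs, o.sha1, threshold):
            continue                      # skip shared device certificates
        linked |= index[o.sha1] - {ip}
    return linked


def pivot_on_field(obs: List[Observation], field: str,
                   value: str) -> Dict[str, Set[str]]:
    """Content pivot (like reverse WHOIS): certs whose `field` equals `value`,
    each mapped to the IPs that presented it. Finds renewed certs that the
    hash pivot alone would miss."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for o in obs:
        if getattr(o, field) == value:
            out[o.sha1].add(o.ip)
    return dict(out)


if __name__ == "__main__":
    for o in certificate_history(OBSERVATIONS, "192.0.2.10"):
        print(o.sha1[:8], o.first_seen, o.last_seen,
              "GENERIC" if is_generic(OBSERVATIONS, o.sha1) else "")
    print("linked via hash:", sorted(linked_infrastructure(OBSERVATIONS, "192.0.2.10")))
    print("linked via CN:", {k[:8]: sorted(v) for k, v in
                             pivot_on_field(OBSERVATIONS, "subject_cn", C2_CN).items()})
```

Running it shows the history for 192.0.2.10 with the generic certificate flagged, three hosts linked through the two C2 certificate hashes, and a fourth host (203.0.113.44) that only the common-name pivot reaches because its certificate was reissued with a new fingerprint.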

Accessing Certificates

As with other data in PassiveTotal, we have made the certificate information available through our APIs and Maltego transforms. Included on the API documents page are several code examples and responses to access the certificate data.

If you are interested in accessing the data from Maltego, simply install the free set of transforms from Paterva's transform hub and you are all set. Once in a Maltego graph, you can begin running transforms on SSL certificates using our custom entities.

One of the added benefits of Maltego is that you have access to all the other transforms like passive DNS and WHOIS information. It’s easy to go from a certificate hash to a set of IP addresses to a number of domains to WHOIS information and so on. Analysts can quickly build out a chart of connections, tag any relevant data and have it shared with their colleagues in the PassiveTotal platform.

Happy Connecting

By the end of this post, it should be clear that SSL certificates are an awesome new way to make connections within PassiveTotal. While they may not always reveal hidden infrastructure, they are yet another data point to use when conducting research. Like other data points, it's best for analysts to review the details of a certificate before confirming a direct connection. It's very easy to find certificates shared across hundreds of machines because of generic information or shared device certificates (for example, the default self-signed certificate shipped on an appliance), and those are not evidence that the hosts are related. In future posts, we will revive our Know Your Foe series and include an article on SSL certificates.