A couple of months ago, we posted an entry outlining one of our newer datasets: SSL certificates. In that post, we focused on the cyber espionage group Turla, which is said to be associated with Russian government operations. Using self-signed SSL certificate fingerprints, we were able to correlate a number of IP addresses belonging to various satellite providers and unearth an extensive network of command and control domains.
One of the most powerful features inside PassiveTotal is the ability to monitor infrastructure and receive alerts when something changes. We’ve covered how to deploy monitors in previous posts and videos, but have never shown how they can be used for follow-up actions. By combining the notifications and monitors APIs from the account endpoints, it’s easy to create an automated system to block or publish threat data.
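As an added illustration (not code from the original post or from PassiveTotal), the shape such a follow-up action can take: a batch of monitor notifications is validated and deduplicated into a blocklist, new indicators are separated from ones already blocked, and the domains are rendered as a sinkhole hosts file. The notification field names (`type`, `focus`, `generated`) are assumptions rather than the documented schema, and the sample payload is constructed.

```python
import ipaddress
import json

# Constructed sample of what one notifications poll might return.
# Field names are assumptions, not PassiveTotal's documented schema.
SAMPLE_NOTIFICATIONS = json.loads("""
[
 {"type": "domain", "focus": "update.example-c2.test", "generated": "2016-05-01T10:00:00"},
 {"type": "ip",     "focus": "203.0.113.77",           "generated": "2016-05-01T10:05:00"},
 {"type": "domain", "focus": "Update.example-c2.test.", "generated": "2016-05-02T09:00:00"},
 {"type": "ip",     "focus": "not-an-ip",              "generated": "2016-05-02T09:30:00"},
 {"type": "domain", "focus": "cdn.example-c2.test",    "generated": "2016-05-03T08:00:00"}
]
""")


def normalize(entry):
    """Return ('domain'|'ip', value) or None if the entry is malformed."""
    kind = entry.get("type")
    value = (entry.get("focus") or "").strip().lower().rstrip(".")
    if not value:
        return None
    if kind == "ip":
        try:
            return ("ip", str(ipaddress.ip_address(value)))
        except ValueError:
            return None  # never push garbage into a firewall feed
    if kind == "domain" and "." in value and " " not in value:
        return ("domain", value)
    return None


def build_blocklist(notifications, already_blocked=frozenset(), since=None):
    """Reduce monitor notifications to (new, known) indicator sets.
    `since` is an ISO-8601 timestamp; alerts at or before it are skipped,
    so a scheduled run only acts on what arrived since the last run."""
    new, known = set(), set()
    for entry in notifications:
        if since and entry.get("generated", "") <= since:
            continue
        ind = normalize(entry)
        if ind is None:
            continue
        (known if ind in already_blocked else new).add(ind)
    return new, known


def render_hosts_file(indicators):
    """Emit the domain indicators as a sinkhole hosts file, one per line."""
    return "\n".join(f"0.0.0.0 {v}" for k, v in sorted(indicators) if k == "domain")
```

In a real deployment the list would be fetched from the account notifications endpoint on a schedule and `since` set from the previous run's newest timestamp.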
As analysts, one of the biggest challenges in dealing with malicious actors is maintaining insight into their operations. It's nearly impossible to know when an actor may decide to change their infrastructure, and even more difficult to keep tabs on every domain or IP address they control. But what if you could be alerted to those changes automatically? Starting today, PassiveTotal users can monitor infrastructure of interest and receive alerts when we