A couple of months ago, we posted an entry outlining one of our newer datasets, SSL certificates. In that post, we focused on the cyber espionage group Turla, which is said to be associated with Russian government operations. Using self-signed SSL certificate fingerprints, we were able to correlate a number of IP addresses belonging to various satellite providers and unearth an extensive network of command and control domains.
With the recent addition of RiskIQ internet scanning and web crawling data into the platform, I find myself leaning heavily on our enrichment data to guide my analysis. Digging into an investigation and sifting through mountains of data for clues as to who is behind an attack campaign and how large that campaign is can be exciting, but oftentimes we just want quick answers. We want to know if the domain we are investigating
In our last blog post, we broke apart the RiskIQ web crawlers and outlined all the content they collect when browsing the Internet. This was helpful in understanding the data, but it didn’t really provide a good example of how we use this content to link to actor infrastructure. For this post, we are going to focus on a criminal-based threat that often targets social media services and see how we could leverage
As analysts, we are used to the common logic of "if it's too good to be true, then it probably is", but every now and then, leads that fall into this category pan out. Steve and I have been investigating a set of infrastructure for over 9 months now, and it's finally at a point where we feel confident in the community's response to action the threats involved appropriately. Our analysis shows at least seven
It’s hard to believe, but just nine months ago, we rolled out our first version of Hubot scripts using Slack as an example of how you could further your analysis. Back then, we were working with limited amounts of data and could only provide passive DNS. Today, we are in a much different place and felt it was time to really build out our bot capabilities. Released on our GitHub repository and the NPM