Infrastructure chaining leverages the relationships between highly connected datasets to build out an investigation. This process is the core of Threat Infrastructure Analysis and allows organizations to surface new connections, group similar attack activity and substantiate assumptions during incident response. In this blog, we will focus on infrastructure chaining centered around SSL certificates and how this data set complements traditional sources for infrastructure analysis.
Analysts can use certificate hashes and facets to conduct investigations and discover
Earlier this morning, Eyal from Clearsky Cyber Security published a paper on "Operation DustySky", a set of targeted campaigns attributed back to the Gaza Cybergang. When working with Clearsky, we observed some interesting details and overlap that didn't quite fit in the paper, so we wanted to publish them here.
We found this IP address to be interesting due to the SSL certificate, mix of dynamic DNS and registered domains and
Ever find yourself coming across familiar looking infrastructure, but can't remember where or why or when you saw it? More importantly, are you able to remember if it were good, bad or just a figment of your imagination? Yeah, we've been there too and that's one of the primary reasons PassiveTotal included the ability for analysts to classify a domain or IP address within the platform.
When responding to incidents, client requests or what feels
Last week we announced the addition of a new, free data source inside of PassiveTotal, Open Source Intelligence (OSINT). The source has already paid dividends in saving us time and helping add more context, but it wasn’t until last night when reviewing RSA’s GlassRAT report that it really sunk in how much this simple overlay could augment the analyst workflow.
Whenever we observe a new report or blog post with indicators, we make