As analysts, one of the biggest challenges in dealing with malicious actors is maintaining insight into their operations. It's nearly impossible to know when an actor may decide to change their infrastructure and even more difficult for us to keep tabs on every domain or IP address they control. But what if you could get alerted to those changes automatically? Starting today, PassiveTotal users can now monitor infrastructure of interest and receive alerts when we observe a change.
Leveraging the datasets from RiskIQ, our monitoring framework will inspect for differences in DNS resolutions, data records and infrastructure associations. With the first release of this framework, we added support for the following datasets:
- Passive DNS
- SSL Certificates
- Open Source Intelligence
- RiskIQ’s Blacklist
By utilizing these monitors, analysts can automate a critical portion of their workflow. Instead of constantly checking for changes in infrastructure, or worse, missing them altogether, they'll now be notified both in email and the PassiveTotal platform. These alerts are also available through our API, allowing users to create automated responses within their organization.
Setting a Monitor
Enabling monitors in your account is simple - every domain and IP entity page includes a eye icon that allows an analysts to quickly toggle this alerting functionality on and off. Once a monitor is set, the PassiveTotal system will use that state as the baseline for all future alerting and if something changes in our datasets, you will be notified of this change.
PassiveTotal now provides its users with a daily email digest outlining the specific changes that occur for each entity an analyst is monitoring. The digest includes a summary in the email and CSV attachments for each data set with key information about what changed.
Additionally, analysts can log into the monitoring section of the platform to receive a more detailed view of alerting for all entities monitored.
Clicking on each of the entities provides the analysts with a summary view of the indicator they are monitoring and the ability to search through their alerts by day and data type.
The alert summary lets an analysts know how many datasets were alerted on in a given day, the days since this indicator last alerted in the PassiveTotal system and the number of previous alerts seen for a given indicator across our datasets.
Monitors in Action
I’m currently monitoring a large mix of domains and IP addresses in my PassiveTotal account, one of which alerted last week - 18.104.22.168. This IP address is associated with Nettraveler activity based on a Palo Alto Networks report and was something I hadn't planned to revisit since I moved on to other research.
The picture of the alert above shows that PassiveTotal had identified a new domain, www.interfaxru.com, resolving to that IP address.
Clicking the value allows me to instantly begin investigating the new domain which appears to have a single malware connection. Digging around a bit more, the domain in question looks to be typo-squatting the legitimate Russian news organization, Interfax, and is almost certainly being used in malicious campaigns.
Monitors as Force Multipliers
If I hadn't set a monitor on the particular Nettraveler IP address, it's very likely that I would have missed this new domain and the opportunity to conduct follow-on research. As a researcher, this isn't the end of the world, but for an organization, the consequences of missing new infrastructure may have a greater impact and could result in a compromise.
PassiveTotal monitors can act as a force multiplier for security teams by automatically notifying them to infrastructure changes. As we continue to add new data to our platform, we plan to work it directly into our monitoring framework. Doing so means more coverage, better alerts and less work for you, the analyst.