Paper: Wave your false flags! Deception tactics muddying attribution in targeted attacks

This is an 11-page white paper that goes through the current challenges faced by researchers when attributing cyber attacks.

It goes through the current attribution techniques, such as:

  • Timestamps
  • Strings, debug and metadata
  • Malware families, code reuse
  • Threat infrastructure used

It also presents some of the most advanced APTs, their potential origin, and the techniques believed to have been used by them to thwart the attribution process carried out by researchers.

The most revealing conclusion is that cyber attribution is a difficult process that can never legitimize a counter-attack.


The right ingredients for Threat Hunting

Threat Hunting and training such as GCFA are proving to be beneficial in lowering the internal detection time and the dwell time. Not long ago we were discussing how long internal detection was taking and the average dwell time, but this is currently changing.

Rob Lee and the SANS Institute, in their GCFA update for this course, state that they are starting to see some fruitful results as a consequence of Threat Hunting.

Internal discovery of a compromise is gaining momentum, with an increase from 20% to nearly 50%, and therefore the dwell time is getting shorter, thus reducing risk for organizations. The difference is driven by Threat Hunting and advanced training such as GCFA.

Another important point standing out from this update is that SOC and DFIR skills, as Rob explains, are intimately related.


While the SOC detects adversary behavior, DFIR observes and tracks that adversary behavior, and the good news is that these functions do not need to sit on different teams. Indeed, it makes sense for analysts to be capable of pivoting from one role to the other in order to achieve a successful detection.

Threat Hunting is proactively changing the industry and also the standards needed for professionals to successfully thrive in a threat hunting and detection capability.

The presentation also takes a high-level approach, introducing the latest topics covered in the course and the latest techniques seen in the wild. Even if you have not attended this training, I still recommend watching this video, since it will introduce topics that you can later research.


Book: Android Malware and Analysis by Ken Dunham.

I needed to get an intro to Android malware analysis and some of the tools you can use for it. This book is very easy to read and provides a good foundation to start doing Android malware analysis. It covers the malware landscape up to 2014 and the existing techniques and tools for static and dynamic analysis. I highly recommend this book and the tools in it if you are planning to start doing Android malware analysis.


Hunting down Threat Infrastructure (2, with PassiveTotal)

It's been a while since I wrote the first post on threat infrastructure, and I believe it will be beneficial for you to go through it first if you have not done so yet. This will set the context for understanding the issues we are trying to solve here.

The first post explained how attackers are bypassing security controls and adding confusion to stay indefinitely within your network and evade detection, using technologies such as DGA, dynamic DNS and fast flux, among others.

In this second post I want to focus on two important aspects of being able to fight back and hunt down your attacker. The first aspect we are going to discuss is what technology we have available today to detect the evasion and confusion mechanisms used by attackers. In the second part of this post I will focus on one of the most innovative solutions available today on the market to disrupt and research threat infrastructure.

Starting with the technology we have available today, we have to talk about passive DNS. Passive DNS is a replication technique invented by Florian Weimer in 2004 in which inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.

Recursive DNS servers work in such a way that, when they do not have a resolution for the queried domain, they forward that query to a root server and follow referrals until they identify the authoritative server that knows the answer. The query is then sent to that authoritative server, and it is these inter-server exchanges that passive DNS sensors observe.


What is the value of Passive DNS?

Passive DNS is an extremely rich data set for threat investigators and for analysts monitoring the security perimeter. Among all the clues it uncovers, I will only mention a few, such as:

  • Near real-time detection of DNS resolutions to malicious domains
  • Detection of new domains on the internet, often involved in phishing campaigns and malicious activity
  • Detection of brand impersonation
  • Detection of attacks using techniques such as fast flux and DGA
  • Tracing an attacker's activity on the internet

To sum up, on a very basic level passive DNS allows the investigator to ascertain the IP addresses a domain is resolving to and the history of these resolutions. It also allows us to discover which domains have been seen on an IP address or range of IPs.

I do not want to go further into passive DNS, since it is fairly easy to understand, and I am providing you with some useful resources to dig deeper into the subject.

  • The most dangerous game: Hunting adversaries across the internet (Kyle Maxwell, Verisign iDefense, and Scott Roberts, GitHub)
  • Targeted take-downs: minimizing collateral damage using passive DNS
  • Practical use of passive DNS: monitoring for e-crime investigations
  • Using passive DNS analysis to automatically detect malicious domains

Moving into the second part of this article, I want to present a solution that, having tried different passive DNS solutions, I believe is undoubtedly the best of breed. This solution is PassiveTotal.

PassiveTotal is the leading threat infrastructure analysis platform, focused on seamlessly combining data sets and developing innovative solutions that allow analysts to make knowledgeable assessments of domains and IP addresses to quickly and efficiently defend their organizations from malicious actors.

This is their mantra; honestly, it is pretty accurate, and their solution does exactly that. PassiveTotal was acquired by RiskIQ, adding one more solution to their already impressive set of cyber security solutions. An excellent decision, looking at the type of problems RiskIQ solves today for its customers in the market.

Now, why this solution? I have tried several solutions in the same space and was certainly disappointed with all of them. The main reasons are the following:

  • Most of them only offer raw IP-to-domain correlation data
  • Very old data sets that are not updated daily
  • No enrichment with other web data sets
  • Interfaces that are not human-friendly and lack correlation and context
  • Lack of domain monitoring capabilities

I use this solution very often to make judgment calls, and it makes my life very easy. With 100% certainty it will do the same for you, whether you are sitting at your perimeter monitoring activity or at the endpoint analyzing a company intrusion or a threat actor.

Let's quickly see some of the benefits of using PassiveTotal. One of the first things you can appreciate as soon as you log into the solution is the clear interface and the heat map. The heat map is very clear and offers the analyst a bird's-eye view of the domain, IP, email or SSL certificate being researched. This lets you get a quick impression.



As you can see, the domain above looks somewhat suspicious, doesn't it? Of course it is.


Another cool feature is the monitoring option. Do you remember the first post, where I explained how threat infrastructure moves around the internet to avoid detection? Well, this feature allows you to follow exactly these changes. It will send you a notification so you can follow in real time where your attacker's threat infrastructure is moving to.

Let's see some of the enrichment features:



The tags provide very rich information, and again from a bird's-eye view you can get a feeling for the threat you are dealing with. In this case we see a threat related to Exploit Kit and Crimeware; needless to say, the site only resolved to a routable IP once. Isn't that weird? The OSINT tag above will also provide additional information related to the threat that has been mined using OSINT techniques. It is extremely useful, as many times it provides additional information about the threat related to your investigation.

Do you need more enrichment? Look at the components, host pairs and hashes tags above.


The components tag provides a very detailed view of the infrastructure used by the attacker. This is especially useful in threat investigation; have you heard about TTPs?


The host pairs tag provides you with all the relations between your target site and other sites on the internet. They can be a parent-child link or more complex relationships such as content, iframes and so on. Below you have a case study to understand this feature.

There are more features; however, I will not go into all of them. Please refer to their online manual.

What else stands out in this solution? You can basically pivot over any field, such as domains, IPs, certificates, emails and so on.

Let's see an example with the Whois pivot:

This pivot shows all the sites registered by the same email address. Valuable for your threat investigation? I bet it is.

Lastly, let’s have a quick look at the passive DNS sources. Where are they coming from?




From DomainTools to VirusTotal, Emerging Threats and always-fresh RiskIQ data sets. As you can see, you will not run out of clues with all these data sets from different passive DNS networks.

The solution provides a lot more than what I have shown here; however, I just wanted to provide an overview. Despite the fact that today we can count on solutions such as this, I still see people working the old way: VirusTotal for everything. Really? Content analysis sites throw a ton of false positives at you. I have seen VirusTotal show a site as safe just because it was not online; after checking passive DNS I noticed that the site had only been online for a day. The threat was of course no longer active, so from VirusTotal's perspective the site was not a threat because it was not active, but from the passive DNS perspective it was, and it is probably still inside your organization.

If you are doing threat investigation, I believe the value is shown in this post. You can get a very accurate picture of your attacker's footprint on the internet.

To start analyzing threats beyond traditional AV and to avoid being fooled by these evasion techniques, you need to take some time, and I highly recommend the RiskIQ and PassiveTotal blogs. If you want to gain experience with these techniques, I also recommend that you start assessing your threats in more detail and start asking yourself basic questions such as:

  • How many IPs are resolving today to that domain?
  • How many IPs have resolved to that domain in the last 3 months?
  • What does the Whois information say?
  • Are there similarities with other previously seen threat infrastructure?
  • Do the IPs fall in the space of one ISP and 1 or 2 ASNs?
  • Do the IPs fall in the space of different ASNs across the world?


Why these questions?

  • Sites with good reputation do not tend to move IPs frequently (not always, but it is the norm)
  • Do we have legitimate registration information, or is it obfuscated?
  • Criminals are lazy humans and they tend to redirect, duplicate and copy threat infrastructure. This can be seen in the host pairs tag when you query the domain
  • If the IPs fall in the space of 1 or 2 ASNs, we are dealing with a domain that is possibly using dynamic DNS to evade IP blacklisting
  • If the IPs fall in the space of different ASNs across the world, we are dealing with a domain that is possibly using DGA to evade domain blacklisting
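
To make the passive DNS concepts from earlier in the post and the questions above concrete, here is an added example that is not PassiveTotal or RiskIQ code and not part of the original post. It builds a tiny passive DNS store (domain to IP history with first/last seen, and the reverse IP to domains pivot) from constructed sensor observations, then answers the questions for each domain: IPs resolving today, IPs in the last 90 days, how many ASNs they span, how long the domain was active, and the post's rules of thumb for dynamic DNS and DGA/fast flux. The observations, the documentation-range IPs, the `.example` names and the prefix-to-ASN table are all constructed; a real deployment would feed sensor captures and a routing or whois source into the same functions.

```python
"""Passive DNS store plus the resolution-history checks the post asks about.

Added example, not PassiveTotal or RiskIQ code. Observations, IPs, domain
names and the prefix-to-ASN table are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sensor observations: (observed_at, rrname, rrtype, rdata).
# In a real feed these are the inter-server DNS answers the sensors capture.
OBSERVATIONS = [
    ("2016-09-01T10:00:00Z", "static-corp.example", "A", "192.0.2.10"),
    ("2016-11-20T08:30:00Z", "static-corp.example", "A", "192.0.2.10"),
    ("2016-11-29T12:00:00Z", "static-corp.example", "A", "192.0.2.10"),
    ("2016-09-05T01:02:03Z", "ddns-host.example", "A", "198.51.100.5"),
    ("2016-10-01T01:02:03Z", "ddns-host.example", "A", "198.51.100.77"),
    ("2016-11-10T01:02:03Z", "ddns-host.example", "A", "198.51.100.130"),
    ("2016-11-28T01:02:03Z", "ddns-host.example", "A", "198.51.100.201"),
    ("2016-11-29T01:02:03Z", "ddns-host.example", "A", "198.51.100.9"),
    ("2016-11-29T09:00:00Z", "flux-node.example", "A", "203.0.113.4"),
    ("2016-11-29T09:05:00Z", "flux-node.example", "A", "203.0.113.140"),
    ("2016-11-29T09:10:00Z", "flux-node.example", "A", "198.51.100.66"),
    ("2016-11-29T09:15:00Z", "flux-node.example", "A", "192.0.2.200"),
    ("2016-11-29T09:20:00Z", "flux-node.example", "A", "203.0.113.77"),
    ("2016-11-01T00:00:00Z", "oneday-landing.example", "A", "203.0.113.4"),
]

# Constructed prefix -> ASN table; the ASNs are private-use placeholders.
PREFIX_TO_ASN = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/25": 64501,
    "198.51.100.128/25": 64502,
    "203.0.113.0/25": 64503,
    "203.0.113.128/25": 64504,
}


def parse_ts(text):
    """Parse the UTC timestamp format used in OBSERVATIONS."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class PassiveDNS:
    """Forward index (domain -> IPs with first/last seen) and reverse index (IP -> domains)."""

    def __init__(self, observations):
        self.forward = defaultdict(dict)  # domain -> {ip: [first_seen, last_seen, hits]}
        self.reverse = defaultdict(set)   # ip -> {domains}
        for ts, name, rrtype, rdata in observations:
            if rrtype != "A":             # keep the example to IPv4 answers
                continue
            seen = parse_ts(ts)
            entry = self.forward[name].setdefault(rdata, [seen, seen, 0])
            entry[0] = min(entry[0], seen)
            entry[1] = max(entry[1], seen)
            entry[2] += 1
            self.reverse[rdata].add(name)

    def resolutions(self, domain, since=None):
        """IPs the domain resolved to; with `since`, only those still seen at or after it."""
        return sorted(ip for ip, (first, last, hits) in self.forward[domain].items()
                      if since is None or last >= since)

    def domains_on_ip(self, ip):
        """Reverse pivot: every domain seen resolving to this IP."""
        return sorted(self.reverse[ip])

    def active_window(self, domain):
        """(first_seen, last_seen) across all of the domain's resolutions, or None."""
        entries = list(self.forward[domain].values())
        if not entries:
            return None
        return min(e[0] for e in entries), max(e[1] for e in entries)


def asn_for(ip):
    """Longest-prefix match of ip against the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in PREFIX_TO_ASN.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def assess(pdns, domain, now):
    """Answer the post's questions for one domain and apply its rules of thumb."""
    today = pdns.resolutions(domain, since=now - timedelta(days=1))
    quarter = pdns.resolutions(domain, since=now - timedelta(days=90))
    asns = {asn_for(ip) for ip in quarter} - {None}
    first, last = pdns.active_window(domain)
    days_active = (last - first).days
    if len(quarter) > 2 and len(asns) > 2:
        verdict = "possible DGA/fast flux: IPs spread across many ASNs"
    elif len(quarter) > 2:
        verdict = "possible dynamic DNS: IP churn inside 1-2 ASNs"
    elif not today and days_active == 0:
        # The VirusTotal pitfall from the post: a site that was up for one day only.
        verdict = "short-lived: resolved on a single day and no longer resolving"
    else:
        verdict = "stable resolution history"
    return {"domain": domain, "ips_today": len(today), "ips_90d": len(quarter),
            "asns_90d": len(asns), "days_active": days_active,
            "last_seen_days_ago": (now - last).days, "verdict": verdict}


if __name__ == "__main__":
    store = PassiveDNS(OBSERVATIONS)
    now = parse_ts("2016-11-30T00:00:00Z")   # constructed "today" for the sample data
    for name in ("static-corp.example", "ddns-host.example",
                 "flux-node.example", "oneday-landing.example"):
        print(assess(store, name, now))
    print("domains seen on 203.0.113.4:", store.domains_on_ip("203.0.113.4"))
```

The thresholds (more than two IPs in 90 days, more than two ASNs) are deliberately simple and only encode the post's rules of thumb; tune them against your own baseline of legitimate domains, since CDN-hosted sites also rotate IPs. The reverse pivot on `203.0.113.4` shows why the IP-to-domains direction matters: the dormant one-day landing page shares an address with the fluxing domain, which is exactly the kind of link a content-only check would miss.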


If you are an analyst monitoring or investigating threats in your current role, this solution is a must, because it provides a way to detect the evasive nature of today's threats. For intelligence teams it provides the most accurate picture of your attacker on the internet and enriches the other sources of information that you may be using. The solution also comes with an API.

I leave you here some useful links; however, as I mentioned before, I encourage you to visit the PassiveTotal and RiskIQ sites. They also have a YouTube channel.

I recommend watching PassiveTotal Thursdays, which are detailed sessions presenting the solution.

Additional links and references:

Book: Incident Response & Computer Forensics 3rd edition

As part of the training I took this year, GCFA, I was given this book together with the course. Thumbs up for the people at SANS again.

I came across this book long before I attended my GCFA training; however, I never bought it, as I believe I did not see the benefit in it at the time. Today, I can say that this is a must-have book in IR and forensics. It goes from defining the IR process, the common pitfalls and how to avoid them, to deep technical chapters covering threat hunting from the perspective of DFIR. The book is indeed very well built, covering hunting in the three different spheres we can hunt in today, which are network, endpoint and application.



The book is solid in the topics it covers, and the chapters that I believe are most interesting are: 'Investigating Windows Systems', 'Investigating Applications' and 'Malware Triage'.

These three chapters set this book apart from many other incident response books, all of them very solid on topics around incident response and tools, but they fail to explain which artefacts to investigate on Windows systems. This book contains an exhaustive list of artefacts, plus memory forensics and file system analysis.

As a bonus, it also packs a full chapter on how to investigate Mac OS X systems. To sum up, I only see benefits in paying the price of this book if you are into DFIR and threat hunting.




The top 10 Windows log events used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of Windows event IDs for their detection. Another must-read.