Hunting down Threat Infrastructure (2, with PassiveTotal)

It’s been a while since I wrote the first post on threat infrastructure, and I believe it will be beneficial for you to go through it first if you have not done so yet. It sets the context for the issues we are trying to solve here.

The first post explained how attackers bypass security controls and add confusion in order to stay indefinitely within your network and evade detection, using technologies such as DGA, dynamic DNS and fast flux among others.

In this second post I want to focus on two important aspects of fighting back and hunting down your attacker. The first aspect we are going to discuss is what technology is available today to detect the evasion and confusion mechanisms used by attackers. In the second part of the post I will focus on one of the most innovative solutions on the market today for disrupting and researching threat infrastructure.

Starting with the technology available today, we have to talk about passive DNS. Passive DNS is a replication technique invented by Florian Weimer in 2004 in which inter-server DNS messages are captured by sensors and forwarded to a collection point for analysis.

Recursive DNS servers work in such a way that, when they do not have a resolution for the queried domain, they send the query to a root server and follow referrals until they identify the authoritative server that knows the answer. The query is then sent to that authoritative server.


What is the value of Passive DNS?

Passive DNS is an extremely rich data set for threat investigators and analysts monitoring the security perimeter. Among all the clues it uncovers, I will only mention a few, such as:

  • Near real-time detection of DNS resolutions to malicious domains
  • Detection of new domains on the internet, often involved in phishing campaigns and malicious activity
  • Detection of brand impersonation
  • Detection of attacks using techniques such as fast flux and DGA
  • Tracing an attacker’s activity on the internet

To sum up, on a very basic level passive DNS allows the investigator to ascertain the IP addresses a domain is resolving to and the history of these resolutions. It also allows us to discover what domains have been seen on an IP address or range of IP’s.

I do not want to dwell on passive DNS, since it is fairly easy to understand, and I am providing you with some useful resources to dig deeper into the subject.

The most dangerous game: Hunting adversaries across the internet,–Hunting-Adversaries-Across-the-Internet–Kyle-Maxwell-Verisign-iDefense-and-Scott-Roberts-GitHub.pdf

Targeted take-downs: minimizing collateral damage using passive DNS,

Practical use of passive DNS: monitoring for e-crime investigations,

Using passive DNS analysis to automatically detect malicious domains,

Moving into the second part of this article, I want to present a solution that, having tried different passive DNS solutions, I believe is undoubtedly the best of breed. This solution is PassiveTotal.

PassiveTotal is the leading threat infrastructure analysis platform, focused on seamlessly combining data sets and developing innovative solutions that allow analysts to make knowledgeable assessments of domains and IP addresses to quickly and efficiently defend their organizations from malicious actors.

This is their mantra; honestly, it is pretty accurate, and their solution does exactly that. PassiveTotal was acquired by RiskIQ, adding another solution to their already impressive set of cyber security solutions. An excellent decision, looking at the type of problems RiskIQ solves today for its customers in the market.

Now, why this solution? I have tried several solutions in the same space and certainly got disappointed with all of them. The main reasons are the following:

  • Most of them offer you only raw IP-to-domain correlation data
  • Very old data sets; they do not update daily
  • No enrichment with other web data sets
  • Interfaces that are not human friendly, with a lack of correlation and context
  • Lack of domain monitoring capabilities

I use this solution very often to make judgment calls and it makes my life very easy; with 100% certainty it will do the same for you, whether you are sitting at your perimeter monitoring activity or at the endpoint analyzing a company intrusion or threat actor.

Let’s quickly see some of the benefits of using PassiveTotal. One of the first things you can appreciate as soon as you log into the solution is the clear interface and the heat map. The heat map is very clear and offers the analyst a bird’s-eye view of the domain, IP, email or SSL certificate being researched. This will let you get a quick impression.



As you can see, the domain above looks somewhat suspicious, doesn’t it? Of course it is.


Another cool feature is the monitoring option. Do you remember the first post, where I explained how threat infrastructure moves around the internet to avoid detection? Well, this feature allows you to follow exactly these changes. It will send you a notification so you can follow in real time where your attacker’s threat infrastructure is moving to.

Let’s see some of the enrichment features:



The tags provide very rich information and, again at a bird’s-eye view, give you a feeling of the threat you are dealing with. In this case we see a threat related to Exploit Kit and Crimeware; needless to say, the site only resolved to a routable IP once. Isn’t it weird? The OSINT tag above will also provide additional information related to the threat that has been mined using OSINT techniques. It is extremely useful, as many times it provides additional information about the threat related to your investigation.

Need more enrichment? Look at the components, host pairs and hashes tags above.


The components tag provides a very detailed view of the infrastructure used by the attacker. This is especially useful in threat investigation; have you heard about TTP’s?


The host pairs tag provides you with all the relations between your target site and other sites on the internet. They can be a parent–child link or more complex relationships such as content, iframes, etc. Below you have a case study to understand this feature.

There are more features; however, I will not get into all of them. Please refer to their online manual,

What else stands out in this solution? You can basically pivot on any field, such as domains, IP’s, certificates, emails, etc.

Let’s see an example with the Whois:

This pivot shows all the sites registered by the same email address, valuable for your threat investigation? I bet it is.

Lastly, let’s have a quick look at the passive DNS sources. Where are they coming from?




From DomainTools to VirusTotal, Emerging Threats and always-fresh RiskIQ data sets. As you can see, you will not run out of clues with all these data sets from different passive DNS networks.

The solution provides a lot more than what I have shown here; however, I just wanted to provide an overview. Even though today we can count on solutions such as this, I still see people working the old way: VirusTotal for everything. Really? Content analysis sites throw a ton of false positives at you. I have seen VirusTotal showing a site as safe just because it was not online; after checking passive DNS I noticed that the site had only been online for a day. The threat was of course no longer active, and since the site was not active, for VirusTotal it isn’t a threat; but from the perspective of passive DNS it was, and it is probably still inside your organization.

If you are doing threat investigation, I believe the value is shown in this post. You can get a very accurate picture of your attacker’s footprint on the internet.

To start analyzing threats beyond traditional AV and to avoid being fooled by these evasion techniques, you need to take some time, and I highly recommend the RiskIQ and PassiveTotal blogs. If you want to gain experience with these techniques, I also recommend that you start assessing your threats in more detail and start asking yourself basic questions such as:

  • How many IP’s are resolving today to that domain?
  • How many IP’s are resolving to that domain in the last 3 months?
  • What does the Whois information look like?
  • Are there similarities with other previously seen threat infrastructure?
  • Do the IP’s fall in the space of one ISP and 1 or 2 ASN’s?
  • Do the IP’s fall in the space of different ASN’s across the world?


Why these questions?

  • Sites with good reputation do not tend to move IP’s frequently (not always, but it is the norm)
  • Do we have legitimate registration information, or is it obfuscated?
  • Criminals are lazy humans and they tend to redirect, duplicate and copy threat infrastructure. This can be seen in the host pairs tag when you query the domain
  • If the IP’s fall in the space of 1 or 2 ASN’s, we are dealing with a domain that is possibly using dynamic DNS to evade IP blacklisting
  • If the IP’s fall in the space of different ASN’s across the world, we are dealing with a domain that is possibly using DGA to evade domain blacklisting
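As an added example (not the author’s code and not PassiveTotal’s API), the following Python applies the questions and heuristics above to a constructed passive DNS history; the record shape, the domains and the "today" date are assumptions, and the short-lived check mirrors the one-day-online case discussed later in the post.

```python
from datetime import date, timedelta

# Constructed passive DNS history, not PassiveTotal data. Record shape is an
# assumption: (domain, ip, asn, country, first_seen, last_seen).
TODAY = date(2016, 3, 1)  # pinned so the example is reproducible
RECORDS = [
    ("stable-shop.example", "198.51.100.5", 64500, "US", date(2015, 6, 1), TODAY),
    ("dyn-c2.example", "203.0.113.11", 64501, "US", date(2016, 1, 10), date(2016, 1, 20)),
    ("dyn-c2.example", "203.0.113.12", 64501, "US", date(2016, 1, 21), date(2016, 2, 9)),
    ("dyn-c2.example", "203.0.113.40", 64502, "US", date(2016, 2, 10), TODAY),
    ("flux-c2.example", "192.0.2.10", 64510, "RU", date(2016, 2, 25), TODAY),
    ("flux-c2.example", "192.0.2.77", 64511, "BR", date(2016, 2, 26), TODAY),
    ("flux-c2.example", "192.0.2.130", 64512, "IN", date(2016, 2, 27), TODAY),
    ("flux-c2.example", "192.0.2.201", 64513, "DE", date(2016, 2, 28), TODAY),
    ("drive-by.example", "203.0.113.99", 64503, "US", date(2016, 1, 5), date(2016, 1, 5)),
]


def summarize(domain, records=RECORDS, today=TODAY, window_days=90):
    """Answer the post's questions for one domain from its resolution history."""
    rs = [r for r in records if r[0] == domain]
    cutoff = today - timedelta(days=window_days)
    return {
        "ips_today": len({r[1] for r in rs if r[5] >= today}),   # resolving right now
        "ips_window": len({r[1] for r in rs if r[5] >= cutoff}),  # seen in last 3 months
        "asns": len({r[2] for r in rs}),
        "countries": len({r[3] for r in rs}),
        # longest continuous stretch a single IP was seen, in days
        "max_days_online": max(((r[5] - r[4]).days + 1 for r in rs), default=0),
    }


def assess(s):
    """Apply the post's heuristics to a summary; returns analyst observations."""
    notes = []
    if s["ips_window"] > 1 and s["asns"] <= 2:
        notes.append("IP churn within 1-2 ASNs: possible dynamic DNS to evade IP blacklisting")
    if s["asns"] > 2 and s["countries"] > 1:
        notes.append("IPs spread over many ASNs worldwide: possible DGA/fast flux")
    if s["ips_today"] == 0 and 0 < s["max_days_online"] <= 1:
        notes.append("resolved for a single day and now offline: content scanners may call it safe")
    if not notes:
        notes.append("stable resolution history, as expected of a reputable site")
    return notes


if __name__ == "__main__":
    for d in sorted({r[0] for r in RECORDS}):
        print(d, summarize(d), assess(summarize(d)))
```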


If you are an analyst monitoring or investigating threats in your current role, this solution is a must, because it provides a way to detect the evasive nature of today’s threats. For intelligence teams it provides the most accurate picture of your attacker on the internet and enriches other sources of information that you may be using. The solution also comes with an API.

I leave you some useful links here; however, as I mentioned before, I encourage you to visit the PassiveTotal and RiskIQ sites. They also have a YouTube channel,

I recommend watching PassiveTotal Thursdays, which are detailed sessions presenting the solution.

Additional Links and references,
