Challenge: Gathering actionable web content and DNS data at scale
Our customer – a large U.S. retail organization – was facing difficulties scanning and analysing vast amounts of public web content and DNS data, in the hunt for brand impersonation domains and portal spoofing infrastructure.
The company has a global presence in the retail space and is considered a high-value target by APT groups. One such group, FIN7, is known for the sophisticated phishing tactics that we published on this year.
The security team was tasked with using multiple platforms to collect and corroborate data on potential impersonation domains, and was on the lookout for a unified scanning and analysis solution that didn’t require jumping between vendors to validate intelligence as true positive and actionable.
The incumbent solution did not offer high-confidence intel that was easy to access and validated as malicious at the point of collection. The CTI team found themselves wasting time confirming or rejecting indicators in their alert queue, and needed to streamline the whole process so that tooling produced a better ROI and true-positive domains were quicker and easier to find.
Solution: Using Silent Push to reveal brand spoofing infrastructure
Silent Push Web Scanner is a feature of the Community and Enterprise editions that allows users to scan the public web and dark web for infrastructure that shares a set of common characteristics.
From a single origin point (such as a domain, IP address, hash value, or keyword), Web Scanner can be used to quickly reveal linked phishing and spoofing content across 150+ searchable parameters applied to each returned domain and IP, including proprietary values not used by any other vendor, and how that infrastructure has changed over time.

Historic result sets make it easy for teams to establish precisely how an adversary is managing and deploying their infrastructure over time, to evade detection, including:
- Hosting providers
- JavaScript
- On-page content
- Favicon usage
- Domain naming conventions
- HTML data
- Risk scores
Get a live look at how your team can reduce risk, cut tooling costs, and uncover hidden threats with a single query.
Our customer was able to construct a single query that scraped the global IP range for domains attempting to mimic their own legitimate infrastructure, and use the underlying DNS data to traverse across previously unknown hosting clusters to identify domains and IPs engaged in live and historic threat activity.
As well as providing more actionable insight on hidden and known infrastructure targeting the brand and supply chain, Web Scanner allowed the CTI Team to consolidate multiple scanning and analysis tools into one platform, cutting costs, driving productivity, and improving key metrics such as MTTD and MTTR.
Turning an attacker's own tactics against them
Silent Push allows teams to scan for the patterns that emerge as adversaries deploy and manage their infrastructure over time – such as domain naming conventions, hosting changes, how websites are constructed, and how they appear on a screen.
By targeting the underlying TTPs involved in a wider attack campaign, rather than limiting themselves to isolated IOCs that don’t paint the full picture, analysts and threat hunters can gain the context they need to locate any other infrastructure lurking under the surface which shares the same set of characteristics.
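The pivot described here, and the attribute list given earlier on this page (hosting, JavaScript, on-page content, favicon usage, naming conventions), can be illustrated with a small defender-side script. The following is an added example and is not Silent Push's code or tooling: it starts from one suspect domain and finds other scan records that share at least two fingerprint features with it, while skipping the brand's own known-good domains. The brand token `acmeretail`, the `.example` domains, the documentation-range ASNs (AS64496 onwards) and the favicon bytes are all constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    """One scanned host: the fields a web/DNS scan would return (constructed here)."""
    domain: str
    ip: str
    asn: str               # hosting provider, as an AS number
    favicon: bytes         # raw favicon bytes as fetched
    title: str             # <title> text from the landing page
    js_includes: tuple     # external <script src=...> URLs


BRAND = "acmeretail"                      # placeholder brand token
KNOWN_GOOD = {"acmeretail.example"}       # the brand's own legitimate domains


def favicon_hash(data: bytes) -> str:
    """Fingerprint a favicon so identical icons cluster regardless of hostname."""
    return hashlib.sha256(data).hexdigest()[:16]


def naming_matches_brand(domain: str, brand: str = BRAND) -> bool:
    """Does the leftmost label contain the brand token or a simple lookalike of it?"""
    label = domain.split(".")[0].replace("-", "").lower()
    variants = {
        brand,
        brand.replace("l", "1"),      # acmeretai1
        brand.replace("i", "1"),      # acmereta1l
        brand.replace("o", "0"),
    }
    return any(v in label for v in variants)


def shared_features(seed: ScanRecord, other: ScanRecord) -> set:
    """Return the set of fingerprint features `other` shares with the seed."""
    shared = set()
    if seed.asn == other.asn:
        shared.add("hosting")
    if favicon_hash(seed.favicon) == favicon_hash(other.favicon):
        shared.add("favicon")
    if seed.title.strip().lower() == other.title.strip().lower():
        shared.add("title")
    if set(seed.js_includes) & set(other.js_includes):
        shared.add("javascript")
    if naming_matches_brand(other.domain):
        shared.add("naming")
    return shared


def pivot(seed_domain: str, records: list, min_shared: int = 2) -> dict:
    """Map each related domain to the sorted features it shares with the seed.

    A single shared feature (e.g. the same hosting ASN) is weak evidence, so
    the default threshold requires two or more before a domain is reported.
    """
    seed = next(r for r in records if r.domain == seed_domain)
    hits = {}
    for rec in records:
        if rec.domain == seed_domain or rec.domain in KNOWN_GOOD:
            continue
        features = shared_features(seed, rec)
        if len(features) >= min_shared:
            hits[rec.domain] = sorted(features)
    return hits


# Constructed scan results: one confirmed spoof (the seed), the real brand site,
# two further lookalikes, and two unrelated hosts that share a single feature.
KIT = "https://cdn.example/kit.js"
RECORDS = [
    ScanRecord("acmeretai1-login.example", "192.0.2.10", "AS64496", b"FAV-A", "Acme Retail - Sign in", (KIT,)),
    ScanRecord("acmeretail.example", "192.0.2.1", "AS64500", b"FAV-A", "Acme Retail - Sign in", ()),
    ScanRecord("acme-retail-secure.example", "192.0.2.11", "AS64497", b"FAV-A", "Acme Retail - Sign in", ()),
    ScanRecord("acmeretail-rewards.example", "192.0.2.12", "AS64496", b"FAV-C", "Rewards", (KIT,)),
    ScanRecord("unrelatedshop.example", "192.0.2.20", "AS64496", b"FAV-B", "Shop", ()),
    ScanRecord("news-blog.example", "192.0.2.30", "AS64498", b"FAV-A", "Daily News", ()),
]
SEED = "acmeretai1-login.example"

if __name__ == "__main__":
    for domain, features in pivot(SEED, RECORDS).items():
        print(f"{domain}: shares {', '.join(features)}")
```

Running the block reports `acme-retail-secure.example` (same favicon, same title, brand lookalike name) and `acmeretail-rewards.example` (same hosting ASN, same script include, brand token in the name), while `unrelatedshop.example` and `news-blog.example`, which each share only one feature with the seed, stay below the threshold. Raising `min_shared` trades recall for precision; in practice the favicon and script-include matches tend to be the stronger signals, because generic hosting is shared by many unrelated sites.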
All of this is achieved with proprietary data and tooling that simply isn’t available in traditional cybersecurity platforms. It’s taken a lot of work, but the sheer level of discovery speaks for itself.

Web Scanner is powered by parameters and hash values that are unique to Silent Push, all of which allow teams to gather large amounts of information at scale, and cut through the noise to deliver true positive IOFA™ across a security stack, using functionality that isn’t available through any other vendor.
Learn more about our unique approach to preemptive threat intelligence
Find out how Silent Push helps you to locate hidden and known threat infrastructure, and stop digital assaults at the source before they occur with Indicators Of Future Attack (IOFA)™ data.
Contact us here for more information.