Threat feeds provide security teams with an transferable list of domains, IPs and URLs, that can be used to automatically counteract cyber threats, and improve an organization’s situational understanding of an evolving threat landscape.

Think of threat feeds as a live weather reporting system, offering up new information that can help you prepare for a storm that is coming your way, or alerting you to one that is already circling overhead.

Feeds are typically created via open source intelligence streams (often referred to as OSINT), internally by security teams using targeted intelligence, or packaged and sold to organizations by threat intelligence vendors.

Summary

This blog explains the problems faced by security teams when using feed data to detect and counteract threats, before outlining the various feed types on offer as part of a Silent Push Enterprise subscription, and how to use the data to produce actionable intelligence.

To help you understand how we collect and correlate threat data, take a quick look at our blogs on data independence and data enrichment.

Common threat feed problems

Threat feeds are the bread and butter of most security operations, but they come with a series of operational hurdles that need to be overcome before they can be relied upon as accurate and timely sources of intelligence.

1. Inaccurate information

Feed data sometimes suffers from a lack of real-time updates, incorrect information or false positives provided by unknown contributors, that creates noise and consumes resource to convert into actionable intelligence.

This is particularly true of open source intelligence (OSINT) feed data.

2. A record of what HAS happened

Threat feeds that are solely populated with post-breach data are often over valued, and aren’t equipped to provide organizations with a reliable account of pre-weaponized infrastructure.

Just like the punch that a boxer doesn’t see coming, an unknown cyber attack has the potential to cause significantly more damage to an organization than an attack vector that’s already been identified in the wild, and is therefore easier to counteract.

3. Data overload and alert fatigue

Quality of data is king.

It’s possible to have too much threat data, too much context and too many domains and IPs to sift through, using a finite set of analyst resources that’s often stretched across multiple security workflows.

The most effective threat feeds are populated with timely, accurate and reliable indicators that cut through the noise and provide immediately actionable intelligence, without the need for endless pivots to confirm a set of true positives.

Data Independence

Data Independence is the concept of a threat intelligence provider collecting and owning 100% of the data that it delivers to is customers.

Silent Push is wholly data independent, meaning that we are able to add an infinite amount of context to each observable data point contained within the platform.

We don’t rely on third-party collection methods, telco hardware or other security vendors. The DNS and content data that we deliver to our customers is collected, aggregated and scored by us, and us alone, using a proprietary scanning and aggregation engine, and our own query language – SPQL.

We create self-contained searchable spaces across the IPv4, IPv6 and dark web spaces that reduces time to discovery, increases query and scanning flexibility, and doesn’t rely on poorly aggregated OSINT data that isn’t designed to work in harmony with a given UI or API surface.

Silent Push feed types

If you want to make sure that your threat feeds are effective in detecting and protecting against cyber threats, then it’s essential for your security teams to diversify their data sources to improve detection capabilities, and ensure quality of data to be able to preemptively detect attacks before they cause damage.

At Silent Push, we provide this functionality via the console and API, using three feed types:

• IOFA Feeds: Domain, IP and URL Indicators of Future Attack.
• Bulk Data Feeds: Changes and additions across the global IPv4/6 range.
• Custom Feeds: User created feeds populated with organization-specific threat data.

Here’s a run-down of each feed type…

1. Indicator of Future Attack (IOFA) threat feeds

Traditional IOC feeds are legacy intelligence sources that serve to inform security teams of where an attack has been, rather than where it’s coming from.

Indicators of Future Attack (IOFAs) act as preemptive indications of attacker behavior (domain, IP and URL data) and intent​, including pre-weaponized infrastructure.

IOFA feeds are created and maintained by our team of Threat Analysts, meaning they are free of false positives, and only include relevant indicators gathered from research into threat actors, threat campaigns and attack vectors.

The majority of our IOFA feeds are linked to a TLP Amber report: finished intelligence reports containing sequential information on how we conducted our research, the queries, pivots and scans we used, and sensitive data points that we aren’t able to disclose publicly for OPSEC reasons.

Accessing IOFA Feeds

1. Navigate to Data Marketplace → IOFA Feeds
2. Use the menu bar at the top of the screen to search for an existing feed, filter feeds by type or sort them by newest or oldest
3. Select View on a feed card to drill down into the data using the Feed Analytics screen

2. Bulk Data Feeds

Bulk Data Feeds are slightly different to named threat feeds.

Rather than focusing on a specific threat or attack vector, they contain information on important DNS changes and additions across the global IPv4/6 range, that organizations can use to inform their cyber defense operations.

For example, if your organization is being targeted by a threat actor using a specific apex domain string, followed by the same country code top level domain (ccTLD), you can track any additions to that specific ccTLD DNS space, and react accordingly.

Bulk Data Feeds are available for the following DNS data types:

Accessing Bulk Data Feeds

Enterprise users can access Bulk Data Feeds by navigating to Data Marketplace → Bulk Data Feeds.

Use the menu bar to search for an existing feed, filter feeds by type or sort them by newest or oldest:

You can export all the data contained in a Bulk Data Feed as a .txt file by clicking the Download File or Automate Export buttons.

3. Custom threat feeds

Enterprise users are able to create Custom Feeds from organization-specific IOFAs, in three ways:

1. From a file (supported filetypes are CSV, JSON, TXT, STIX)
2. From a URL
3. Starting from scratch with an empty feed

Feeds created from a file can be assigned a vendor name, if applicable, along with a source score that assigns a risk level to the data contained within it.

Adding data to an existing threat feed

New IOFAs can be added to a Custom Feed from various parts of the platform, including:

1. IPv4 Enrichment
2. PADNS Lookup
3. Live Scan

For each of the above options, navigate to the top right of the screen where you will find the Save To button. Select it, and add the indicator to a new or existing feed.

Managing and analyzing feeds

The Threat Intelligence Management menu is designed to allow users to access and manage feeds from one central console.

Viewing a list of feeds in one place

From the Threat Intelligence Management → Feeds menu you’re able to view:

• All Feeds: All feeds that you have access to
• Global Feeds: All feeds accessible to Silent Push Enterprise users
• Organization Feeds: Proprietary feeds related to your organization
• My Feeds: Lists all Custom Feeds created by the user

Viewing threat feed data

To display feed data in Threat Ranking, click the Show on Threat Ranking button.

The Threat Ranking screen contains a list of all feed data that you’ve chosen to display, including enriched data for the displayed domain, or IP address, and risk scores.

Reporting on threat feeds

Understanding the quality and value of your feeds, is important in ensuring you’re making the most out of your intelligence gathering operation.

Navigate to Threat Intelligence Management → Feeds Reports to execute a side-by-side analysis of two or more feeds, including the following categories:

• Frequency (hours): The interval between updates to the feed.
• Accuracy: Based on user feedback regarding the number of false positives contained within the feed.
• False Positive Ratio: The ratio of the number of false positives, in the last 30 days.
• Overlap: The percentage of the feed’s observables that are seen within other feeds/collections.
• Originator: The percentage of firstly reported observables, since the feed/collection was added.

To compare feeds side-by-side, select the check box located on the left of the feed name and click the Compare button, on the top right.

Actioning Silent Push threat feed data

You can use feed data to perform a number of actions, that provide additional context, and convert IOFAs into additional intelligence streams that can be shared among team members.

Pivot on feed data

Feed data can be accessed and expanded in Threat Intelligence Management → Threat Ranking screen.

Left click on a feed name in Feeds, and the data will be displayed on the Threat Ranking screen.

From here, you can expand any indicator by clicking the dropdown arrow to the left of the indicator, and view enriched data across numerous categories, including all associated risk scores, and perform three key pivots:

1. Live Scan: Extract realtime data from a single URL (public or .onion), including a live screenshot
2. Enrich: Deep dive into the indicator and view 90+ enrichment categories
3. Lookup PADNS: Map out associated DNS infrastructure

Exporting feed data

Feed data can be exported and ingested in several ways, depending on your use case:

Downloaded as file

Downloading feed data via the Manual Export button allows you to export feed data as a CSV, JSON, TXT, RPZ or STIX file, for offline analysis or upload into another security product.

Left-click your chosen feed in the Feeds screen, select Download File, and choose your export format.

Downloaded via API URL

You can download feed data via a static API URL.

Select Automate Export, choose your required file type and click the Copy API Endpoint button. This endpoint retrieves a time-limited (3 hours) URL, that you can use to access the data.

Fed into a security stack

Feed data can also be externally fed into your security stack via Python, curl, and PHP.

Click the Automate Export button, and select the cURL, Python or pHp tabs to copy code samples and call it from your desired security tool.

Request a demo

Ready to take a step further and enhance your security operations with preemptive threat intelligence? Request a demo, and get complete access to Silent Push feed data, including all the functionality mentioned in this blog.

You can also access data enrichment and risk scoring by signing up for a Silent Push Community Edition account – a free threat hunting and cyber defense platform that features a range of queries and lookups, including Silent Push Web Scanner and Live Scan.

In cybersecurity terms, Brand Impersonation encompasses a variety of attacks vectors aimed at deceiving users into believing a fraudulent digital asset (usually web content, or an email) is legitimate and trustworthy.

In a typical scenario, a threat actor deploys infrastructure that spoofs a well-known brand’s website, or sends a “branded” email, with the aim of phishing for sensitive information, such as login details or payment card information, or delivering malware via an executable download.

Brand Impersonation isn’t limited to on-page content or one-off emails. Threat actors also spoof individual elements of a website, such as favicons and HTML titles that appear in a browser tab, in an effort to appear legitimate to the untrained eye.

The development of commercially available AI has seen the introduction of new attacker TTPs, such as ‘deepfake’ impersonation, automated reconnaissance of digital brand assets, and dynamic machine learning adaptations to phishing messages that drastically improves spelling and grammar – previously a reliable indication of fraudulent content.

Summary

In this blog, you’ll learn how to execute four powerful Brand Impersonation queries that locate malicious Indicator of Future Attack (IOFA) infrastructure, targeting four distinct areas of your online presence:

1. Domains
2. Favicons
3. Emails
4. HTML titles

New to Silent Push? Download our free Community Edition here and follow along as we guide you through each query.

Each query generates an IOFA results set that allows security teams to track and monitor the underlying infrastructure associated with Brand Impersonation attacks, and prevent further attacks by locating additional infrastructure at source, rather than relying on post-attack intelligence.

Defenders are able to use Silent Push Brand Impersonation IOFAs to construct threat feeds dedicated to multiple apex domains or supply chain domains, ingest data into a security stack via the Silent Push API, and use enriched threat intelligence to automate their pre-breach security posture and IR processes.

Let’s take a look at each query in turn….

1. Domain Brand Impersonation query

The Silent Push Domain Impersonation query is designed to identify ‘typosquatting’ – a TTP that involves a threat actor registering a domain name that’s similar to a well-known brand, and either mispelling it or otherwise obfuscating using a combination of a subdomain and country code top level domain (ccTLD), in an attempt to capture traffic meant for a legitimate website.

From the main Domain Impersonation query screen, you can input a domain or regex – a form of advanced search that looks for specific naming patterns, instead of using whole domain names – and search for impersonating domains with one click.

To narrow the search, the query features an Auto-fill Data button that automatically excludes results hosted on trusted infrastructure (the IP, subnet, nameserver and ASN associated with your legitimate domain). You can also manually include or exclude certain infrastructure.

You can use the First Seen and Last Seen sliders to focus on recent impersonation attempts, or execute a historical interval-based search using Silent Push’s passive DNS records.

Working with Domain Impersonation results

Domain Impersonation results are generated on an Explore screen – the standard output screen for DNS data across Silent Push Enterprise and Community Editions – alongside their associated risk score.

From the Explore screen, you can perform further forward and reverse DNS pivots on any domain or IP address returned, you can enrich any ASN you discover to explore malicious clusters of domains and IPs, and as with any dataset on the Explore screen you can save all or a section of the results to a new or existing feed.

2. Email Brand Impersonation query

Our Email Impersonation feature locates domains that are being used to target organizations through MX record manipulation.

MX (Mail Exchange) records are DNS instructions that dictate which mail server is responsible for receiving emails for a specific domain.

By manipulating these records, attackers can make it appear as though their emails are coming from a legitimate sender’s mail server, despite originating from a malicious source.

The Email Impersonation query returns both mail records and their associated domains that are potentially involved in impersonation attacks against your own infrastructure.

Working with Email Impersonation results

Data is returned across the following categories, along with associated risk scores:

• Query contains the potentially suspect domain
• Answer is the MX record that the domain is pointing to
• MX Hash is a hash value associated with the MX record listed in the Answer column
• WHOIS Created is a timestamp of when the domain in the Query column (and its subdomains) was created
• MX Server Density is the number of domains using the returned mailserver

Results are populated on an Explore screen. You can click any string of blue text to perform additional forward and reverse DNS pivots on domains and MX records, or enrich a piece of data by viewing granular information across 100+ constituent categories.

3. Favicon Brand Impersonation query

Favicons are small images (usually 16×16 pixels), unique to each brand, that appear in browser tabs, address bars, bookmarks and search engine results.

Replicating a brand’s favicon and linking it to a spoofed website is a relatively straightforward task, and threat actors use them to make phishing infrastructure appear legitimate in the eyes of the user, increasing the believability of their scam.

The Silent Push Favicon Impersonation query captures favicon data associated with a trusted domain, and hunts for non-trusted malicious infrastructure using the same favicon image.

Simply enter a domain, and click Search to locate spoofed infrastructure.

Working with Favicon Brand Impersonation results

Favicon Impersonation queries are executed on the back-end using Silent Push Web Scanner.

When a Favicon Impersonation query is run, the platform automates a Web Scanner query that captures the MD5 hash of a domain’s legitimate favicon, and automatically scans for its use across all public-facing non-trusted infrastructure.

Unlike Domain Impersonation and Email Impersonation queries, Favicon Impersonation results are populated using a Web Scanner table, with the following default categories:

• scan_date – Timestamp of when the data was scanned
• origin_url – URL that was originally scanned
• URL – The final destination URL
• hostname – Domain
• favicon_icons – Image displaying the favicon retutned for that result
• favicon_murmur3 – Murmur3 hash (standard favicon)
• favicon2_murmur3 – Murmur3 hash (favicon2)

Web Scanner is powered by SPQL, a free-form query language used to explore all the DNS data and content gathered by our daily scans of the Internet’s IPv4/6 range, and the dark web. SPQL utilizes 100+ data categories, including SSL data, redirects, HTML header data, and body hash values.

Data categories can be added or removed from the Favicon Impersonation results table depending on how much you’d like to know about a returned domain. Simply click the icon next to Basic Raw Data, and select or deselect categories from the list.

To get a comprehensive breakdown of each result, including all relevant SPQL field names associated with the result, click Expand on the far right of the results table.

As with the Explore table used to provide Domain Impersonation and Email Impersonation results, you can pivot on any string of blue text to perform a variety of additional functions and gather more intelligence, including:

• Add a result to a new Web Scanner query
• Perform a Live Scan of a URL
• Add a domain or IP address to a feed
• Enrich a piece of data, or perform a passive DNS lookup

HTML Title Brand Impersonation query

A HTML title is the text string that appears in your browser tab, or a website’s title bar.

As with favicon spoofing, threat actors use HTML titles to make their impersonation infrastructure appear legitimate.

Fake websites masquerading as a well-known brand will often feature what appears to be a legitimate HTML title in their website code, so that casual visitors are fooled into thinking the domain is safe and secure.

To run a query, simply enter a trusted domain and hit Search.

Working with HTML Title Impersonation results

Just like a Favicon Impersonation queries, HTML Title queries use Web Scanner to capture the legitimate domain’s HTML title, and run a query that locates non-trusted domains using the same HTML title.

Results are populated across the following default columns:

• htmltitle – HTML title of the returned result
• scan_date – Timestamp of when the data was scanned
• origin_url – URL that was originally scanned
• URL – The final URL that’s arrived at
• IP – IP address
• hostname – Domain

As with Favicon Impersonation data, the results table can be adjusted according to what you need to know.

You can add data categories that provide more content to each malicious domain returned, expand on each result to get a comprehensive breakdown of a domain’s constituent parts, or pivot across infrastructure using Enrichment and passive DNS lookups.

Monitoring queries

Silent Push allows you to setup Brand Impersonation Monitors that alert you to changes in a given dataset via email, every 24 hours.

To create a Monitor:

1. Select the Monitor button on the top right of the results screen.
2. Enter a Monitor Name and a Description.
3. Click Save.

Monitors can be accessed, edited and deactivated by navigating to Monitors > Monitored Queries.

You can also save your queries for quick access at a later date, or share them across your organization with other team members.

Register for Silent Push Community Edition

You can access all the Brand Impersonation features detailed in this blog using Silent Push Community Edition – a free threat hunting and cyber defense platform used by security teams, researchers and threat hunters across the globe, in a variety of sectors.

Community Edition also features access to Silent Push Web Scanner and Live Scan, along with a variety of powerful DNS lookups, and offensive/defensive tooling.

Sign-up free here.