Time: 23 minutes
Difficulty: Intermediate
CEU/CPE: 1

Video Transcription

00:00
For those of you not familiar with RiskIQ, we are the market leader in attack surface management. Our sole focus for 10 years has been helping companies detect and eliminate threats outside the firewall before they impact their businesses. 40% of the largest financial services, high tech, consumer, healthcare,
00:17
and global brands rely upon RiskIQ to better protect their company,
00:21
brand, and people. And now, let me introduce our speakers today.
00:25
Benjamin Pel is the technical marketing manager at RiskIQ. He's worked in IT for over 30 years, focused on IT security for the last 14 years. Prior to RiskIQ, he was a founding employee at Excel UPS, a SIEM company where he ran professional services and product marketing.
00:42
Benjamin has worked in and managed IT and cybersecurity teams in numerous industries: state government, airport, port district, education, biotech, file encryption software, and financial services.
00:56
Brandon Dixon has spent his career in information security, performing analysis, building tools, and refining processes.
01:03
As VP of Product, he is responsible for managing the direction of all RiskIQ offerings. Prior to RiskIQ, Brandon was a co-founder of PassiveTotal, acquired by RiskIQ, where he led development and product direction.
01:15
Throughout the years, Brandon has developed several public tools, most notably PDF X-RAY and NinjaJobs.
01:23
His research and development on various security topics has gained him accolades from major security vendors and peers in the industry.
01:32
You can register for RiskIQ's free PassiveTotal Community Edition by going to community.riskiq.com/register.
01:42
RiskIQ PassiveTotal expedites investigations by connecting internal activity, event, and incident indicator of compromise (IOC) artifacts to what's happening outside the firewall: external threats, attackers, and their related infrastructure. PassiveTotal simplifies the event investigation process and provides analysts access
02:00
to a consolidated platform of data necessary to accurately understand,
02:05
triage, and address security events.
02:07
In this video, Benjamin and Brandon will be demonstrating advanced threat hunting skills, utilizing RiskIQ PassiveTotal
02:15
and RiskIQ's advanced data sets. You will start off by looking at your own unique, dynamic trackers to identify any threat actor that may be utilizing these by copying your website.
02:29
Let's begin with this exercise; we're calling it Mark of the Web, and our input here is match.com. Now you may be thinking to yourself, match.com is actually a legitimate web page, and this is something that's not malicious. Well, our goal with starting with match.com is to proactively identify some suspicious
02:45
and malicious infrastructure, using some of the newer hunting techniques within the RiskIQ data sets.
02:50
So in terms of objectives, we have two simple ones: which data sets could be helpful in finding malicious infrastructure associated with match.com,
02:59
and, uh, what common techniques are shared amongst them that could allow us to basically identify malicious content in the future.
03:07
What we'll do is we'll summarize these results afterwards.
03:10
Okay, so in this exercise, what we're gonna be doing is we're gonna be playing the role of the owners of match.com. match.com actually owns a significant amount of properties, but what we're interested in doing here is
03:24
not reacting to a situation like we normally find ourselves in. We find a phishing-based website, we look at the information, and we sort of walk back. Instead, we're gonna go a bit more proactive, and what we're trying to do here is essentially start with a web property that we know and, for this case, assume that we manage.
03:44
And what we want to do is look to identify more
03:46
websites or malicious activity that may somehow be linked off our legitimate web property. And so, how might we go about doing this? Well, we're not gonna be looking at the data sets like passive DNS, WHOIS, SSL certificates, or subdomains. But instead we're gonna focus on things
04:03
that are dynamically generated when the page is rendered,
04:06
with these trackers: trackers, host pairs, components. I think for this case, trackers is probably the best avenue to explore because we have a number of very unique items that are associated with our web page content. So when RiskIQ's web crawlers go out to crawl the Internet,
04:24
one of the things that they're doing is they're downloading the entire document object model,
04:29
getting back the entire response body. It's from that information that we're applying a number of rules and other details to be able to extract things like this.
04:35
We have a number of details here, including Google account numbers, Facebook pixel IDs, tracking IDs, Instagram IDs, et cetera. We have 79 opportunities that we could go and explore. So if a threat actor copied your website, they're more likely to copy these trackers as well. Yeah, see, that's the fun part about it is
04:56
we have these unique items because it's our website and we're using it to maybe track statistics on our website, or we're just merely having social media. These things are being identified, but if I'm a malicious actor, I'm looking for the fastest way to
05:13
make myself appear like match.com. And that might involve
05:15
simply copying the web page, and they forget to change these things out.
05:19
So let's pick. Let's pick this Facebook pixel,
05:24
uh, load up the Google Analytics account too.
05:27
Um, is there any other one that you think could be interesting here?
05:30
Instagram IDs. They don't all look completely related.
05:35
Sift Science account ID could be interesting.
05:39
Well, go then.
05:42
Okay, so looking at our first pivot here, we've pivoted on the Facebook pixel ID,
05:46
so I personally am not even sure what a Facebook pixel is. It could just be some sort of thing that we've extracted from the page that's being included, or maybe match.com offers some sort of Facebook login. But in any case, we have 756 web properties that are also linking to the same Facebook pixel ID.
06:05
And if you take a look at some of the names, they look
06:09
typosquat-ish just from the top. Yes, so I mean, we got a couple that may be
06:15
related to match.com properties, like peoplemeet.com. As weird as it sounds, that might be something that match.com owns. Yeah, interracialpeoplemeet. So maybe match.com is going a little step further and trying to kind of register all these different properties. But, yeah, I think you're right. Like if we look
06:33
at some of these here,
06:35
they kind of stick out just a tad; I'm not quite sure that they may be legitimate. Specifically, the one that jumps out to me is the usage of match.com within the longer string within the subdomain, right? So we have this match.com-
06:53
mymatch.pics.extravaganceironworks.com. You see that?
06:58
If that is somehow match.com, I'd probably be surprised. Yeah, maybe it's bringing local ironworkers together, but again, taking some of the techniques that we know, we could actually go and quickly look at this particular domain and look at the results that we have.
07:13
And right away, it's been around for over a year. So we do have some information on it. It does appear to be active, based in the U.S. So it could still be a legitimate property?
07:25
There's a certificate here. Um,
07:28
we're gonna look at this. There's actually a cPanel
07:31
SSL certificate that's associated with this, based out of Houston, Texas.
07:36
So I mean, like, this is so far showing up like it could be legitimate.
07:41
We have a number of other,
07:44
you know, interesting subdomains that are hanging off of this particular property. You know, we can start to dive into a little bit of those,
07:53
but what we see here is some interesting cases where
07:57
there's a Facebook pixel ID, which we originally pivoted on from the Facebook ID, but the Mark of the Web, the Mark of the Web. Yeah, so Mark of the Web, like
08:05
that is supposed to show up. Apparently, it's a
08:09
capability that exists on Windows machines and specifically Internet Explorer, that it indicates
08:16
that the page that was crawled, that we surfaced, had a comment in there that noted the original source. So if you save the website
08:24
and then upload it to another website, that's like a watermark. It's added to the page, and so, like, technically, the malicious actor could have removed this, but for some reason they kept it here. Maybe they didn't even realize that it existed. But what we can tell from that Mark of the Web information is the source host was match.com
08:43
and the specific URL that they were copying off of was the match.com login cache index page.
08:50
Now what that tells me is that maybe
08:52
this particular web page, despite it showing some legitimate characteristics, or ones that kind of look and feel more legitimate, may not actually be.
09:03
Uh, let's go and actually run this in a Google Safe Browsing check
09:09
and identify what they think.
09:13
There's nothing in RiskIQ that told me it was bad, but it doesn't necessarily mean that it's good.
09:18
Oh,
09:18
yeah. So we've run a search for this, and it appears that this website is not safe. It's been set up to track visitors, trick them into downloading dangerous downloads, or putting in personal information.
09:33
So right off the bat, within just one pivot on the Facebook ID, we were able to find something that stuck out a little bit in terms of a web property that may not be legitimate. When we went over to it, it sort of had all the right things: it had a history, it was brought up online, wasn't around long, but it doesn't necessarily
09:52
mean it's bad, and it's had the same IP address the whole time.
09:54
Same IP the whole time. WHOIS was, you know, Domains By Proxy, privacy protected; had an SSL certificate, one that appeared to be valid. We had some subdomains there that were a little strange, but, like, it wasn't completely out of place.
10:11
Uh, and then we had that Mark of the Web source, which, to me, was kind of the kicker.
10:15
You know, there's no reason why match.com should be saving their pages individually in order to do this. Now, is there anything we can do to leverage that Mark of the Web to now find other sites that might be,
10:26
Yeah, that's a great question. So one of the things that we could do at this point is we could continue exploring very quickly some of the other tabs here. But if we wanted to just probe a little bit deeper into that Mark of the Web, we can actually run a pivot on match.com showing up inside of the Mark of the Web sources,
10:45
and what we identify here is 12 other web pages that appear to have copied the match.com web page. Yeah, yeah. So what's really weird to me is, like, we had a bunch of the same subdomains that we saw, lyrics mantra, a couple other web pages that don't appear to make sense,
11:03
but they're using the same sort of technique.
11:05
There's a commonality; I might group those things together. But then we got matching.com.ga. Um,
11:11
this one to me is kind of strange. Delta
11:15
corporal Otto dot com. I don't know what that means, but I mean, very quickly we went from match.com
11:22
to an analytics ID that's legitimate and completely benign, to something that's phishing. These
11:28
now, we opened up a bunch of other things here, too.
11:31
Specifically, Google account number. So let's see. There's that Delta. So we got our, well, that's not Delta, with everything being this 10. Yeah, there's, so you're right. Yeah. So, apart from being copied for Mark of the Web, there's also that overlap again with the Google accounts and Google Analytics. We have our original extravaganceironworks.
11:52
Um, if we continue to go down here, we have other things like Mash Atlanta, MME,
11:58
uh, Paris Institute,
12:01
bigbandsfoundation.org. You know, these may be strange, as these things might be related to match.com, you never know, right? But maybe it's telling a different story as well. Maybe match.com doesn't manage their own Google Analytics and instead uses a marketing firm to do that for them.
12:20
So maybe the marketing firm isn't doing a good job and cutting a unique
12:24
user agent code for each one of them. So it's hard to say. But things definitely stick out here as being weird. Let's pivot over to our other
12:33
source, Sift Science again.
12:35
This is what I would expect to see. A typical
12:37
is you have match.com and you got us.match.com, secure.match.com. That makes sense. They own all of these things.
12:46
So if we could go back to our trackers here on the original match.com query, is there any other information that we might be able to pivot off? Let's say, let's go and look at this Instagram ID and see if we can find anything else.
13:03
So while the results load here: 240 other websites?
13:07
No, this is a case where
13:09
the data is a little weird.
13:13
Let me caveat that comment. This might make sense. Some pages might be referencing the Instagram ID, which is not gonna be as unique, and you would expect that in social media.
13:22
So, as analysts, what we're striving to do here is apply our analytical rigor and make sure that we're looking at the pivots that we make and we're making calculated ones. So the Instagram ID is probably not as useful as, say, the Facebook pixel ID.
13:41
But as the last and final one, we'll take this BlueKai site ID. I don't even know what BlueKai is; some sort of service for targeting.
13:50
And here we have 384 websites. ESPN. There's a bunch of stuff in there: *** boards,
13:58
Buckeye amnesia, and ESPN Tennis Live. So what I think is interesting here is, is BlueKai some sort of like sponsor network? Is it some sort of ad-based network? And what we can do is actually go and just do a quick search, because I'm actually curious now to figure out what this is.
14:16
So some people looking to remove BlueKai.
14:20
Let's go a little bit further in the search:
14:26
Oracle BlueKai.
14:28
So it appears that BlueKai was purchased by Oracle.
14:31
Uh, what is it that we're looking at? BlueKai is the industry's leading cloud-based big data platform that enables companies to personalize online, offline, and mobile marketing campaigns with richer, more actionable information. So this existence seems legitimate, and this feeds into the comment that I made earlier in a case where, uh,
14:52
match.com may actually be taking some of those targeting functions or the advertising functions and placing them into another service. It appears in this particular case that the same person running ESPN's properties is running match. Exactly. Now
15:07
they also might be associated with Disneyland as well. You know, just for a final check over here, this to me, right off the bat, was a little strange, you know, maybe it is real, but I just want to check it while we're looking at it.
15:20
That's, no, it's fine. So as analysts, what we're doing in this particular case, I think this is a testament that shows starting with something that's good, as opposed to reacting, allows us to get more proactive. Now, if you're thinking to yourself, well, how often are new things gonna show up?
15:39
Well, that's where we encourage you to actually use our API or bookmark the actual pages themselves so you can go back and identify new changes that take place. You can bookmark the Mark of the Web and constantly rerun that every time you go in, just to take a look to see if anything pops up. Exactly, and chances are, you know, it's not gonna change that often, but
15:58
it's better than having to proactively wait for someone to tell you that someone is phishing your users and going after their accounts.
16:03
So we think this is a good approach in terms of using our data to surface things that you may not know. And if somebody is copying your web
16:11
pages and posting them someplace else, it's not theirs. They're infringing upon your domain and things like that. Exactly. So you can take whatever recourse that you want to do or you feel is appropriate for your organization.
