Here in the SC Lab we depend on a relatively small suite of tools as our work-horses. These are the tools we use in our daily threat hunting and research for the Threat Hunter blog and they all are SC Lab Approved, our highest rating. Cisco Investigate certainly fits into the work-horse line. We use it, literally, dozens of times daily as we chase down threat sources. We have found it indispensable.
We began with Investigate when it was OpenDNS Investigate. With the acquisition by Cisco it became part of the Umbrella system. It also got some new capabilities that are extremely useful. One of its more useful capabilities is its access to malware on IP/URL/domain targets. For example, if we want to learn about a particular domain – some.domain.com – we can enter that information into Investigate and we get back all of the whois data in significant detail. We also get, in the form of hashes, any malware that is detected on the site. Finally, we get such useful data as DNS queries, distribution of accesses from around the world and links to such important things as its nameservers. This makes a good starting point for threat hunting over the internet.
When we get a suspicious IP address or domain we put it into Investigate. IP addresses give us certain types of data, much of which is available from an in-depth whois. However, it is the enriched data that we find valuable. For example, we see all of the known domains hosted by the IP and, additionally, we see the malicious domains broken out into their own list. If the IP is known to have malware, we may also get hashes of samples of that malware. If there are any special features, we get those too.
Our next step can be one of two things. We can click on a known malicious domain hosted by our IP, in which case we will be taken to an analysis of the domain, or we can click on the ASN of which the IP is a member. Clicking on the ASN takes us to a page that shows the network owners for networks residing in the ASN. Additionally, we get all of the current routes. This is quite valuable because it reveals the domains hosted in the ASN that have exhibited suspicious activity in the past week. Selecting one of those domains drills down further to the domain details.
For starters, we may see that the domain is on the Cisco Umbrella blocklist and what the classifier prediction – e.g., “suspicious” – is. A very useful piece of information is the number of DNS queries made for the domain on a daily basis. A large number of queries indicates a popular site, of course, but more interesting might be when the queries were made. So, these queries tell us something about the frequency of other devices hitting the domain. An example of the usefulness of this is a phishing attack. When did the attacks start? While we can't necessarily see how many victims received phishing emails, we certainly can get an order of magnitude view of when the victims responded to the phish.
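To make the "when did the victims respond" reading concrete, here is an added example (our illustration, not code from Investigate or the SC Lab) that takes a per-day DNS query series for a domain and finds the first day the volume jumps off its quiet baseline, plus the peak day. The daily counts are constructed for a hypothetical phishing domain; the window size and the 10x / 20-query thresholds are our assumptions, chosen so that a single odd day does not register as an onset.

```python
"""Added example (not part of the original review and not Investigate's own
code): locate the onset and peak of a phishing campaign from daily DNS query
counts for a domain. All data below is constructed."""

from statistics import median

# Constructed daily query counts for a hypothetical phishing domain:
# a quiet period after registration, then a burst once victims start clicking.
DAILY_QUERIES = [
    ("2023-03-01", 2), ("2023-03-02", 1), ("2023-03-03", 3), ("2023-03-04", 2),
    ("2023-03-05", 1), ("2023-03-06", 2), ("2023-03-07", 4), ("2023-03-08", 3),
    ("2023-03-09", 57), ("2023-03-10", 212), ("2023-03-11", 340),
    ("2023-03-12", 180), ("2023-03-13", 90), ("2023-03-14", 35),
]


def find_onset(series, baseline_days=7, factor=10, min_abs=20):
    """Return (date, count, baseline) for the first day whose query count is
    at least `factor` times the median of the preceding `baseline_days` and at
    least `min_abs` queries, or None if no day qualifies.

    The median baseline keeps one noisy day from skewing the comparison; the
    absolute floor stops a jump from 1 to 5 queries reading as an attack.
    Thresholds are assumptions for this example."""
    for i in range(baseline_days, len(series)):
        window = [count for _, count in series[i - baseline_days:i]]
        base = median(window)
        date, count = series[i]
        if count >= min_abs and count >= factor * max(base, 1):
            return date, count, base
    return None


def peak_day(series):
    """Day with the most queries: roughly when most victims responded."""
    return max(series, key=lambda day_count: day_count[1])


def order_of_magnitude(count):
    """Bucket a count the way the paragraph reads the graph: tens, hundreds..."""
    names = {0: "ones", 1: "tens", 2: "hundreds", 3: "thousands"}
    return names.get(len(str(count)) - 1, "more than thousands")


if __name__ == "__main__":
    onset = find_onset(DAILY_QUERIES)
    print("campaign onset:", onset)
    date, count = peak_day(DAILY_QUERIES)
    print(f"peak on {date}: {count} queries ({order_of_magnitude(count)})")
```

On the constructed series the onset lands on 2023-03-09 (57 queries against a baseline median of 2) and the peak two days later. With real Investigate data the same logic applies to the per-day query counts you read off the domain page; the caveat is that the count reflects resolvers Umbrella sees, so it is an order-of-magnitude signal, not a victim tally.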
The whois data gives us the usual information, but because everything on Investigate is linked, all we have to do is click on an item of interest – for example the email of the registrant. By clicking on that we can see all of the domains for which they are registrant. If there are malware samples associated with the domain, we'll see that too along with the hashes. Domains are tagged based on the types of malicious activity in which the domain engages. There is an extensive list of features exhibited by the domain – country codes, prefixes, whether or not it is a fast flux candidate and so on. There is a separate list of security features exhibited by the domain. These include a reputation score, for example. There is a DGA (domain generation algorithm) detection. Finally, it lists any IP addresses that the domain resolves to, its name servers, co-occurrences (sites visited just before, during or just after visiting the domain) and related domains.
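Investigate's DGA detection is a black box to us, so as an added example (our own illustrative heuristic, not Investigate's classifier or any SC Lab code) here is the kind of lexical check an analyst can run locally to triage a list of domains before pivoting: entropy of the second-level label, vowel ratio, longest run without a vowel, and digit density. The domains are constructed, the thresholds are assumptions, and the second-level label is taken naively (a real tool would consult the public suffix list).

```python
"""Added example (not from the original review or from Cisco): a simple
lexical DGA-likeness score for triaging domains. Thresholds and sample
domains are constructed for illustration."""

import math
from collections import Counter

VOWELS = set("aeiou")


def sld_label(domain):
    """Naive second-level label: 'xk3q9zr7v2m' for 'xk3q9zr7v2m.net'.
    Assumption: no public-suffix handling (co.uk etc. would need a PSL)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def longest_non_vowel_run(text):
    """Length of the longest stretch of characters that are not vowels."""
    best = run = 0
    for ch in text:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_features(domain):
    label = sld_label(domain)
    length = max(len(label), 1)
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(sum(ch in VOWELS for ch in label) / length, 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in label) / length, 3),
        "max_consonant_run": longest_non_vowel_run(label),
    }


def dga_score(domain):
    """Count how many 'machine-generated' traits the label shows (0-5).
    Cut-offs are assumptions tuned for this example, not a published model."""
    f = dga_features(domain)
    return sum([
        f["entropy"] >= 3.3,
        f["vowel_ratio"] < 0.2,
        f["max_consonant_run"] >= 5,
        f["digit_ratio"] >= 0.25,
        f["length"] >= 12,
    ])


def is_dga_like(domain, threshold=3):
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    # Constructed sample list: three legitimate-looking, two random-looking.
    for d in ["google.com", "scmagazine.com", "microsoft.com",
              "xk3q9zr7v2m.net", "ahdjsklfgrtwq.biz"]:
        print(f"{d:22} score={dga_score(d)} dga_like={is_dga_like(d)}")
```

The score is only a triage aid: dictionary-word DGAs and short random labels slip past lexical features, which is why a reputation source such as Investigate's own detection, fed by actual resolution behaviour, is the better signal. Use the local check to decide which of a few hundred candidate domains are worth the manual pivot first.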
So we can see that there is a lot of information provided by Investigate, all of which helps us start tracking a domain, ASN, IP or registrant quickly and easily. At any point we can take the information on the page and with a single mouse click, cross-check on Google or VirusTotal.
Product: Umbrella Investigate
What it does: Whois on steroids with lots of enrichment data.
What we liked: This is a one-stop starting point for any investigation where you have a hash, IP, domain, URL, ASN or email address of a suspected domain registrant.
The bottom line: We could not do the analyses for the Threat Hunter blog without this tool. We recommend this one regularly. One more year as SC Lab Approved!