Community Blog

threatindexblog.jpg

Faster Threat Hunting with New and Improved Dossier

Dossier is a threat indicator research tool that provides additional information on URLs, domains, and IP addresses by automatically aggregating contextual information from dozens of sources. It empowers threat analysts to obtain a complete view of the relationships and evolution of domains, IPs, and file hashes. Dossier’s rich threat intelligence adds the security context needed to uncover and predict threats and empowers the analysts to make accurate decisions quickly and with greater confidence.

 

While it is a compelling and comprehensive threat investigation platform, overtime we observed typical user behavior and identified the need to further refine the user interface to better align with their day-to-day workflows.

 

The new and improved user interface of Dossier now includes the following:

 

  • Cleaner look: The new Dossier offers a clean and modern design by using newer user interface design patterns which can help the analyst to take a look at huge amounts of information about a threat. For example, the visual interaction of the active indicators is such that it gives a broader view of the different data types.
  • Improved findability: We have also adopted a user-centric approach for enabling the threat analysts to find information and facilitating their decision-making process of taking action about the threat. The related information is better collated and presented in a format that is more rich and holistic to the threat analysts for better investigation. For instance, the timeline has been developed using information from various feeds that Infoblox has access to. If SURBL at some point classified a domain name as a threat, other feeds can classify that domain as malicious at a later time and give an indication of a potential threat to the threat analyst.

 

  • Focus on providing better contextual information: We have also focused on giving richer context where threat analysts can easily identify and recognize threats more intuitively. This means that the information is organized in such a fashion that it follows the natural progression of thinking within threat analysts when they conduct a forensic research of a threat. For instance, the WhoIs information is now on the top of the page rather than on the bottom because that is the first thing a threat analyst would check in their workflow.

 

The above enhancements make it more intuitive to consume large amounts of threat data and context in making informed decisions.

 

Here are examples of some important changes made as part of the redesign:

 

Summary View of Indicator

 

Dossier now has a new section containing a brief overview of the queried domain which provides the threat analyst an ability of prequalifying and prioritizing it for further investigation. It provides consolidated information on various facets of the threat. It includes the subscribed data provider reported on the indicator and when the indicator was 'first reported on' and by which subscribed data provider. It also provides information about when the indicator was 'last reported on' and by which subscribed data provider, whether the indicator is currently active or not, and a ‘Record Contains’ summary of what content is made available for that indicator further down on the details page.

 

Dossier Image 1 - overview section.png

Active Indicators by Data Type

Dossier now has a graph that plots the number of active IPs, hostnames, and URLs during the last 30 days.

Dossier Image 2 -active indicators.png

 

Active Indicators by Threat Class and Property

 

Dosser now lists the number of currently active threat classes and properties.

 

Dossier Image 3 - threat class and property.png

 

 

Timeline

The timeline, another new addition to Dossier, lets you get a sneak peek to the journey of the queried domain. The timeline offers the historical journey of the indicator’s track record and lets the threat analyst view the details organized in a chronological fashion. The details include when the domain was registered / updated / expired, what IP and when the domain last resolved to for hosting history, when the indicator was first and last reported on, by which data provider, and how was it classified.  

 

Dossier Image 4 - timeline.png

Related Domains and Sub Domains with URLs and IPs

Dossier now shows report from various sources about the malicious activity on related domains and subdomains. This works for both URLs and IPs and provides an aggregated view on domains/subdomains and URLs and IPs related to the indicator across multiple sources of data. This includes data found within the ActiveTrust subscription, partner data if subscribed to, PDNS, and from our Malware Analysis sources. Before, the user had to look across the various sources to piece together this information. This fragmentation often lead to this information to be disjointed and difficult to aggregate.

 

Dossier Image 5 - Related DomainsSubdomains.png

 

Dossier Image 6 - Related URLs.png

 

Dossier Image 7 - Related IPs  .png

 

Dossier Image 8 - Domain Info.png

 

Related Contacts and File Samples

Dossier now makes it easy to access the contact information of the registrants of the queried domain. The downloading of the file samples from various samples will also enable the threat analyst to make quick decisions that are more accurate.

 

Dossier Image9 - Related Contacts.png

 

Dossier Image10 - File Samples .png

 

WHOIS Information

Dossier includes WHOIS information which combined with other data and historical patterns can be utilized to provide useful signals about domains shortly after their registration. It contains information such as the name and contact information of the Registrant (who owns the domain), the name of the registrar (the organization that registered the domain name), the registration dates, the most recent update, and the expiration date.  

 

While investigating the threat actors, the threat analyst had to look all the way at the bottom of the page in our older user interface. However now to mimic the real-world workflow of our threat analysts, the WhoIs data is located on the top of the page so that the threat analyst can now easily take a look at the WhoIs information to understand infrastructure and threat actors at the first go.

 

Dossier Image11 - Raw WhoIs.png

Search Trail

Dossier now shows the trail of all the search queries made in a session. You can pivot on any search query in the trail and figure out the relationship between different domains. For instance, in the example below, the threat analyst started with an initial URL and pivoted on various IP address and domains and subdomains while conducting the investigation. The threat analyst can at any time click on any of the chips to go to any of the queries that they had made in the course of the investigation.

 

Dossier Image12 - Search Trail.png

 

Conclusion

New Dossier UI provides cleaner design, more context for threat identification and closer alignment with real-world workflows for threat hunting.  It now provides more context to identify dangerous threats requiring immediate action, and makes it easier to mine data resulting in faster cyber threat investigation.

 

To see it in action, Evaluate ActiveTrust® free for 30 days please click the link below:
 http://info.infoblox.com/resources-evaluations-activetrust-bundles.

Showing results for 
Search instead for 
Do you mean 

FB Live: Why organizations are increasingly consuming security from the cloud