Vertex Intel-Sharing: Sinkhole Infrastructure Research

by thesilence | 2023-08-11


The Vertex Intelligence-Sharing Synapse Instance (the VISI for short) was created by The Vertex Project as a community-oriented research, analysis, and intelligence-sharing effort. The initiative is backed by all of the features and power of the Synapse Enterprise central intelligence system. This means the VISI is a fully collaborative, "living and breathing" view of the collective knowledge of the security community, meant to foster learning, discussion, and consensus, and to improve situational awareness and defense for all.

The VISI will thrive based on the contributions of our community, but is already building a knowledge store based on the automated ingest of public data sources. As of this writing, the platform already contains over 14 million nodes.

The VISI is open to anyone willing to agree to and abide by the Code of Conduct - no secret handshakes, insider cliques, or pay-to-play. You can read more about the VISI, review the Code of Conduct, and request membership here.

While the VISI can be used for a range of research and contributions, we wanted to kick things off with a more focused research project to allow community members to get a feel for the platform and the contribution process. We figured we'd start with something simple (but useful) and ask the community to help identify DNS sinkhole infrastructure.

Why sinkholes?

For research and analysis, it is just as useful to have context around "non-malicious" indicators as it is around malicious ones. Knowing that an IP address is a sinkhole tells you that it's not attacker C2 infrastructure. Knowing that an FQDN is sinkholed tells you that it was deemed malicious at one time, but is no longer under threat actor control. This awareness can help us make decisions regarding alert triage, network defense, and threat clustering.

How can I contribute?

To add and annotate data in the VISI, you need to be a community member with the contributor role. To be granted contributor status, just ask in the #vertex-intel-sharing Slack channel (you will be added when your membership is approved). There are no other requirements!

How can I show that I think something is sinkhole infrastructure?

"Why" you think something is sinkhole infrastructure should be represented through your data and annotations (tags). Things to consider in identifying sinkholes include:

  • Does the IPv4 DNS reverse lookup (PTR record) imply sinkhole status? (Keep in mind that PTR records are not always updated regularly, so you may need additional evidence.)

  • Is the FQDN DNS nameserver (from a domain WHOIS or DNS NS record) a known sinkhole NS?

  • Is the IPv4 used to resolve a large number of DNS A records for FQDNs from many unrelated threat clusters?

  • Does the IPv4 host web content which documents its sinkhole status?

  • Are you (or do you have messages from) the sinkhole owner?

Your work should include "enough" evidence to be convincing / high confidence.
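As an added illustration of how those five criteria combine into a confidence judgement (this is example code written for this post, not code from the original post, from the VISI or from The Vertex Project), the following Python script scores a candidate IPv4 against constructed DNS observations. The weights, the "unrelated clusters" threshold, the score at which it proposes the cno.infra.dns.sink.hole tag, and every name and address are this example's assumptions; note that a PTR hint alone never reaches the threshold, matching the caveat that PTR records go stale.

```python
"""Evidence scoring for candidate sinkhole IPv4 addresses.

Added example (not from the original post, the VISI or The Vertex Project):
the weights, thresholds and all sample data below are constructed assumptions.
"""

# --- Constructed sample observations (placeholder names, RFC 5737 addresses) ---
# (fqdn, ipv4 it resolved to, threat cluster the fqdn was attributed to)
A_RECORDS = [
    ("alpha.example", "192.0.2.10", "cluster-a"),
    ("bravo.example", "192.0.2.10", "cluster-b"),
    ("charlie.example", "192.0.2.10", "cluster-c"),
    ("delta.example", "192.0.2.10", "cluster-d"),
    ("echo.example", "198.51.100.7", "cluster-a"),
    ("foxtrot.example", "198.51.100.7", "cluster-a"),
]
# ipv4 -> PTR record
PTR_RECORDS = {
    "192.0.2.10": "sinkhole-10.research.example",
    "198.51.100.7": "vps-7.hosting.example",
}
# fqdn -> NS records
NS_RECORDS = {
    "alpha.example": ["ns1.sink-ns.example"],
    "bravo.example": ["ns1.sink-ns.example"],
    "echo.example": ["ns1.hosting.example"],
}
# name servers already annotated as sinkhole NS (cno.infra.dns.sink.ns)
KNOWN_SINK_NS = {"ns1.sink-ns.example"}
# ipv4 -> text of a web page retrieved from the host, if any
HOSTED_PAGE = {
    "192.0.2.10": "This system is a DNS sinkhole. Traffic is not malicious.",
}
# ipv4 addresses for which the analyst holds a statement from the sinkhole owner
OWNER_ATTESTED = set()

PTR_HINTS = ("sinkhole", "blackhole")
PAGE_HINTS = ("sinkhole",)
UNRELATED_CLUSTER_MIN = 3  # assumption: >= 3 distinct clusters on one IP is notable
HIGH_CONFIDENCE = 4        # assumption: score at which to propose the sink.hole tag


def score_ipv4(ipv4):
    """Return (score, evidence) for one IPv4 using the five criteria."""
    evidence = []
    score = 0

    # 1. PTR record hints at sinkhole status: weak on its own, PTRs go stale.
    ptr = PTR_RECORDS.get(ipv4, "")
    if any(h in ptr.lower() for h in PTR_HINTS):
        evidence.append(f"PTR {ptr!r} suggests sinkhole (weak)")
        score += 1

    # FQDNs that resolved to this IP, and the clusters those FQDNs belong to
    fqdns = [f for f, ip, _ in A_RECORDS if ip == ipv4]
    clusters = {c for _, ip, c in A_RECORDS if ip == ipv4}

    # 2. A resolved FQDN is served by a known sinkhole name server.
    sink_ns_fqdns = [f for f in fqdns if KNOWN_SINK_NS & set(NS_RECORDS.get(f, []))]
    if sink_ns_fqdns:
        evidence.append(f"{len(sink_ns_fqdns)} FQDN(s) use a known sinkhole NS")
        score += 2

    # 3. A records from many unrelated threat clusters converge on this IP.
    if len(clusters) >= UNRELATED_CLUSTER_MIN:
        evidence.append(
            f"{len(fqdns)} FQDNs from {len(clusters)} unrelated clusters resolve here")
        score += 2

    # 4. The host serves a page documenting its sinkhole status.
    page = HOSTED_PAGE.get(ipv4, "")
    if any(h in page.lower() for h in PAGE_HINTS):
        evidence.append("hosted page documents sinkhole status")
        score += 3

    # 5. A direct statement from the owner.
    if ipv4 in OWNER_ATTESTED:
        evidence.append("owner attestation on file")
        score += 3

    return score, evidence


def classify(ipv4):
    """Tag to propose for the IPv4, or None when the evidence is too thin."""
    score, _ = score_ipv4(ipv4)
    return "cno.infra.dns.sink.hole" if score >= HIGH_CONFIDENCE else None


if __name__ == "__main__":
    for ip in sorted({ip for _, ip, _ in A_RECORDS}):
        score, items = score_ipv4(ip)
        print(f"{ip}: score={score} tag={classify(ip)}")
        for item in items:
            print("   -", item)
```

Run as-is it reports 192.0.2.10 with four pieces of evidence and a proposed tag, and 198.51.100.7 (two FQDNs from a single cluster, ordinary PTR, no page) with none; the evidence list is what you would record alongside the tag so a reviewer can follow the reasoning.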

Tip: You don't necessarily have to find new / unknown infrastructure (though it's great if you can!). If you are able to identify additional sinkholed domains, records, etc. based on what has already been identified in the VISI's data store, that helps the community too!

What is the process for researching and adding sinkhole data?

  1. Review the example sinkhole infrastructure data in the TLP: CLEAR view.

    We've created three sets of sample data, grouped by tag for easy reference (the core tag element shows the essential nodes that make up the example; the more generic tag is used for a slightly broader set of data):

    #story.vtx.sinkhole_1.core / #story.vtx.sinkhole_1

    Example of sinkhole infrastructure identified by a web page hosted on the sinkhole IP.

    #story.vtx.sinkhole_2.core / #story.vtx.sinkhole_2

    Example of sinkhole infrastructure identified by sinkhole-specific name servers and related domain WHOIS data.

    #story.vtx.sinkhole_3.core / #story.vtx.sinkhole_3

    Example of sinkhole infrastructure identified by DNS CNAME redirects.

    A list of the tags used for sinkhole annotation is provided below for reference; you can also view the tags and their definitions in Synapse using the Tag Explorer.

  2. All research should be done in a fork of the appropriate view:

    • TLP: CLEAR

    • TLP: GREEN

    • TLP: AMBER

    • TLP: AMBER+STRICT

    (Hopefully research can be done at the CLEAR level but if you have sinkhole-related information that is TLP-GREEN or higher, use that view.)

    Create a fork of the appropriate view (if you're not familiar with the "fork and merge" workflow, check out our video). We recommend that you name your forked view something intuitive, such as "TLP: CLEAR - thesilence sinkhole research".

    The forked view is a personal "scratch space" for your research. You are admin of your fork, and by default no one can see the data in your fork but you! Research away, test things out, do whatever you like. If you're not happy with how things are going, you can delete the fork (discarding your data) and create a new fork to start again!

  3. Conduct your research! (Some Tips for Getting Started are provided below).

    At any time, you can use the #vertex-intel-sharing Slack channel (or DM) to ask anyone with the reviewer role to look at your view and make suggestions. When your research is complete, a reviewer can merge your analysis into the main view.

    Current reviewers are:

    • reign (Vertex) (Ryann Hallback)

    • savage (Vertex) (Mary Beth Lee)

    • thesilence (Vertex) (Jennifer Kolde)

    • visi (Vertex) (Visi Stark)

    (Over time, we will add more community members as reviewers, as well as the ability to "vote" on merging data.)

    You do not need to use a story tag (as we did for our examples), but if you think it helps better illustrate your research, feel free!

  4. Once your research is merged, celebrate your contribution to the community!

Can I collaborate with others?

Yes! As admin of your forked view, you can add others to the view so you can work together.

  • In the Workspaces Tool, select the VIEWS tab.

  • Select your view from the list on the left (private views will appear at the top).

  • In the View Configuration panel on the right, select the PERMS tab.

  • Use the +Add User or +Add Role buttons to grant access.

Users and roles are given read access by default.

  • Use the edit toggle to allow others to add and modify data and apply tags.

  • Use the admin toggle to allow others to manage the view (delete data or remove tags from the view, manage permissions for the view, or delete the view entirely).

What if I break stuff?

You won't! Or at least you will have to try pretty hard to do so. By working in a forked view, your work is isolated from the VISI's "production" data. Nothing will be added to production unless it is approved by a reviewer. If you "mess up" anything in your forked view, you can simply delete it - problem solved!

Current Tags for Sinkhole Annotation

You can view these tags in Tag Explorer or by running the following query in Storm mode:

syn:tag^=cno.infra.dns.sink

Currently, we use the cno.infra.dns.sink.* tag namespace to annotate various sinkhole-related objects:

  • cno.infra.dns.sink.holed - A domain (zone) that has been sinkholed.

  • cno.infra.dns.sink.hole - Infrastructure used to resolve or redirect sinkholed domains. This includes the IP addresses of sinkhole servers, as well as DNS records (e.g., A, AAAA, CNAME) that resolve or redirect sinkholed domains to sinkhole infrastructure.

  • cno.infra.dns.sink.ns - An FQDN of a name server specifically used to resolve sinkholed domains.

  • cno.infra.dns.sink.reg - A domain WHOIS registration record or related contact data for sinkholed domains.

  • cno.infra.dns.sink.page - A web page hosted on a sinkhole server indicating the host is a sinkhole, or the URL hosting the web page.
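To show how these tag definitions chain together when you expand from infrastructure that is already annotated (the earlier tip about building on what the VISI already holds), here is an added Python example; it is not code from the original post or from The Vertex Project. The node graph and the seed tags are constructed, the propagation rules are this example's own reading of the definitions above (an A record pointing at a sink.hole IP makes the record sink.hole and its zone sink.holed; a CNAME to a sink.holed domain does the same; a zone delegated to a sink.ns name server is sink.holed), and the output it renders uses Storm's [ +#tag ] edit syntax so each derived tag can be reviewed before it is applied.

```python
"""Expand sinkhole annotations from infrastructure already tagged in a view.

Added example, not code from the original post or from The Vertex Project. The
node graph and seed tags are constructed; the propagation rules are this
example's reading of the cno.infra.dns.sink.* definitions.
"""

SINK_HOLE = "cno.infra.dns.sink.hole"    # sinkhole IP or DNS record
SINK_HOLED = "cno.infra.dns.sink.holed"  # sinkholed domain (zone)
SINK_NS = "cno.infra.dns.sink.ns"        # sinkhole-specific name server

# Constructed nodes as (form, value). DNS record values mirror Synapse's
# composite forms: inet:dns:a=(fqdn, ipv4), inet:dns:cname=(fqdn, cname),
# inet:dns:ns=(zone, ns). Names and addresses are placeholders.
NODES = [
    ("inet:ipv4", "192.0.2.10"),
    ("inet:ipv4", "198.51.100.7"),
    ("inet:dns:a", ("alpha.example", "192.0.2.10")),
    ("inet:dns:a", ("bravo.example", "192.0.2.10")),
    ("inet:dns:a", ("echo.example", "198.51.100.7")),
    ("inet:dns:cname", ("charlie.example", "alpha.example")),
    ("inet:dns:cname", ("delta.example", "charlie.example")),  # two-hop chain
    ("inet:dns:ns", ("golf.example", "ns1.sink-ns.example")),
]

# Seed annotations: what reviewers have already merged into the main view.
SEED_TAGS = {
    ("inet:ipv4", "192.0.2.10"): {SINK_HOLE},
    ("inet:fqdn", "ns1.sink-ns.example"): {SINK_NS},
}


def propagate(nodes, seed):
    """Apply the rules until no new tag appears; returns {(form, value): {tags}}."""
    tags = {key: set(val) for key, val in seed.items()}

    def has(form, valu, tag):
        return tag in tags.get((form, valu), set())

    def add(form, valu, tag):
        bucket = tags.setdefault((form, valu), set())
        if tag in bucket:
            return False
        bucket.add(tag)
        return True

    changed = True
    while changed:  # iterate to a fixpoint so CNAME chains of any depth resolve
        changed = False
        for form, valu in nodes:
            if form == "inet:dns:a":
                # A record pointing at sinkhole infra: record is sink.hole, zone is sink.holed
                fqdn, ipv4 = valu
                if has("inet:ipv4", ipv4, SINK_HOLE):
                    changed |= add(form, valu, SINK_HOLE)
                    changed |= add("inet:fqdn", fqdn, SINK_HOLED)
            elif form == "inet:dns:cname":
                # CNAME redirecting to a sinkholed domain is itself sinkhole infra
                fqdn, target = valu
                if has("inet:fqdn", target, SINK_HOLED):
                    changed |= add(form, valu, SINK_HOLE)
                    changed |= add("inet:fqdn", fqdn, SINK_HOLED)
            elif form == "inet:dns:ns":
                # Zone delegated to a known sinkhole name server is sinkholed
                zone, ns = valu
                if has("inet:fqdn", ns, SINK_NS):
                    changed |= add("inet:fqdn", zone, SINK_HOLED)
    return tags


def holed_fqdns(tags):
    """Sorted list of FQDNs that ended up tagged cno.infra.dns.sink.holed."""
    return sorted(valu for (form, valu), t in tags.items()
                  if form == "inet:fqdn" and SINK_HOLED in t)


def to_storm(tags, seed):
    """Render only the newly derived tags as Storm edit queries for review."""
    def literal(valu):
        return f"({valu[0]}, {valu[1]})" if isinstance(valu, tuple) else valu

    lines = []
    for (form, valu), tagset in sorted(tags.items(),
                                       key=lambda kv: (kv[0][0], str(kv[0][1]))):
        for tag in sorted(tagset - seed.get((form, valu), set())):
            lines.append(f"{form}={literal(valu)} [ +#{tag} ]")
    return lines


if __name__ == "__main__":
    derived = propagate(NODES, SEED_TAGS)
    print("\n".join(to_storm(derived, SEED_TAGS)))
```

With the constructed graph, five zones come out tagged sink.holed (two via A records to the seeded IP, two via the CNAME chain, one via the seeded name server) while echo.example, which resolves to an untagged IP, stays untagged; the rendered Storm edits are the list you would walk through in your forked view before asking a reviewer to merge.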

Tips for Getting Started

Look Up or Add Data

Sinkhole research often starts from FQDNs or IP addresses. You can look up or add FQDNs and IPs to Synapse using the Storm query bar.

Use Power-Ups for Enrichment

Domain registration (WHOIS) and DNS records can be useful for identifying sinkhole infrastructure (but use any data / data source you find helpful). The VISI includes many of Synapse's Power-Ups, and many Power-Ups can be used to automatically retrieve this data and add it to Synapse.

Note that when you run a Power-Up, Synapse retrieves the available data but doesn't "show" it to you by default; you will still see your "original" nodes. You will need to use the Explore button (or a Storm query) to navigate to the associated data.

Tip: Help on using individual Power-Ups can be found in the Help Tool. Many Power-Ups can be easily run by right-clicking a node (such as an FQDN) and selecting the appropriate option from the context menu (under the actions > sub-menu). You can always access the full capabilities of the Power-Up by running the associated Storm command.

Some Power-ups that may be useful include:

  • synapse-nettools - perform live DNS and WHOIS lookups for FQDNs and IPv4 / IPv6 addresses. To access the Power-Up:

    • Use the right-click context menu options under actions > synapse-nettools.

    • Use the associated Storm commands in a query. For example:

      Perform a live DNS A lookup (the default for the nettools.dns command when run on FQDNs) on the FQDN vertex.link:

      inet:fqdn=vertex.link | nettools.dns
      

      Perform a live DNS lookup on the FQDN vertex.link for the specified DNS types:

      inet:fqdn=vertex.link | nettools.dns --type A AAAA CNAME NS
      

      Perform a live WHOIS lookup on the FQDN vertex.link:

      inet:fqdn=vertex.link | nettools.whois
      

      Perform a live DNS PTR lookup (the default for the nettools.dns command when run on IPv4s) on the IPv4 8.8.8.8:

      inet:ipv4=8.8.8.8 | nettools.dns
      

      Perform a live WHOIS (netblock registration data) lookup on the IPv4 8.8.8.8:

      inet:ipv4=8.8.8.8 | nettools.whois
      

      Perform a live WHOIS (netblock registration data) lookup on the listed IPv6:

      inet:ipv6=6:6:552b:157a:fb61:858a:5891:27a | nettools.whois
      
  • synapse-maxmind - retrieve Autonomous System (AS) and geolocation information on IPv4 / IPv6 addresses from the Maxmind database. To use the Power-Up:

    • Use the right-click context menu option under actions > synapse-maxmind > maxmind.

    • Use the associated Storm commands in a query. For example:

      Perform a Maxmind lookup on IPv4 8.8.8.8:

      inet:ipv4=8.8.8.8 | maxmind
      

      Perform a Maxmind lookup on the listed IPv6:

      inet:ipv6=6:6:552b:157a:fb61:858a:5891:27a | maxmind
      

Tip: Some Synapse Power-Ups require API keys (free or paid); The Vertex Project does not provide these. If a Power-Up requires a key and none is available, you will get an error message. You are free to obtain and configure your own keys for use on the VISI. See the Power-Up Help for individual Power-Ups for instructions on adding a key; use the --self option to add a key for personal use.