How do you know if your supplier, customer, partner, member or subsidiary is in cyber trouble? Is your organization at business risk due to unreported cyber threats? What about your subsidiary locations, members or suppliers? Can they recover from the losses caused by a business interruption, financial loss or ransomware? The service notifies you of any threats affecting your enrolled named entities, in any industry segment.
If your IP address is found in the botnet tracker collection, it means that it was seen communicating with a malicious endpoint. This does not automatically indicate a malware infection, as there are a number of reasons why two IP addresses might communicate. The traffic should first be inspected before escalating to incident responders.
A keylogger hit means your domain or IP address appeared in a keylogger output file. This would mean one of the following things: 1) Keylogger malware is running on your network. 2) A username and password belonging to an employee was captured by a keylogger. 3) An email address was observed in clipboard data on an infected computer, for example because somebody cut and pasted an email address belonging to your organization. The raw source data must first be investigated to determine the course of action.
If your domain or IP address shows up in this collection, it means it was observed in the header of an email that has been identified as malicious (one or more AV detections). The raw email should be inspected to see whether it was sent to or from your organization, or whether it was spoofed using your organization's data. It should be noted that some AV vendors classify emails as malicious when they are actually benign. Malicious email hits only indicate targeting, not malware infections.
A pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each pastebin hit must be individually analyzed to determine context.
A sinkhole hit means your IP was observed in weblogs from our sinkhole server. Similar to the botnet_tracker hits, it only means that communication was observed. The nature of that communication needs to be determined from the raw sinkhole record. If the sinkhole hit is a result of a malware infection, then the information should be referred to incident responders.
Breach data hits are from public database leaks. Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information. RedXray contains the raw breach data so you can easily see what type of data has been exposed. If the breach data contains passwords then Wapack Labs recommends enforcing a password reset and investigating whether there has been unauthorized access of the account.
Threat recon consists of both primary sourced indicators and open sourced indicators from dozens of sources. Each hit from this collection should be individually analyzed as each source has different context. Threat recon records contain references to the original source.
I received a sinkhole and/or botnet hit. What do I need to do?
There may be a legitimate reason for a sinkhole or botnet hit, for example somebody sandboxing malware or a researcher investigating an IP address. So first try to determine if the traffic is legitimate. If it’s not, then reference any logs that can provide additional information, such as packet capture, netflow, weblogs, or system logs.
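One way to run that first pass, as an added example that is not part of the original page or the service's own tooling: it matches a sinkhole hit against flow records and separates hosts where such traffic is expected from hosts to escalate. The hit fields, the CSV flow layout, the addresses, the sandbox subnet and the 15-minute window are all constructed assumptions.

```python
import csv
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data; the field layout is assumed, not the service's export format.
HIT = {"collection": "sinkhole", "sinkhole_ip": "203.0.113.50",
       "seen": "2024-03-05T14:02:11"}
# Sources where contact with malicious endpoints is expected (sandbox, researcher subnet).
EXPECTED_SOURCES = [ip_network("10.20.30.0/28")]
# Flow records: timestamp, internal source, destination, destination port.
FLOWS = """\
2024-03-05T13:58:40,10.20.30.5,203.0.113.50,80
2024-03-05T14:02:09,10.1.4.77,203.0.113.50,80
2024-03-05T14:02:10,10.1.4.77,198.51.100.9,443
2024-03-04T09:15:00,10.1.8.12,203.0.113.50,80
not,a,valid,row
"""

def triage(hit, flow_text, expected, window_minutes=15):
    """Return {internal_ip: 'expected' | 'escalate'} for flows matching the hit."""
    seen = datetime.fromisoformat(hit["seen"])
    window = timedelta(minutes=window_minutes)
    target = ip_address(hit["sinkhole_ip"])
    verdicts = {}
    for row in csv.reader(flow_text.splitlines()):
        try:
            ts = datetime.fromisoformat(row[0])
            src, dst = ip_address(row[1]), ip_address(row[2])
        except (ValueError, IndexError):
            continue  # skip malformed records instead of aborting triage
        # Keep only flows to the sinkhole that fall close to the reported time.
        if dst != target or abs(ts - seen) > window:
            continue
        is_expected = any(src in net for net in expected)
        verdicts[str(src)] = "expected" if is_expected else "escalate"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(triage(HIT, FLOWS, EXPECTED_SOURCES).items()):
        print(host, verdict)
```

Hosts marked "escalate" are the ones whose packet capture, weblogs or system logs are worth pulling next.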
I received a keylogger hit. What do I need to do?
First you need to determine if the keylogger is running on your network. The keylogger data will list the IP address of the infected system. If the keylogger is not running on your network then you’ll need to identify the user whose data was compromised and inform them that they may have malware on their home computer. If the keylogger hit is for a system belonging to your organization, you must then determine if there has been unauthorized access using the compromised account. Password resets should also be enforced for any account listed in keylogger outputs.
I received a Pastebin hit. What do I need to do?
Pastebin hits can be any number of things from open source data, to lists of domains and IP addresses, to doxes (PII posted with malicious intent). You must first examine the raw paste in order to determine if it is something that should be addressed. In many cases, Pastebin hits are benign.
I received a Threat Recon hit. What do I need to do?
Threat Recon hits can be any number of things. It’s possible, however, that the hit may be from a phishing campaign that was observed by Wapack Labs. If this is the case, then you must determine if your organization was affected by the campaign by inspecting web logs.