Back from FiRST Berlin, discover CIRCL Passive SSL

Hello Security Ninjas,

recently Splunk took part in the FIRST 2015 conference, a conference dedicated to CERTs, Incident Responders and Security Teams. Many of the attendees shared with us that they are using Splunk regularly for security use cases and this is great to hear!

One of the notable presentations was from Alexandre Dulaunoy from the CIRCL (Computer Incident Response Center Luxembourg) and Eireann Leverett from the Cambridge Centre for Risk Studies.

Security analysts across the world are nowadays familiar with the Passive DNS technique that allows DNS information to be collected passively, just by listening to DNS requests in and out of a network. The idea Alexandre and Eireann came up with was to apply similar techniques to SSL/TLS certificates so they can keep track of certificates and their association over time.


What is the challenge for security analysts?

Alexandre and Eireann explained that it’s often hard for security analysts to find owners of IP addresses or detect the usage of CIDR blocks. Additionally, identifying vulnerable systems passively without intrusive scanning is hard and almost required to efficiently identify systems after a certificate has been compromised.

How to overcome the challenge?

SSL certificates often have very detailed descriptions, for example the owner of the service, and from this you can find out who is the right organization to contact/inform. During their presentation, Alexandre and Eireann mentioned the case of the malware Dyre. They explained that starting with IP addresses contacted by the malware (C&C), they observed that different IPs where using the very same self-signed certificate. In that case, before spreading, the malware owner(s) compromised domestic routers and transformed them as SSL proxy for the malware.

Here’s an example from the CIRCL presentation that shows detailed certificate information.

Security Perspective of X.509 Certificates

Where to get the information from IP to SSL Certificate mapping?

To avoid everyone scanning the whole IPv4 address range and creating their own large database of certificates, the CIRCL offers access via a REST-API to their database, which keeps a history of X.509 certificates seen per IP address. The service is called CIRCL Passive SSL and it except as input an IP address or a CIDR block and return the corresponding certificates.

How to integrate in Splunk?

Our Security Practice Team at Splunk decided to pick this topic up and created for the community a free integration into Splunk. You can download and use the “Passive SSL” App from Splunkbase. That app gives you additional context to a given public IP address or a CIDR block during your investigation and allows you to identify the system owner faster or perform further correlations based on certificate information.

Happy Splunking,