When browsing the web, SSL certificates are everywhere. You may only associate them with the small locks inside of your browser bar, but beyond securing your data, certificates are a great way for analysts to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, meaning we can easily associate a certificate to an IP address hosting it on a regular basis.
Much like a WHOIS record, SSL certificates require information to be supplied by the user in order to generate the final product. Aside from the domain the certificate is being created for (unless self-signed), any of the additional information can be made up by the user. As analysts, where we see the most value from SSL certificates is not necessarily the unique data someone may use when generating the certificate, but where it is hosted.
In order to access an SSL certificate, it needs to be associated with a web server and exposed through a particular port (most often 443). Using mass Internet scans on a weekly basis, it's possible to scan all IP addresses and obtain any certificate being hosted in order to build a historic repository of certificate data. Having a database of IP addresses to SSL certificate mappings provides analysts with a way to identify overlap in infrastructure.
To further illustrate this concept, imagine an actor has set up a server with a self-signed SSL certificate. After several days, defenders become wise to their infrastructure and block the web server hosting malicious content. Instead of destroying all their hard work, the actor merely copies all the contents (including the SSL certificate) and places them on a new server. As an analyst, a connection can now be made using the unique SHA-1 value of the certificate to say that both web servers (one blocked, one unknown) are connected in some way.
What makes SSL certificates more valuable is that they are capable of making connections that passive DNS or WHOIS data may miss. This means more ways of correlating potentially malicious infrastructure and identifying operational security failures by actors. PassiveTotal has collected over 30 million certificates from 2013 until the present day and provides analysts with the tools to make correlations on certificate content and history.
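The scenario above (a self-signed certificate copied from a blocked host to a new one) can be followed end to end with a small fingerprint index. The code below is an added example, not PassiveTotal's or RiskIQ's own code: the scan records, IP addresses, dates and PEM bodies are all constructed, and the PEM bodies are base64 of made-up bytes standing in for real DER-encoded certificates.

```python
import base64
import hashlib
import ssl
from collections import defaultdict
from datetime import date

# Constructed stand-in for a scanner's PEM output: base64 of made-up bytes,
# not a real certificate. Only the bytes matter for fingerprinting.
def _fake_pem(seed: bytes) -> str:
    body = base64.b64encode(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CERT_ACTOR = _fake_pem(b"self-signed-actor-cert")   # constructed
CERT_OTHER = _fake_pem(b"unrelated-hosting-cert")   # constructed

# Constructed weekly scan observations: (ip, port, scan_date, PEM cert).
# The actor's cert appears on one host, then on a different host a week later.
SCANS = [
    ("203.0.113.10", 443, date(2016, 3, 7), CERT_ACTOR),
    ("203.0.113.10", 443, date(2016, 3, 14), CERT_ACTOR),
    ("198.51.100.5", 443, date(2016, 3, 14), CERT_OTHER),
    ("198.51.100.77", 8443, date(2016, 3, 21), CERT_ACTOR),  # same cert, new host
]

def fingerprint(pem: str) -> str:
    """Certificate fingerprint: SHA-1 over the DER encoding, as in the text."""
    der = ssl.PEM_cert_to_DER_cert(pem)   # strips PEM armour, base64-decodes
    return hashlib.sha1(der).hexdigest()

def build_index(scans):
    """fingerprint -> {ip: (first_seen, last_seen)} from scan observations."""
    index = defaultdict(dict)
    for ip, _port, seen, pem in scans:
        fp = fingerprint(pem)
        first, last = index[fp].get(ip, (seen, seen))
        index[fp][ip] = (min(first, seen), max(last, seen))
    return index

def related_ips(index, known_ip: str):
    """Pivot from a known (e.g. blocked) IP to other IPs that served the same
    certificate. A fingerprint seen on very many IPs (shared hosting, CDN)
    is a weak pivot, so the prevalence is returned alongside each hit."""
    hits = {}
    for fp, hosts in index.items():
        if known_ip in hosts:
            for ip in hosts:
                if ip != known_ip:
                    hits[ip] = (fp, len(hosts))   # (shared cert, prevalence)
    return hits
```

`related_ips(build_index(SCANS), "203.0.113.10")` returns only the new host, together with the shared fingerprint and the number of IPs it was seen on.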
A quick overview can be found on our RiskIQ YouTube channel.
A detailed walkthrough of how analysts can use SSL certificates in their analysis can be found on our RiskIQ blog.