It seems a CA may have issued duplicate certs for a GitHub domain:
http://thehackernews.com/2016/08/github-ssl-certificate.html
Could SA NetWitness help determine whether any certificates were signed by the potentially offending CA, and whether this could impact your organization?
Let's see ...
After enabling full indexing on the appropriate ssl.* meta keys, as described in this post:
https://community.rsa.com/community/products/netwitness/blog/2016/08/30/ssl-and-netwitness
you could search for the CA name (in this case WoSign):
ssl.ca = 'WoSign'
Or, if the CA name isn't exactly WoSign, we could use this query to locate similar names and then tune the drill appropriately:
ssl.ca contains 'WoSign'
You could then see all the domains (alias.host) for which the certificate was used in the communication and check whether you might be affected. You might also want to focus on outbound traffic: your users connecting to a GitHub domain with a cert signed by WoSign could be something to investigate.
From what I can see with my browser, DigiCert should be the CA for GitHub.
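The triage described above, as an added Python example that is not part of the original post or of NetWitness: it assumes the alias.host, ssl.ca and direction values of the matching sessions were exported to CSV with those column names, and the watched GitHub suffixes and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Assumptions for this example, not values taken from a real environment.
WATCHED_SUFFIXES = ("github.com", "github.io")  # domains to check
EXPECTED_CA = "digicert"  # the post expects DigiCert as the CA for GitHub
SUSPECT_CA = "wosign"     # same substring as: ssl.ca contains 'WoSign'

# Constructed sample export; columns are named after the meta keys.
SAMPLE_EXPORT = """\
alias.host,ssl.ca,direction
github.com,DigiCert SHA2 Extended Validation Server CA,outbound
api.github.com,digicert sha2 high assurance server ca,outbound
example-user.github.io,WoSign CA Free SSL Certificate G2,outbound
GitHub.com.,wosign ca limited,outbound
notgithub.com,WoSign CA Free SSL Certificate G2,outbound
github.com,Some Other CA,inbound
www.example.org,WoSign CA Free SSL Certificate G2,outbound
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def normalize_host(host):
    return host.strip().lower().rstrip(".")

def is_watched(host, suffixes=WATCHED_SUFFIXES):
    # Match on a label boundary so notgithub.com is not taken for github.com.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def find_unexpected_issuers(rows, outbound_only=True):
    """Return {host: [(verdict, ssl.ca), ...]} for watched hosts."""
    findings = defaultdict(set)
    for row in rows:
        host = normalize_host(row["alias.host"])
        ca = row["ssl.ca"].strip()
        if outbound_only and row["direction"].strip().lower() != "outbound":
            continue
        if not is_watched(host):
            continue
        if SUSPECT_CA in ca.lower():
            findings[host].add(("suspect", ca))
        elif EXPECTED_CA not in ca.lower():
            findings[host].add(("unexpected", ca))
    return {h: sorted(v) for h, v in findings.items()}

if __name__ == "__main__":
    for host, hits in sorted(find_unexpected_issuers(load_rows(SAMPLE_EXPORT)).items()):
        print(host, hits)
```

Hosts reported as "unexpected" carry a CA that is neither the suspect one nor the expected one, which is worth a look for the same reason.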
Taking this one step further, I also found that a new function has been spun up to track how many certs have been created for each domain. Why not create a context menu plugin for RSA NW that queries one of these certificate transparency sites, so that analysts can get additional details about the domain and its certs without sharepoint + copy + paste + copy + paste?
So here is the context menu item, which works on the ssl.ca, ssl.subject and alias.host meta keys:
{
  "displayName": "Google SSL Cert Transparency Check",
  "cssClasses": [
    "ssl.ca",
    "ssl-ca",
    "ssl.subject",
    "ssl-subject",
    "alias.host",
    "alias-host"
  ],
  "description": "",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "1",
  "modules": [
    "investigation"
  ],
  "local": "false",
  "groupName": "externalLookupGroup",
  "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true",
  "disabled": "",
  "id": "GoogleSSLCERTCHECK",
  "moduleClasses": [
    "UAP.investigation.navigate.view.NavigationPanel",
    "UAP.investigation.events.view.EventGrid"
  ],
  "openInNewTab": "true",
  "order": ""
}