Most campaigns reveal themselves before payloads ever land—through the infrastructure they stand up. Two high-signal, low-friction data sources—Certificate Transparency (CT) logs and passive DNS—can give analysts days or weeks of early warning without relying on sensitive tradecraft. Here’s a practical approach any SOC or case team can apply.

Why CT + Passive DNS?

  • CT logs expose newly issued TLS certificates in near-real time. Attackers often mint certs for phishing domains, staging servers, or C2.
  • Passive DNS shows historical and current resolutions (domain↔IP, subdomain sprawl), revealing clustering and reuse.

Correlating the two lets you spot naming patterns, cert reuse, and hosting choices that tie “new” domains to known clusters—well before widespread reporting or blocklists catch up.

Step 1: Define Simple, Safe Patterns

Start with benign heuristics that have high signal and low false positives:

  • Keyword blends attackers favor (brand lookalikes, login/help/verify/pay) combined with recent CT issuance.
  • Issuer/Subject anomalies (self-signed lookalikes, odd org/unit strings) that don’t match your brand’s profile.
  • Cert reuse (same SHA-256 fingerprint across multiple domains) indicating a single operator’s cluster.
  • Subdomain bursts (dozens spun up within hours) suggesting kit deployment.

Keep patterns generic and non-brand-specific if you’re publishing broadly. Tweak privately for your own brands, suppliers, or vertical.

Step 2: Correlate with Passive DNS

For any interesting cert or domain:

  • Pivot out to related domains that share the same IP, ASN, or cert fingerprint.
  • Identify subdomain sprawl under suspicious parents (e.g., mail-verify, auth-login, cdn-assets).
  • Track IP hopping within the same VPS/ASN ranges; stable providers often signal operator preference.

This turns one “maybe” into a candidate cluster you can watch or act on.

Step 3: Score Risk (Keep It Transparent)

Use a lightweight score so decisions are explainable:

  • Freshness (0–2): issued/seen in last 72 hours
  • Pattern match (0–3): lookalike keywords, odd subject fields, subdomain bursts
  • Linkage (0–3): cert reuse, shared ASN/VPS, shared IPs with known-bad infrastructure
  • Exposure (0–2): internet-facing login pages, active MX, or open services

Treat clusters ≥6/10 as monitor/contain; ≥8/10 as block/hunt (adjust to your risk appetite).
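The scoring rubric above as a small, runnable example (added here, not code from the original post). It encodes the four bands and the 6/10 and 8/10 thresholds, and also applies the "two independent linkages before blocking" rule from the pitfalls section; the keyword list, the 24h/72h freshness split, the Candidate fields and the sample domains are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Generic (non-brand) lookalike keywords in the spirit of the post; the exact list is an assumption.
LOOKALIKE_WORDS = {"login", "verify", "help", "pay", "auth", "secure"}

@dataclass
class Candidate:
    domain: str
    cert_seen: datetime        # CT issuance / first-seen timestamp
    subject_anomaly: bool      # odd org/unit strings vs. the brand profile
    subdomain_burst: bool      # dozens of subdomains within hours
    cert_reuse: bool           # same SHA-256 fingerprint on other domains
    shared_asn: bool           # same VPS/ASN as a live cluster
    shared_ip_known_bad: bool  # resolves to an IP already tied to known-bad infrastructure
    exposed_login: bool        # internet-facing login page
    active_mx: bool            # live MX record

def freshness(c: Candidate, now: datetime) -> int:
    # 0-2: assumed split, 2 if seen within 24h, 1 if within 72h, else 0
    age = now - c.cert_seen
    return 2 if age <= timedelta(hours=24) else 1 if age <= timedelta(hours=72) else 0

def pattern(c: Candidate) -> int:
    # 0-3: lookalike keyword in any label, odd subject fields, subdomain burst
    labels = set(c.domain.replace(".", "-").split("-"))
    return int(bool(labels & LOOKALIKE_WORDS)) + int(c.subject_anomaly) + int(c.subdomain_burst)

def linkage(c: Candidate) -> int:
    # 0-3: cert reuse, shared ASN/VPS, shared IP with known bad
    return int(c.cert_reuse) + int(c.shared_asn) + int(c.shared_ip_known_bad)

def exposure(c: Candidate) -> int:
    # 0-2: exposed login page, active MX
    return int(c.exposed_login) + int(c.active_mx)

def score(c: Candidate, now: datetime) -> tuple[int, str, dict]:
    """Return (total out of 10, verdict, per-factor breakdown) so the decision stays explainable."""
    factors = {"freshness": freshness(c, now), "pattern": pattern(c),
               "linkage": linkage(c), "exposure": exposure(c)}
    total = sum(factors.values())
    # Thresholds from the post; block/hunt additionally requires two independent linkages.
    if total >= 8 and factors["linkage"] >= 2:
        verdict = "block/hunt"
    elif total >= 6:
        verdict = "monitor/contain"
    else:
        verdict = "watch"
    return total, verdict, factors

# Constructed sample candidates (not real observations); fixed clock so results are reproducible.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLES = [
    Candidate("auth-login.example-brand.test", NOW - timedelta(hours=6), True, True, True, True, False, True, False),
    Candidate("cdn-assets.example-host.test", NOW - timedelta(days=5), False, False, False, True, False, False, True),
]

if __name__ == "__main__":
    for c in SAMPLES:
        total, verdict, factors = score(c, NOW)
        print(f"{c.domain}: {total}/10 -> {verdict} {factors}")
```

Swap the hard-coded Candidate fields for values pulled from your CT and passive DNS feeds; the breakdown dict is what you attach to the block or hunt ticket.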

Step 4: Turn Signals into Action

For enterprises/SOCs

  • Pre-block lists: temporarily filter high-risk domains/ASNs from egress, email, or proxy layers (with review windows).
  • Hunts: search DNS/TLS/SNI logs for first-seen contact to cluster IPs; look for identity anomalies (new sessions right after contact).
  • Detections: alert on connections to domains sharing a cert fingerprint with a live cluster; add decay timers to auto-expire stale items.

For gov/LE teams

  • Prioritize providers: rank VPS/ASN hubs that repeatedly host high-risk clusters; consider outreach or disruption leads via proper channels.
  • Victim notifications: if a burst matches a known targeting pattern, notify likely victims through established processes.

Step 5: Decay and Review (Avoid Stale Lists)

Infrastructure is ephemeral. Add time-to-live (TTL) to domains, IPs, and certs:

  • Domains: 14–21 days
  • Cert fingerprints: 60–90 days
  • ASN/provider flags: 90–120 days (unless corroborated by multiple clusters)

Re-score weekly; archive items that go quiet.

What “Good” Looks Like

  • Explainable decisions: each block/hunt references clear factors (fresh CT + cert reuse + shared ASN).
  • Low analyst friction: queries and watchlists are simple; no manual reverse-engineering needed.
  • Measurable outcomes: fewer successful callbacks to new C2, earlier phishing blocks, faster case triage on emerging clusters.

Common Pitfalls (and Fixes)

  • Over-blocking on single signals: require at least two independent linkages (e.g., cert reuse and ASN clustering).
  • Ignoring decay: stale domains inflate noise—enforce TTLs.
  • Brand-overfit rules: generic patterns travel better; keep sensitive brand logic in your private rules.
  • No feedback loop: tag incidents with the signal source (CT/passive DNS) to show impact and refine scoring.

Takeaways

You don’t need deep secrets to get early warning. By pairing CT logs with passive DNS, and adding transparent scoring and decay, teams in both the public and private sectors can spot infrastructure as it forms, prioritize hunts and controls, and blunt campaigns before they mature—without touching sensitive tradecraft.


Do you have the tools it takes to understand who is attacking your organization and why? Ultimately, it’s the only way to know how to stop attacks. Platform Blue offers government-grade threat intelligence to the world’s most elite threat hunting organizations. Get a demo today!