SSL and NetWitness Part Deux - CA oopsie ?

Written by Admin | Sep 5, 2016 4:00:00 AM

Seems there is a possibility that a CA issued duplicate certs for a GitHub domain:

http://thehackernews.com/2016/08/github-ssl-certificate.html

Could SA NetWitness help locate whether any certificates were signed by the potentially offending CA, and show whether this could impact your organization?

Let's see ...

Using this post to enable full indexing on the appropriate ssl.* meta keys, you could search for the CA name (in this case WoSign):

https://community.rsa.com/community/products/netwitness/blog/2016/08/30/ssl-and-netwitness

ssl.ca = WoSign

or, if the CA name isn't exactly WoSign, we could use this query to locate similar names and then tune the drill appropriately:

ssl.ca contains 'WoSign'

Then you could see all the domains (alias.host) where that certificate was used as part of the communication and see whether you might be affected. You might also want to focus on outbound traffic (your users connecting to a GitHub domain with a cert signed by WoSign could be something to investigate).

From what I can see with my browser, Digicert should be the CA for GitHub.

Taking this one step further, I also found there was a new function that has been spun up to track how many certs have been created for each domain. Why not create a Context Menu plugin for RSA NW to query one of these certificate transparency sites, so that analysts could get additional details about the domain and certs without sharepoint + copy + paste + copy + paste?

https://www.google.com/transparencyreport/https/ct/#domain=www.mozilla.org&incl_exp=true&incl_sub=true

So here is the context menu item that functions on the ssl.ca, ssl.subject and alias.host meta keys:

{
    "displayName": "Google SSL Cert Transparency Check",
    "cssClasses": [
        "ssl.ca",
        "ssl-ca",
        "ssl.subject",
        "ssl-subject",
        "alias.host",
        "alias-host"
    ],
    "description": "",
    "type": "UAP.common.contextmenu.actions.URLContextAction",
    "version": "1",
    "modules": [
        "investigation"
    ],
    "local": "false",
    "groupName": "externalLookupGroup",
    "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true",
    "disabled": "",
    "id": "GoogleSSLCERTCHECK",
    "moduleClasses": [
        "UAP.investigation.navigate.view.NavigationPanel",
        "UAP.investigation.events.view.EventGrid"
    ],
    "openInNewTab": "true",
    "order": ""
}
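To show how the pieces above fit together, here is an added example (not part of the original post or an RSA NetWitness component) that reads the context-menu definition, builds the CT lookup URL the same way NetWitness fills the {0} placeholder, and runs the "ssl.ca contains 'WoSign'" drill plus an issuer-mismatch check over a few constructed sessions. The session records, the EXPECTED_CA mapping and the direction field are assumptions made for the example.

```python
import json
from urllib.parse import quote

# The context-menu definition from the post, loaded the way NetWitness would read it.
# NetWitness substitutes the right-clicked meta value into the {0} placeholder.
MENU = json.loads('''{
  "cssClasses": ["ssl.ca", "ssl-ca", "ssl.subject", "ssl-subject", "alias.host", "alias-host"],
  "urlFormat": "https://www.google.com/transparencyreport/https/ct/#domain={0}&incl_exp=true&incl_sub=true"
}''')

def lookup_url(meta_key, value, menu=MENU):
    """URL the context menu would open for a meta value; refuses keys it is not registered on."""
    if meta_key not in menu["cssClasses"]:
        raise ValueError(f"context menu not registered for meta key {meta_key}")
    return menu["urlFormat"].replace("{0}", quote(value, safe=""))

# Constructed sample sessions (not real traffic) carrying the meta keys the post drills on.
SESSIONS = [
    {"alias.host": "github.com", "ssl.ca": "DigiCert SHA2 Extended Validation Server CA", "direction": "outbound"},
    {"alias.host": "api.github.com", "ssl.ca": "WoSign CA Free SSL Certificate G2", "direction": "outbound"},
    {"alias.host": "files.example.net", "ssl.ca": "WoSign CA Limited", "direction": "inbound"},
    {"alias.host": "www.example.net", "ssl.ca": "Let's Encrypt Authority X3", "direction": "outbound"},
]

# Domains whose issuing CA you already know (assumed here), so a different issuer is itself suspicious.
EXPECTED_CA = {"github.com": "DigiCert"}

def drill(sessions, ca_fragment="WoSign", expected=EXPECTED_CA, outbound_only=True):
    """Emulate `ssl.ca contains '<fragment>'`, plus an issuer-mismatch check for known domains.
    Returns (alias.host, ssl.ca, reason) for each session worth investigating."""
    hits = []
    for s in sessions:
        if outbound_only and s.get("direction") != "outbound":
            continue
        host, ca = s.get("alias.host", ""), s.get("ssl.ca", "")
        if ca_fragment.lower() in ca.lower():
            hits.append((host, ca, f"ssl.ca contains '{ca_fragment}'"))
            continue
        for domain, issuer in expected.items():
            if (host == domain or host.endswith("." + domain)) and issuer.lower() not in ca.lower():
                hits.append((host, ca, f"unexpected issuer for {domain}"))
    return hits

if __name__ == "__main__":
    for host, ca, reason in drill(SESSIONS):
        print(f"{host:20} {reason:35} -> {lookup_url('alias.host', host)}")
```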