About
Introduction
Welcome to Pivot Atlas, an educational pivoting handbook for cyber threat intelligence analysts developed by Amitai Cohen.
This website contains simple reference material for how to make the best use of various threat activity observables, such as IP addresses and file hashes. The goal is to map the pivotability of every type of artifact that analysts might encounter in the course of their investigations:
— You, possibly.
For any given observable, analysts can use this handbook to figure out what steps they should take to reveal potentially related malicious infrastructure or tooling. Every listed pivoting method can be performed using one or more tools (depending on preference or which platforms you have access to), and query examples are provided for the most commonly used tools.
Mermaid diagrams are also included for easy and clickable navigation between artifact types, as in the following example or in the full map (the diagram may take a few seconds to load in your browser if you're visiting this website for the first time):
- Pivot Map
flowchart LR classDef primary stroke-width: 2px classDef secondary stroke-dasharray: 5 5 %% define nodes IP_ADDRESS(IP Address) DOMAIN(Domain):::primary DOMAIN_(Domain):::secondary TLS_CERT(TLS Certificate) SAMPLE(Sample) %% define edges DOMAIN -- forward DNS --> IP_ADDRESS IP_ADDRESS -- reverse DNS ---> DOMAIN DOMAIN <-- DNS history --> IP_ADDRESS TLS_CERT -- CN ---> DOMAIN DOMAIN <-- similar name ---> DOMAIN_ DOMAIN <-- registrant ---> DOMAIN_ DOMAIN <-- registrar --> DOMAIN_ DOMAIN <-- NS --> DOMAIN_ DOMAIN <-- TLD --> DOMAIN_ DOMAIN <-- reg. time --> DOMAIN_ DOMAIN <-- URL path --> DOMAIN_ SAMPLE -- references ---> DOMAIN SAMPLE -- queries --> DOMAIN %% define links click TLS_CERT "/artifacts/tls-certificate" click IP_ADDRESS "/artifacts/ip-address" click DOMAIN "/artifacts/domain" click SAMPLE "/artifacts/sample"
This project is a work in progress, but in time it might serve as a comprehensive guide to pivoting. If you would like to learn more about pivoting and cyber threat intelligence, please check out the references listed above. If you would like to contribute content to this project or provide feedback, please feel free to reach out on Twitter or submit an issue or pull request here.
Frequently asked questions (FAQ)
How should I use Pivot Atlas?
- To learn how to pivot from any given artifact, check out the Artifacts section.
- To learn about various artifact identifier, take a look at the Fingerprints page.
- To learn about threat intel analysts' tools of the trade, head on over to the Tools page.
- To learn how to operationalize threat intel products and make them as impactful as possible, check out the Impact page.
- For guidance on making the most of the pivoting process, check out the Tips page.
What's the best way to contribute to this project?
You are welcome to submit information about publicly known examples of investigations demonstrating novel or creative pivots (or anything else you've noticed may be missing from this website). You can also review the "Future plans" section of this blogpost for ideas on areas that require expansion or improvement. To contribute, you can either submit a pull request yourself or simply add an issue to the GitHub project (pull requests are preferred but issues are welcome).
Where can I learn more about pivoting?
If you'd like to learn more about pivoting in cyber threat intelligence, be sure to check out the following resources:
- Formulating a Robust Pivoting Methodology by Joe Slowik
- Pivoting from Art to Science by Joe Slowik
- A Cyber Threat Intelligence Self-Study Plan by Katie Nickels
- A Beginner’s Guide to Tracking Malware Infrastructure by Embee Research
- Visual Threat Intelligence by Thomas Roccia
Where can I learn more about offensive cyber operations?
If you'd like to learn more about how threat actors operate, the following books are an excellent place to start: