
About

Introduction

Welcome to Pivot Atlas, an educational pivoting handbook for cyber threat intelligence analysts developed by Amitai Cohen.

This website contains simple reference material for how to make the best use of various threat activity observables, such as IP addresses and file hashes. The goal is to map the pivotability of every type of artifact that analysts might encounter in the course of their investigations:

"While investigating threat activity, I found ... what can I do with it?"

       — You, possibly.

For any given observable, analysts can use this handbook to figure out what steps they should take to reveal potentially related malicious infrastructure or tooling. Every listed pivoting method can be performed using one or more tools (depending on preference or which platforms you have access to), and query examples are provided for the most commonly used tools.

Mermaid diagrams are also included for easy and clickable navigation between artifact types, as in the following example or in the full map (the diagram may take a few seconds to load in your browser if you're visiting this website for the first time):

Pivot Map (Mermaid source of the example diagram):

    flowchart LR
        classDef primary stroke-width: 2px
        classDef secondary stroke-dasharray: 5 5

        %% define nodes
        IP_ADDRESS(IP Address)
        DOMAIN(Domain):::primary
        DOMAIN_(Domain):::secondary
        TLS_CERT(TLS Certificate)
        SAMPLE(Sample)

        %% define edges
        DOMAIN -- forward DNS --> IP_ADDRESS
        IP_ADDRESS -- reverse DNS ---> DOMAIN
        DOMAIN <-- DNS history --> IP_ADDRESS
        TLS_CERT -- CN ---> DOMAIN
        DOMAIN <-- similar name ---> DOMAIN_
        DOMAIN <-- registrant ---> DOMAIN_
        DOMAIN <-- registrar --> DOMAIN_
        DOMAIN <-- NS --> DOMAIN_
        DOMAIN <-- TLD --> DOMAIN_
        DOMAIN <-- reg. time --> DOMAIN_
        DOMAIN <-- URL path --> DOMAIN_
        SAMPLE -- references ---> DOMAIN
        SAMPLE -- queries --> DOMAIN

        %% define links
        click TLS_CERT "/artifacts/tls-certificate"
        click IP_ADDRESS "/artifacts/ip-address"
        click DOMAIN "/artifacts/domain"
        click SAMPLE "/artifacts/sample"

This project is a work in progress, but in time it might serve as a comprehensive guide to pivoting. If you would like to learn more about pivoting and cyber threat intelligence, please check out the references listed above. If you would like to contribute content to this project or provide feedback, please feel free to reach out on Twitter or submit an issue or pull request here.
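As an added example (not code from the Pivot Atlas site), the following Python script turns the Mermaid edge syntax of the example map above into a pivot graph and answers the handbook's central question for an artifact type: which pivots are available from it, and which chains of pivots connect one artifact type to another. The edge lines are copied from the page's example map; the regular expression, the folding of the secondary node (DOMAIN_) back onto its base type, and the query functions are assumptions of this example rather than anything the project defines.

```python
import re
from collections import defaultdict, deque

# Mermaid text copied from the example map on this page. Node definitions,
# comments and click handlers are left in to show that the parser skips them.
PIVOT_MAP = """
flowchart LR
    %% define nodes
    IP_ADDRESS(IP Address)
    DOMAIN(Domain):::primary
    DOMAIN_(Domain):::secondary
    TLS_CERT(TLS Certificate)
    SAMPLE(Sample)

    %% define edges
    DOMAIN -- forward DNS --> IP_ADDRESS
    IP_ADDRESS -- reverse DNS ---> DOMAIN
    DOMAIN <-- DNS history --> IP_ADDRESS
    TLS_CERT -- CN ---> DOMAIN
    DOMAIN <-- similar name ---> DOMAIN_
    DOMAIN <-- registrant ---> DOMAIN_
    DOMAIN <-- registrar --> DOMAIN_
    DOMAIN <-- NS --> DOMAIN_
    DOMAIN <-- TLD --> DOMAIN_
    DOMAIN <-- reg. time --> DOMAIN_
    DOMAIN <-- URL path --> DOMAIN_
    SAMPLE -- references ---> DOMAIN
    SAMPLE -- queries --> DOMAIN

    %% define links
    click DOMAIN "/artifacts/domain"
"""

# One Mermaid edge: "A -- label --> B" (directed) or "A <-- label --> B"
# (bidirectional). Mermaid allows extra dashes ("--->") for longer arrows.
EDGE_RE = re.compile(
    r"^\s*(?P<src>\w+)\s*(?P<back><)?--\s*(?P<label>.+?)\s*-{2,}>\s*(?P<dst>\w+)\s*$"
)


def parse_pivot_map(text):
    """Return {artifact_type: [(pivot_method, artifact_type), ...]}."""
    graph = defaultdict(list)
    for line in text.splitlines():
        m = EDGE_RE.match(line)
        if not m:
            continue  # node definitions, %% comments, click handlers, header
        label = m["label"].strip()
        # Assumption of this example: a trailing underscore (DOMAIN_) marks a
        # second node of the same artifact type, so fold it onto the base type.
        # A domain-to-domain pivot then becomes a self-loop on DOMAIN.
        src, dst = m["src"].rstrip("_"), m["dst"].rstrip("_")
        if (label, dst) not in graph[src]:
            graph[src].append((label, dst))
        if m["back"] and (label, src) not in graph[dst]:
            graph[dst].append((label, src))
    return dict(graph)


def pivots_from(graph, artifact):
    """Pivot methods available from one artifact type, sorted by method name."""
    return sorted(graph.get(artifact, []))


def pivot_paths(graph, start, goal, max_hops=3):
    """Breadth-first search: every chain of at most max_hops pivots from start to goal.

    Each path is a list of (from_type, method, to_type) triples. A path stops
    as soon as it reaches the goal, so the goal never appears mid-path.
    """
    paths = []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == goal and path:
            paths.append(path)
            continue
        if len(path) >= max_hops:
            continue
        for method, nxt in graph.get(node, []):
            queue.append((nxt, path + [(node, method, nxt)]))
    return paths


def describe_path(path):
    """Render a path as 'SAMPLE -[references]-> DOMAIN -[forward DNS]-> IP_ADDRESS'."""
    out = path[0][0]
    for _, method, nxt in path:
        out += f" -[{method}]-> {nxt}"
    return out


if __name__ == "__main__":
    graph = parse_pivot_map(PIVOT_MAP)
    for method, target in pivots_from(graph, "IP_ADDRESS"):
        print(f"IP_ADDRESS -[{method}]-> {target}")
    for path in pivot_paths(graph, "SAMPLE", "IP_ADDRESS", max_hops=2):
        print(describe_path(path))
```

Raising `max_hops` quickly multiplies the number of chains because the seven domain-to-domain pivots are self-loops on DOMAIN; in practice an analyst limits hops for the same reason, since each extra pivot on a weak selector (registrar, TLD) widens the result set and raises the false-positive rate.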


Frequently asked questions (FAQ)

How should I use Pivot Atlas?

  • To learn how to pivot from any given artifact, check out the Artifacts section.
  • To learn about the various artifact identifiers, take a look at the Fingerprints page.
  • To learn about threat intel analysts' tools of the trade, head on over to the Tools page.
  • To learn how to operationalize threat intel products and make them as impactful as possible, check out the Impact page.
  • For guidance on making the most of the pivoting process, check out the Tips page.

What's the best way to contribute to this project?

You are welcome to submit information about publicly known examples of investigations demonstrating novel or creative pivots (or anything else you've noticed may be missing from this website). You can also review the "Future plans" section of this blogpost for ideas on areas that require expansion or improvement. To contribute, you can either submit a pull request yourself or simply add an issue to the GitHub project (pull requests are preferred but issues are welcome).

Where can I learn more about pivoting?

If you'd like to learn more about pivoting in cyber threat intelligence, be sure to check out the following resources:

Where can I learn more about offensive cyber operations?

If you'd like to learn more about how threat actors operate, the following books are an excellent place to start: