Analyzing TLS Certificate Transparency Logs
Queries Certificate Transparency logs via crt.sh and pycrtsh to detect phishing domains, unauthorized certificate
What Is This
The "Analyzing TLS Certificate Transparency Logs" skill equips cybersecurity professionals with the ability to systematically investigate Certificate Transparency (CT) logs. By leveraging crt.sh and the pycrtsh Python library, this skill enables users to query, parse, and analyze records of TLS certificates issued by trusted Certificate Authorities (CAs) for any given domain. The skill is designed to support detection of phishing domains, unauthorized certificate issuance, and shadow IT activity by monitoring for certificates that mimic legitimate brands or organizational assets. It utilizes techniques such as Levenshtein distance to identify typosquatting and brand impersonation, thereby providing proactive coverage against social engineering and domain-based threats.
Why Use It
TLS certificates are a foundational component of modern web security but can also be abused by threat actors. Attackers often register lookalike domains and obtain valid TLS certificates to make their phishing sites appear trustworthy to both users and automated security tools. Monitoring CT logs is essential for organizations seeking to:
- Detect and respond to phishing campaigns impersonating their brands.
- Identify unauthorized issuance of TLS certificates for their domains, which may indicate a security breach or misconfiguration.
- Discover shadow IT or unsanctioned infrastructure set up within or outside the organization.
- Maintain compliance with security frameworks that require monitoring of certificate issuance.
By automating queries against CT logs via crt.sh and pycrtsh, this skill streamlines the detection and investigation workflow for security analysts and threat hunters.
How to Use It
This skill provides a code-driven approach to querying CT logs, focusing on domains of interest and applying logic to detect phishing and unauthorized certificates.
Prerequisites
- Python 3.8 or higher.
- The pycrtsh library installed (pip install pycrtsh).
- Access to https://crt.sh for manual investigation, if needed.
- Authorization to analyze certificates related to your organization.
Basic Usage Example
Below is a sample script to query crt.sh for certificates related to a given domain, such as example.com, and print the results:
```python
from pycrtsh import Crtsh

# Initialize the crt.sh client
client = Crtsh()

# Query for certificates issued to example.com and its subdomains
# (crt.sh treats % as a wildcard in identity searches)
results = client.search('%.example.com')

for cert in results:
    # search() returns one entry per logged name; the issuer is under cert['ca']
    print(f"Issuer: {cert['ca']['name']}")
    print(f"Subject: {cert['name']}")
    print(f"Not Before: {cert['not_before']}")
    print(f"Not After: {cert['not_after']}")
    # The serial number is not part of search() results; client.get(cert['id'])
    # fetches the full certificate record when it is needed
    print(f"crt.sh ID: {cert['id']}")
    print('-' * 40)
```
Detecting Typosquatting and Brand Impersonation
To detect domains that are similar to your brand, you can use the Levenshtein distance algorithm. This measures the similarity between strings and helps identify potential typosquatting attempts:
```python
from pycrtsh import Crtsh
import Levenshtein  # pip install Levenshtein

brand = "example"
client = Crtsh()
# A pattern this broad returns a very large result set; scope it to the
# TLDs and keywords relevant to your brand in practice
results = client.search('%.com')

suspicious = set()
for cert in results:
    # Normalise: lower-case and drop a leading wildcard label ("*.")
    domain = cert['name'].lower().lstrip('*.')
    labels = domain.split('.')
    # Compare the label directly left of the TLD, not the leftmost one
    # (for "login.examp1e.com" that is "examp1e", not "login")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if Levenshtein.distance(label, brand) <= 2:
        suspicious.add(domain)

print("Potential typosquatting domains:")
for d in sorted(suspicious):
    print(d)
```
This logic can be integrated into automation or SIEM workflows to generate alerts when new certificates are issued for domains similar to your brand.
Monitoring for Unauthorized Certificates
You can periodically run your queries to monitor for new certificate issuance. This helps detect certificates issued without authorization, which could signal an ongoing attack or process failure. Schedule your scripts or integrate with existing monitoring solutions to automate this process.
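As an added example (not code from this skill or from pycrtsh), the following offline triage combines the lookalike check from the previous section with the unauthorized-issuance and new-entry monitoring described here. The records are constructed and only modelled on the shape of pycrtsh's search() output; the brand, organisation domain and CA allowlist are assumptions, and the Levenshtein function is implemented inline so nothing needs to be installed.

```python
BRAND = "example"                # assumed brand label to protect
OWN_DOMAIN = "example.com"       # assumed organisation domain
ALLOWED_CAS = {"Let's Encrypt"}  # assumed allowlist of CA organisation names

# Constructed sample records, modelled on the shape of pycrtsh's search() output
SAMPLE_CERTS = [
    {"id": 1, "name": "www.example.com", "ca": {"parsed_name": {"O": "Let's Encrypt"}}},
    {"id": 2, "name": "*.example.com", "ca": {"parsed_name": {"O": "Unknown CA Ltd"}}},
    {"id": 3, "name": "login.examp1e.com", "ca": {"parsed_name": {"O": "Let's Encrypt"}}},
    {"id": 4, "name": "exarnple.net", "ca": {"parsed_name": {"O": "Let's Encrypt"}}},
    {"id": 5, "name": "unrelated.org", "ca": {"parsed_name": {"O": "Let's Encrypt"}}},
]

def levenshtein(a, b):
    # Edit distance by the classic dynamic-programming row update
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(name):
    return name.lower().lstrip("*.")  # '*.Example.COM' -> 'example.com'

def is_own(host, own_domain):
    return host == own_domain or host.endswith("." + own_domain)

def find_lookalikes(certs, brand, own_domain, max_distance=2):
    """Hosts outside own_domain whose label left of the TLD is within max_distance of brand."""
    hits = set()
    for cert in certs:
        host = normalise(cert["name"])
        if is_own(host, own_domain):
            continue
        labels = host.split(".")  # compare the label left of the TLD, not the leftmost one
        if levenshtein(labels[-2] if len(labels) > 1 else labels[0], brand) <= max_distance:
            hits.add(host)
    return sorted(hits)

def find_unauthorized(certs, own_domain, allowed_cas):
    """IDs of certificates for own_domain issued by a CA outside the allowlist."""
    return [c["id"] for c in certs if is_own(normalise(c["name"]), own_domain)
            and c["ca"]["parsed_name"].get("O") not in allowed_cas]

def new_since_baseline(certs, seen_ids):
    """IDs not seen in the previous run, for scheduled re-queries."""
    return [c["id"] for c in certs if c["id"] not in seen_ids]
```

For a scheduled run, persist the IDs returned so far and feed them to new_since_baseline so each alert fires once per newly logged entry.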
When to Use It
- Incident Response: When investigating phishing campaigns or suspicious domain activity, analyzing CT logs helps quickly identify malicious infrastructure.
- Threat Hunting: Security teams can proactively search for lookalike domains and unauthorized certificates that may be used in future attacks.
- Continuous Monitoring: SOC analysts should routinely monitor CT logs for their organization’s assets to ensure no unauthorized certificates are issued.
- Security Coverage Validation: When building or validating detection rules for phishing, domain abuse, or related attack techniques, this skill helps ensure comprehensive coverage.
Important Notes
- Data Scope: CT logs record all publicly issued TLS certificates but may not include private CA activity or certain legacy certificates.
- False Positives: Similar domain names may not always indicate malicious intent. Manual verification is recommended before taking action.
- Privacy and Authorization: Ensure you have authorization to monitor and investigate certificates related to your organization or scope of work.
- Rate Limits: Be mindful of crt.sh’s usage policies and rate limits, especially when automating large queries.
- Integration: This skill is most effective when integrated into a broader security monitoring and incident response program.
By leveraging the "Analyzing TLS Certificate Transparency Logs" skill, organizations can enhance their ability to detect and respond to certificate-based threats in a timely, efficient, and proactive manner.