Seems there is a possibility that a CA gave away duplicate certs for a GitHub domain
Could SA NetWitness help locate if any Certificates were signed by the potentially offending CA and see if this could impact your organization ?
Let's see ...
Using this post to enable full indexing on the appropriate ssl.* metakeys you could search for the CA name (in this case WoSign)
ssl.ca = WoSign
or if the CA name isnt exactly WoSign we could use this query to locate similar names and then tune the drill approriately
ssl.ca contains 'WoSign'
Then you could see all the domains (alias.host) that the certificate was used as part of the communication and see if you might be affected. You might also want to focus on outbound traffic (your users connecting to a GitHub domain with a cert signed by WoSign could be something to investigate)
From what I can see with my browser, Digicert should be the CA for GitHub
Taking this one step further, I also found there was a new function that has been spun up to track how many certs have been created for each domain. Why not create a Context Menu plugin for RSA NW to query one of these certificate transparency sites so that analysts could get additional details about the domain and certs without sharepoint + copy + paste +copy + paste
So here is the context menu item that functions on the ssl.ca, ssl.subject and alias.host metakeys
"displayName": "Google SSL Cert Transparency Check",
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.