SlideShare a Scribd company logo

PHDAYS: DGAs and Threat Intelligence

Download as PPTX, PDF
John Bambenek
John Bambenek

The document discusses domain generation algorithms (DGAs) used in malware command and control networks and how they have evolved over time. It provides examples of specific DGAs like Conficker, Cryptolocker, and Tinba. It also describes how intelligence can be gathered on DGAs by reverse engineering them, monitoring generated domains for resolutions, and tracking associated IP addresses and nameservers. The goal of DGAs from an adversary perspective is to increase the resilience of command and control structures against takedowns.

Internet
1 of 53
DGAs and Threat Intelligence JOHN BAMBENEK, BAMBENEK CONSULTING PHDAYS V
Intro  President and Chief Forensic Examiner for Bambenek Consulting  Adjunct Faculty in CS Department at the University of Illinois at Urbana-Champaign  Producer of open-source intel feeds  Work with companies and LE all over the world to address growth in cybercrime
About Threat Intelligence  Information is a set of unprocessed data that may or may not contain actionable intelligence.  Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.
About Threat Intelligence  Many “threat intelligence” companies drown their customers with information.  Few actually process that information to find intelligence.  Involves analyzing adversary capabilities, intentions and motivations.
Why does this matter?  Reverse engineering malware, finding a DGA and resolving all the domains gives you useful information.  Knowing how and why an adversary makes the decisions they do can lead to more successful operations.  Knowing how to distinguish between signal and the large amount of noise in doing this is key.
Adversarial objectives  Here we are generally talking about organized crime, usually financially motivated.  What we know:  Highly rational actors  Hierarchical organizational structure, potentially siloed  May hire “outside experts” for specific tasks  Generally technological sophisticated  Desire to remain “quiet”  Desire to remain resilient over the long-term
A History of Malware C2 Networks  An adversary wants to persist over the long-term and make their networks more resilient against enforcement actions.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Development over time will largely show adversaries have acted in ways to ensure increased resiliency.  We can continue to map forward over time where they are likely to go in the future as a result.
Static IP/Host lists  In the beginning there were static domain or IP lists. Sometimes only one, many times several.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Adversarial response: Increase number of domains and diversity jurisdictions and service providers.
Proxies  The addition of proxies added a new element.  A domain or IP seizure COULD still sever control but it would not inherently lead to loss of already stolen data.  Our response: Usually less enthusiastic to take down domains and IPs because what is on “back end” server is most valuable.
Dynamic DNS  Then there was dynamic dns (dyndns, no-ip, 3322.org, etc)  Allowed for rapidly changing IP address but still tied to a DNS zone.  Still in use, especially for lower end crime and some espionage operations.
Fast Flux  Fast Flux domains use multiple A records with short TTL to create rolling lists of (usually) proxies to maintain control.  Seize a machine, victim happily moves on to the next controller.  Sometimes (but not always) defined “networks” of fast flux nodes. Occasionally just compromised machines.
Fast Flux  Fast flux example: divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net] divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz] divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr] divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]  Even though A records are resilient, the domain is still controlling and if you can seize the name-servers the botnet is decapitated.
Double Flux  Evolution of Fast Flux with has short TTLs for name servers as well.  This makes the controlling services more resilient too.  Still can seize domain(s) and the botnet is decapitated.
Double Flux example ns1.myheroisyourslove.hk.854 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net] ns2.myheroisyourslove.hk.854 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net] ns3.myheroisyourslove.hk. 854 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net] ns4.myheroisyourslove.hk. 854 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com] ns5.myheroisyourslove.hk. 854 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com] Some time later: ns1.myheroisyourslove.hk. 3596 IN A 75.67.15.xxx [c-75-67-15-xxx.hsd1.ma.comcast.net] ns2.myheroisyourslove.hk. 3596 IN A 75.22.239.xxx [adsl-75-22-239-xxx.dsl.chcgil.sbcglobal.net] ns3.myheroisyourslove.hk. 3596 IN A 75.33.248.xxx [adsl-75-33-248-xxx.dsl.chcgil.sbcglobal.net] ns4.myheroisyourslove.hk. 180 IN A 69.238.210.xxx [ppp-69-238-210-xxx.dsl.irvnca.pacbell.net] ns5.myheroisyourslove.hk. 3596 IN A 70.64.222.xxx [xxx.mj.shawcable.net]
Double Flux  Important note, while the IP addresses change frequently, you can still disrupt the network by domain seizure.  Might not recover data but no future loss would occur.
Introduction of tor / i2p hidden services  Involves the use of anonymization technologies to hide where the infrastructure actually is.  Very hard to takedown without cooperation of privacy networks which is unlikely to happen.  Our response: Most organizations can block tor / i2p, consumers still vulnerable.
Domain Generation Algorithms  Usually a complex math algorithm to create pseudo- random but predictable domain names.  Now instead of a static list, you have a dynamic list of hundreds or thousands of domains and adversary only needs to have a couple registered at a time.  Can shop registrars to avoid suspension.
Use of Multiple Techniques  The most resilient malware C2 use multiple methods of callback.  Static Lists  DGAs  Tor/I2P  If one or two are blocked, still able to control machine.
Reverse Engineering DGAs  Many blog posts about reversing specific DGAs, Johannes Bader has the most online at his blog:  Johannesbader.ch  No real shortcuts except working through IDA/Debugger and reversing the function.  Look for functions that iterate many times.  There will be at least a function to generate the domains and a function to connect to all of them to find the C2.  As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.
Reversing DGAs Example From http://johannesbader.ch/2015/05/the-dga-of-ranbyus/
Types of DGAs  Almost all DGAs use some time of “Seed”.  Types:  Date-based  Static seed  Dynamic seed  Seed has to be globally consistent so all victims use the same one at the same time.
Other DGA Hardening Techniques  Choice of gTLD matters.  Some doing have WHOIS protection, make it hard to sinkhole  Rotation of seeds  Some malware has rudimentary “sinkhole awareness”  Adversarial objectives: Maintain control, limit surveillance
Examples of select DGAs - Conficker  Used PNRG with date seed to generate domains.  A and B created 250 domains across 5 and 8 gTLDs.  C and D upped this to 50,000 across 140 gTLDs in response to registries banning the use of conficker DGA domains.
Examples of select DGAs - Cryptolocker  Used 1000 domains a day across 7 gTLDs. Order domains are queries in based on GetTickCount()  Eerily similar to DGA described in Wikipedia article on DGAs.  Used previously by Flashback OSX Worm.  Never changed during the life of the malware campaign.  Successfully taken down in June 2014.  Special thanks to Vladimir Kropotov for his help on this!
Examples of select DGAs - Cryptolocker  Intel conclusions:  Likely written by a third party.  Went days without a domain registered, actor wanted to get paid but wasn’t overly concerned about keeping everything going 24x7.  Tended not to shift registrar even after domains were suspended.  Likely didn’t monitor his own domains because the ratio of malicious to sinkholed domains was about 1:125.  Way to go on the OPSEC good guys. D
Examples of select DGAs - Tinba  Generated 1,000 domains a day, not date-seeded.  Seeded by an initial hostname and a defined gTLD.  Change seeds often and tends to update already infected machines.  At least sinkholing tended to be ineffective for more than a few days.
Examples of select DGAs - Tinba  Intelligence conclusions:  These guys care about their infrastructure.  Likely they are actively monitoring to see when their DGA is cracked and adapting accordingly.  Likely they wrote DGA with this kind of flexibility in mind.
Examples of select DGAs - Bedep  Uses a dynamic seed – currency exchange values for foreign currency  European Central Bank produces daily feeds of the rates, this is used as source data.  Impossible to predict in advance even though code to generate the domains is publicly available.  http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for- malware-domains/
Examples of select DGAs - Bedep  To date, all successful takedowns (and for that matter unsuccessful takedowns) seized malicious DGA domains in advance while simultaneously suspending current domains.  This would decapitate a botnet if and only if there was no fallback mechanism to reach the C2 (i.e. tor).  How can you do this for Bedep when you don’t know future currency values?  Intelligence conclusion: this is obviously an intentional choice.
What the use of DGAs give the good guys  Easy ability to sinkhole unused DGA domains to gather additional intelligence.  Easier ability to do bulk takedowns.  *IF* you can predict domains in advance.  The ability to surveil malicious infrastructure in near real- time.
What the use of DGAs give the good guys  The use of DNS in malware severely limits the ability of the adversary to play games.  The need the world to be able to find their infrastructure in order to control victim machines.  Even when DGA changes, the adversary **tends** not to immediately change their infrastructure too.  Allows for the use of passive DNS to see the extent of DGA changes.
Sinkholing  Many security companies do this.  Many want to hide the fact they do this.  Most adversaries aren’t stupid enough to not notice.  Remember, Cryptolocker we had 125 or so sinkholed domain for every 1 malicious domain.
Feed generation on DGAs ndsonjcyllala.com,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 gwhdgqvghqbre.net,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 tsgqxijpaiegf.biz,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 hbweraesinrfg.ru,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 uwvrjrrcbfutx.org,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 kgmbjjfiktile.co.uk,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 xclobbsrdllaf.info,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 From here you could easily feed this into RPZ or other technology to protect your organization. But we want more.
How to set up surveillance on a DGA  Easy to set up with shell scripting and a non-t1.micro AWS instance.  Requires GNU parallel and adns-tools to handle bulk DNS queries.
DGA surveillance  Pre-generate all domains 2 days before to 2 days in future.  Pipe all those domains into adnshost using parallel to limit the number of lines.  Able to process over 200,000 domains inside 10 minutes (and I’m not done optimizing).
Tinba DGA feed example bbqfwypsbwjt.com,Domain used by tinba,2015-05-24 19:40 bfoxyvqtolmn.com,Domain used by tinba,2015-05-24 19:40 biygihojbxhs.com,Domain used by tinba,2015-05-24 19:40 bvhtdpnqpeur.com,Domain used by tinba,2015-05-24 19:40 cbjedxmjsxyv.ru,Domain used by tinba,2015-05-24 19:40 cdtpxpsdxgkp.com,Domain used by tinba,2015-05-24 19:40 cniuybkgxelo.com,Domain used by tinba,2015-05-24 19:40 This is active not-known-sinkhole domains current resolving.
A note on intelligence bias  How we look at threats and what we tend to do with information will affect how we gather intel and how we process it.  I tend to be involved in takedowns so I am generally uninterested in sinkholes.  If you protect an organization, however, you care about your client machines reaching out to sinkholes because they are still infected.
Tinba IP list 46.30.41.102,IP used by tinba C&C,2015-05-24 19:40 54.72.9.51,IP used by tinba C&C,2015-05-24 19:40 91.233.244.102,IP used by tinba C&C,2015-05-24 19:40 95.163.121.201,IP used by tinba C&C,2015-05-24 19:40 130.211.70.150,IP used by tinba C&C,2015-05-24 19:40 151.248.123.41,IP used by tinba C&C,2015-05-24 19:40 Seems like a good list to firewall… More on that in a moment.
Should also check NS info too 54.75.226.194,Nameserver IP used by tinba C&C,2015-05-24 19:46 54.75.227.14,Nameserver IP used by tinba C&C,2015-05-24 19:46 64.87.16.156,Nameserver IP used by tinba C&C,2015-05-24 19:46 67.195.1.92,Nameserver IP used by tinba C&C,2015-05-24 19:46 69.64.74.153,Nameserver IP used by tinba C&C,2015-05-24 19:46 77.247.183.137,Nameserver IP used by tinba C&C,2015-05-24 19:46
Should also check NS info too dns1.webdrive.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns2.sitenewdns1.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns2.webdrive.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns3.sitenewdns1.ru,Nameserver used by tinba C&C,2015-05-24 19:46 With these two data points you can usually quickly validate what is a sinkhole and what is likely malicious and bears further investigation.
DGA Surveillance  Looking at those four data points you now have solid information to make decisions based on the data.  You could block domains/IPs.  You could block nameservers (some times).
Adversarial Response  Adversaries know we are doing this.  In response:  They change seeds frequently  They have non-DGA communication mechanisms  They engage in counterintelligence
Counterintelligence  The tactics by which an adversary thwarts attempts to gather information on itself.  Remember the domain and IP lists before?  What if an adversary registers domains that they aren’t using?
Counterintelligence – or worse version  What if adversary knows you pump your IP lists directly into your firewall (and I know people do this with my feeds)?  Anyone recognize these IP addresses? 198.41.0.4 192.228.79.201 192.33.4.12 199.7.91.13 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33
Counterintelligence – or worse version  Taking action on information without analysis is generally a bad idea, especially when the information is under the complete control of the adversary.  This is why intelligence analysis is so important.  (I whitelisted the root servers after I noticed an adversary tried to do an attack similar to this.)
Whois Registrar Intel  Often actors may re-use registrant information across different campaigns. There may be other indicators too.  Sometimes *even with WHOIS privacy protection* it may be possible to correlate domains and by extension the actor.  Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time of what the actor did to find that fail that exposes them.
Surveillance is nice, what about notification?  Creation of feeds and intake is still a passive tactic.  It is all possible to automate notifications when key changes happen to allow for more near-time actions.  This uses the Pushover application (Apple and Google stores) which has a very simple API.
New Dyre domain registered
New Matsnu domains registered
Pivoting  Now that I know the-fancastar.com and seedwisdonn.com serve NS for Matsnu, I can see what else is served by those nameservers to find additional intelligence.  Caution is due, this may not always yield results and may yield false positives. Always correlate with something else before making a final judgement.
Last adversarial response  Starting to see sinkhole-aware malware.  Some malware always authenticated the C2, but sinkholes still could gather intel.  Now malware is being written to attempt to bypass sinkholes altogether.
The Future?  DGAs will be around for awhile as part of several methods of communication to victim machines.  Tor/I2P will continue to be used because of its advantages but DGAs still needed due to ease of blocking tor.  Increase in the use of “interesting” dynamic seeds.
Questions? Thanks PHDays V! My feeds: osint.bambenekconsulting.com/feeds/ jcb@bambenekconsulting.com www.bambenekconsulting.com +1 312 425 7225

Recommended

HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 

Recommended

HITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceHITCON 2015 - DGAs, DNS and Threat Intelligence
HITCON 2015 - DGAs, DNS and Threat IntelligenceJohn Bambenek
 
THOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksTHOTCON 0x6: Going Kinetic on Electronic Crime Networks
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
 
ANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleANALYZE'15 - Bulk Malware Analysis at Scale
ANALYZE'15 - Bulk Malware Analysis at ScaleJohn Bambenek
 
Thotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSThotcon 0x5 - Retroactive Wiretapping VPN over DNS
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
 
SANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseSANSFIRE18: War Stories on Using Automated Threat Intelligence for Defense
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
 
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersHITCON 2017: Building a Public RPZ Service to Protect the World's Consumers
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
 
THOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesTHOTCON - The War over your DNS Queries
THOTCON - The War over your DNS QueriesJohn Bambenek
 
Defcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoDefcon Crypto Village - OPSEC Concerns in Using Crypto
Defcon Crypto Village - OPSEC Concerns in Using CryptoJohn Bambenek
 
Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentOpenDNS
 
Shamoon
ShamoonShamoon
ShamoonShakacon
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsOpenDNS
 
2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detectionCanaan Kao
 
2012 the botnet traffic forensics system
2012 the botnet traffic forensics system2012 the botnet traffic forensics system
2012 the botnet traffic forensics systemCanaan Kao
 

More Related Content

What's hot

Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"Christiaan Beek
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defenseChristiaan Beek
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceChristopher Gerritz
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE - ATT&CKcon
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"Christiaan Beek
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseAndrew Morris
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X WayStephan Borosh
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshopArpan Raval
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentOpenDNS
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacksCyber Security Alliance
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCanSecWest
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsOpenDNS
 

What's hot (20)

Corporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing FeloniesCorporate Espionage without the Hassle of Committing Felonies
Corporate Espionage without the Hassle of Committing Felonies
 
"Giving the bad guys no sleep"
"Giving the bad guys no sleep""Giving the bad guys no sleep"
"Giving the bad guys no sleep"
 
Offensive malware usage and defense
Offensive malware usage and defenseOffensive malware usage and defense
Offensive malware usage and defense
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
 
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - DecemberMITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
 
"There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow""There's a pot of Bitcoins behind the ransomware rainbow"
"There's a pot of Bitcoins behind the ransomware rainbow"
 
GreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To NoiseGreyNoise - Lowering Signal To Noise
GreyNoise - Lowering Signal To Noise
 
External to DA, the OS X Way
External to DA, the OS X WayExternal to DA, the OS X Way
External to DA, the OS X Way
 
Cyber Threat hunting workshop
Cyber Threat hunting workshopCyber Threat hunting workshop
Cyber Threat hunting workshop
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & ContainmentUmbrella for MSPs: Enterprise Grade Malware Protection & Containment
Umbrella for MSPs: Enterprise Grade Malware Protection & Containment
 
Shamoon
ShamoonShamoon
Shamoon
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
Understanding the fundamentals of attacks
Understanding the fundamentals of attacksUnderstanding the fundamentals of attacks
Understanding the fundamentals of attacks
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg dayCSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower CostsStandardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
 

Viewers also liked

2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detectionCanaan Kao
 
2012 the botnet traffic forensics system
2012 the botnet traffic forensics system2012 the botnet traffic forensics system
2012 the botnet traffic forensics systemCanaan Kao
 
Some things before network attack
Some things before network attackSome things before network attack
Some things before network attackCanaan Kao
 
2010 b5 spam source detection at home
2010 b5 spam source detection at home2010 b5 spam source detection at home
2010 b5 spam source detection at homeCanaan Kao
 
Malware classification and traceability
Malware classification and traceabilityMalware classification and traceability
Malware classification and traceabilityCanaan Kao
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detectionCanaan Kao
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaionAngel Boy
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detectionChong-Kuan Chen
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程Weber Tsai
 
資安人員如何協助企業面對層出不窮的資安威脅
資安人員如何協助企業面對層出不窮的資安威脅 資安人員如何協助企業面對層出不窮的資安威脅
資安人員如何協助企業面對層出不窮的資安威脅 Tim Hsu
 

Viewers also liked (10)

2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection2013 the current methodologies for apt malware traffic detection
2013 the current methodologies for apt malware traffic detection
 
2012 the botnet traffic forensics system
2012 the botnet traffic forensics system2012 the botnet traffic forensics system
2012 the botnet traffic forensics system
 
Some things before network attack
Some things before network attackSome things before network attack
Some things before network attack
 
2010 b5 spam source detection at home
2010 b5 spam source detection at home2010 b5 spam source detection at home
2010 b5 spam source detection at home
 
Malware classification and traceability
Malware classification and traceabilityMalware classification and traceability
Malware classification and traceability
 
Some things about LAN device detection
Some things about LAN device detectionSome things about LAN device detection
Some things about LAN device detection
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
 
TDOH x 台科 pwn課程
TDOH x 台科 pwn課程TDOH x 台科 pwn課程
TDOH x 台科 pwn課程
 
資安人員如何協助企業面對層出不窮的資安威脅
資安人員如何協助企業面對層出不窮的資安威脅 資安人員如何協助企業面對層出不窮的資安威脅
資安人員如何協助企業面對層出不窮的資安威脅
 

Similar to PHDAYS: DGAs and Threat Intelligence

Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big DataFrank Denis
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...OpenDNS
 
DDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosDDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosHaltdos
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real worldMichael Renner
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and RiskSukbum Hong
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMMundo Contact
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threatSensePost
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Andreas Taudte
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionImperva Incapsula
 
Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Infradata
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolJisc
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleGuardicore
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Mouaz Alnouri
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewMarketingArrowECS_CZ
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Alexander Kot
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough? Zscaler
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPROIDEA
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications IJosep Bardallo
 

Similar to PHDAYS: DGAs and Threat Intelligence (20)

Malware vs Big Data
Malware vs Big DataMalware vs Big Data
Malware vs Big Data
 
Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018Atelier Technique CISCO ACSS 2018
Atelier Technique CISCO ACSS 2018
 
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names...
 
DDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-HaltdosDDoS Falcon_Tech_Specs-Haltdos
DDoS Falcon_Tech_Specs-Haltdos
 
DDoS mitigation in the real world
DDoS mitigation in the real worldDDoS mitigation in the real world
DDoS mitigation in the real world
 
DNS DDoS Attack and Risk
DNS DDoS Attack and RiskDNS DDoS Attack and Risk
DNS DDoS Attack and Risk
 
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAMCómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
Cómo mejorar la seguridad de los servicios de DNS, DHCP e IPAM
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)Network Intelligence for a secured Network (2014-03-12)
Network Intelligence for a secured Network (2014-03-12)
 
DNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS ProtectionDNS and Infrastracture DDoS Protection
DNS and Infrastracture DDoS Protection
 
Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)Cybersecurity breakfast tour 2013 (1)
Cybersecurity breakfast tour 2013 (1)
 
Infoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security toolInfoblox - turning DNS from security target to security tool
Infoblox - turning DNS from security target to security tool
 
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at ScaleConclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
 
Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021Network security monitoring elastic webinar - 16 june 2021
Network security monitoring elastic webinar - 16 june 2021
 
9534715
95347159534715
9534715
 
Denial of Service - Service Provider Overview
Denial of Service - Service Provider OverviewDenial of Service - Service Provider Overview
Denial of Service - Service Provider Overview
 
Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.Bsides Tampa Blue Team’s tool dump.
Bsides Tampa Blue Team’s tool dump.
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr WojciechowskiPLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
PLNOG16: DDOS SOLUTIONS – CUSTOMER POINT OF VIEW, Piotr Wojciechowski
 
M4 internet systems & applications I
M4 internet systems & applications IM4 internet systems & applications I
M4 internet systems & applications I
 

More from John Bambenek

I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisJohn Bambenek
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceJohn Bambenek
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesJohn Bambenek
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016John Bambenek
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014John Bambenek
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...John Bambenek
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011John Bambenek
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...John Bambenek
 

More from John Bambenek (10)

I'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the NazisI'm All Up in Your Blockchain - Hunting Down the Nazis
I'm All Up in Your Blockchain - Hunting Down the Nazis
 
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceMISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
MISP Summit 2018: Barncat: Using MISP for Bulk Malware Surveillance
 
SANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political BreachesSANSFIRE - Elections, Deceptions and Political Breaches
SANSFIRE - Elections, Deceptions and Political Breaches
 
Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016Tracking Exploit Kits - Virus Bulletin 2016
Tracking Exploit Kits - Virus Bulletin 2016
 
Blackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of RansomwareBlackhat USA 2014 - The New Scourge of Ransomware
Blackhat USA 2014 - The New Scourge of Ransomware
 
IESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John BambenekIESBGA 2014 Cybercrime Seminar by John Bambenek
IESBGA 2014 Cybercrime Seminar by John Bambenek
 
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014
 
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
Cybercrime and Computer Forensics Seminar - Chicago Bar Association CLE May 2...
 
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
Cybercrime & Computer Forensics - ISBA Master Series CLE, Nov 18, 2011
 
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
Introduction to Computer Crime - John Bambenek talk to Champaign Seniors Poli...
 

Recently uploaded

( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...nilamkumrai
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...Escorts Call Girls
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceEscorts Call Girls
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftAanSulistiyo
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...SUHANI PANDEY
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Delhi Call girls
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445ruhi
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...SUHANI PANDEY
 

Recently uploaded (20)

( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
( Pune ) VIP Pimpri Chinchwad Call Girls 🎗️ 9352988975 Sizzling | Escorts | G...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
(+971568250507 ))# Young Call Girls in Ajman By Pakistani Call Girls in ...
 
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
6.High Profile Call Girls In Punjab +919053900678 Punjab Call GirlHigh Profil...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
📱Dehradun Call Girls Service 📱☎️ +91'905,3900,678 ☎️📱 Call Girls In Dehradun 📱
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Microsoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck MicrosoftMicrosoft Azure Arc Customer Deck Microsoft
Microsoft Azure Arc Customer Deck Microsoft
 
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
Yerawada ] Independent Escorts in Pune - Book 8005736733 Call Girls Available...
 
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
Hire↠Young Call Girls in Tilak nagar (Delhi) ☎️ 9205541914 ☎️ Independent Esc...
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
All Time Service Available Call Girls Mg Road 👌 ⏭️ 6378878445
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
Shikrapur - Call Girls in Pune Neha 8005736733 | 100% Gennuine High Class Ind...
 

PHDAYS: DGAs and Threat Intelligence

  • 1. DGAs and Threat Intelligence JOHN BAMBENEK, BAMBENEK CONSULTING PHDAYS V
  • 2. Intro  President and Chief Forensic Examiner for Bambenek Consulting  Adjunct Faculty in CS Department at the University of Illinois at Urbana-Champaign  Producer of open-source intel feeds  Work with companies and LE all over the world to address growth in cybercrime
  • 3. About Threat Intelligence  Information is a set of unprocessed data that may or may not contain actionable intelligence.  Intelligence is the art of critically examining information to draw meaningful and actionable conclusions based on observations and information.
  • 4. About Threat Intelligence  Many “threat intelligence” companies drown their customers with information.  Few actually process that information to find intelligence.  Involves analyzing adversary capabilities, intentions and motivations.
  • 5. Why does this matter?  Reverse engineering malware, finding a DGA and resolving all the domains gives you useful information.  Knowing how and why an adversary makes the decisions they do can lead to more successful operations.  Knowing how to distinguish between signal and the large amount of noise in doing this is key.
  • 6. Adversarial objectives  Here we are generally talking about organized crime, usually financially motivated.  What we know:  Highly rational actors  Hierarchical organizational structure, potentially siloed  May hire “outside experts” for specific tasks  Generally technological sophisticated  Desire to remain “quiet”  Desire to remain resilient over the long-term
  • 7. A History of Malware C2 Networks  An adversary wants to persist over the long-term and make their networks more resilient against enforcement actions.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Development over time will largely show adversaries have acted in ways to ensure increased resiliency.  We can continue to map forward over time where they are likely to go in the future as a result.
  • 8. Static IP/Host lists  In the beginning there were static domain or IP lists. Sometimes only one, many times several.  Domains tend to be easier to take down the IPs due to avoidance of jurisdictional issues.  Adversarial response: Increase number of domains and diversity jurisdictions and service providers.
  • 9. Proxies  The addition of proxies added a new element.  A domain or IP seizure COULD still sever control but it would not inherently lead to loss of already stolen data.  Our response: Usually less enthusiastic to take down domains and IPs because what is on “back end” server is most valuable.
  • 10. Dynamic DNS  Then there was dynamic dns (dyndns, no-ip, 3322.org, etc)  Allowed for rapidly changing IP address but still tied to a DNS zone.  Still in use, especially for lower end crime and some espionage operations.
  • 11. Fast Flux  Fast Flux domains use multiple A records with short TTL to create rolling lists of (usually) proxies to maintain control.  Seize a machine, victim happily moves on to the next controller.  Sometimes (but not always) defined “networks” of fast flux nodes. Occasionally just compromised machines.
  • 12. Fast Flux  Fast flux example: divewithsharks.hk. 1800 IN A 70.68.187.xxx [xxx.vf.shawcable.net] divewithsharks.hk. 1800 IN A 76.209.81.xxx [SBIS-AS - AT&T Internet Services] divewithsharks.hk. 1800 IN A 85.207.74.xxx [adsl-ustixxx-74-207-85.bluetone.cz] divewithsharks.hk. 1800 IN A 90.144.43.xxx [d90-144-43-xxx.cust.tele2.fr] divewithsharks.hk. 1800 IN A 142.165.41.xxx [142-165-41-xxx.msjw.hsdb.sasknet.sk.ca]  Even though A records are resilient, the domain is still controlling and if you can seize the name-servers the botnet is decapitated.
  • 13. Double Flux  Evolution of Fast Flux with has short TTLs for name servers as well.  This makes the controlling services more resilient too.  Still can seize domain(s) and the botnet is decapitated.
  • 14. Double Flux example ns1.myheroisyourslove.hk.854 IN A 70.227.218.xxx [ppp-70-227-218-xxx.dsl.sfldmi.ameritech.net] ns2.myheroisyourslove.hk.854 IN A 70.136.16.xxx [adsl-70-136-16-xxx.dsl.bumttx.sbcglobal.net] ns3.myheroisyourslove.hk. 854 IN A 68.59.76.xxx [c-68-59-76-xxx.hsd1.al.comcast.net] ns4.myheroisyourslove.hk. 854 IN A 70.126.19.xxx [xxx-19.126-70.tampabay.res.rr.com] ns5.myheroisyourslove.hk. 854 IN A 70.121.157.xxx [xxx.157.121.70.cfl.res.rr.com] Some time later: ns1.myheroisyourslove.hk. 3596 IN A 75.67.15.xxx [c-75-67-15-xxx.hsd1.ma.comcast.net] ns2.myheroisyourslove.hk. 3596 IN A 75.22.239.xxx [adsl-75-22-239-xxx.dsl.chcgil.sbcglobal.net] ns3.myheroisyourslove.hk. 3596 IN A 75.33.248.xxx [adsl-75-33-248-xxx.dsl.chcgil.sbcglobal.net] ns4.myheroisyourslove.hk. 180 IN A 69.238.210.xxx [ppp-69-238-210-xxx.dsl.irvnca.pacbell.net] ns5.myheroisyourslove.hk. 3596 IN A 70.64.222.xxx [xxx.mj.shawcable.net]
  • 15. Double Flux  Important note, while the IP addresses change frequently, you can still disrupt the network by domain seizure.  Might not recover data but no future loss would occur.
  • 16. Introduction of tor / i2p hidden services  Involves the use of anonymization technologies to hide where the infrastructure actually is.  Very hard to takedown without cooperation of privacy networks which is unlikely to happen.  Our response: Most organizations can block tor / i2p, consumers still vulnerable.
  • 17. Domain Generation Algorithms  Usually a complex math algorithm to create pseudo- random but predictable domain names.  Now instead of a static list, you have a dynamic list of hundreds or thousands of domains and adversary only needs to have a couple registered at a time.  Can shop registrars to avoid suspension.
  • 18. Use of Multiple Techniques  The most resilient malware C2 use multiple methods of callback.  Static Lists  DGAs  Tor/I2P  If one or two are blocked, still able to control machine.
  • 19. Reverse Engineering DGAs  Many blog posts about reversing specific DGAs, Johannes Bader has the most online at his blog:  Johannesbader.ch  No real shortcuts except working through IDA/Debugger and reversing the function.  Look for functions that iterate many times.  There will be at least a function to generate the domains and a function to connect to all of them to find the C2.  As with all reverse engineering, be aware of obfuscation and decoy code meant to deceive you.
  • 20. Reversing DGAs Example From http://johannesbader.ch/2015/05/the-dga-of-ranbyus/
  • 21. Types of DGAs  Almost all DGAs use some time of “Seed”.  Types:  Date-based  Static seed  Dynamic seed  Seed has to be globally consistent so all victims use the same one at the same time.
  • 22. Other DGA Hardening Techniques  Choice of gTLD matters.  Some doing have WHOIS protection, make it hard to sinkhole  Rotation of seeds  Some malware has rudimentary “sinkhole awareness”  Adversarial objectives: Maintain control, limit surveillance
  • 23. Examples of select DGAs - Conficker  Used PNRG with date seed to generate domains.  A and B created 250 domains across 5 and 8 gTLDs.  C and D upped this to 50,000 across 140 gTLDs in response to registries banning the use of conficker DGA domains.
  • 24. Examples of select DGAs - Cryptolocker  Used 1000 domains a day across 7 gTLDs. Order domains are queries in based on GetTickCount()  Eerily similar to DGA described in Wikipedia article on DGAs.  Used previously by Flashback OSX Worm.  Never changed during the life of the malware campaign.  Successfully taken down in June 2014.  Special thanks to Vladimir Kropotov for his help on this!
  • 25. Examples of select DGAs - Cryptolocker  Intel conclusions:  Likely written by a third party.  Went days without a domain registered, actor wanted to get paid but wasn’t overly concerned about keeping everything going 24x7.  Tended not to shift registrar even after domains were suspended.  Likely didn’t monitor his own domains because the ratio of malicious to sinkholed domains was about 1:125.  Way to go on the OPSEC good guys. D
  • 26. Examples of select DGAs - Tinba  Generated 1,000 domains a day, not date-seeded.  Seeded by an initial hostname and a defined gTLD.  Change seeds often and tends to update already infected machines.  At least sinkholing tended to be ineffective for more than a few days.
  • 27. Examples of select DGAs - Tinba  Intelligence conclusions:  These guys care about their infrastructure.  Likely they are actively monitoring to see when their DGA is cracked and adapting accordingly.  Likely they wrote DGA with this kind of flexibility in mind.
  • 28. Examples of select DGAs - Bedep  Uses a dynamic seed – currency exchange values for foreign currency  European Central Bank produces daily feeds of the rates, this is used as source data.  Impossible to predict in advance even though code to generate the domains is publicly available.  http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for- malware-domains/
  • 29. Examples of select DGAs - Bedep  To date, all successful takedowns (and for that matter unsuccessful takedowns) seized malicious DGA domains in advance while simultaneously suspending current domains.  This would decapitate a botnet if and only if there was no fallback mechanism to reach the C2 (i.e. tor).  How can you do this for Bedep when you don’t know future currency values?  Intelligence conclusion: this is obviously an intentional choice.
  • 30. What the use of DGAs give the good guys  Easy ability to sinkhole unused DGA domains to gather additional intelligence.  Easier ability to do bulk takedowns.  *IF* you can predict domains in advance.  The ability to surveil malicious infrastructure in near real- time.
  • 31. What the use of DGAs give the good guys  The use of DNS in malware severely limits the ability of the adversary to play games.  The need the world to be able to find their infrastructure in order to control victim machines.  Even when DGA changes, the adversary **tends** not to immediately change their infrastructure too.  Allows for the use of passive DNS to see the extent of DGA changes.
  • 32. Sinkholing  Many security companies do this.  Many want to hide the fact they do this.  Most adversaries aren’t stupid enough to not notice.  Remember, Cryptolocker we had 125 or so sinkholed domain for every 1 malicious domain.
  • 33. Feed generation on DGAs ndsonjcyllala.com,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 gwhdgqvghqbre.net,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 tsgqxijpaiegf.biz,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 hbweraesinrfg.ru,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 uwvrjrrcbfutx.org,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 kgmbjjfiktile.co.uk,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 xclobbsrdllaf.info,Domain used by Cryptolocker - Flashback DGA for 22 May 2015 From here you could easily feed this into RPZ or other technology to protect your organization. But we want more.
  • 34. How to set up surveillance on a DGA  Easy to set up with shell scripting and a non-t1.micro AWS instance.  Requires GNU parallel and adns-tools to handle bulk DNS queries.
  • 35. DGA surveillance  Pre-generate all domains 2 days before to 2 days in future.  Pipe all those domains into adnshost using parallel to limit the number of lines.  Able to process over 200,000 domains inside 10 minutes (and I’m not done optimizing).
  • 36. Tinba DGA feed example bbqfwypsbwjt.com,Domain used by tinba,2015-05-24 19:40 bfoxyvqtolmn.com,Domain used by tinba,2015-05-24 19:40 biygihojbxhs.com,Domain used by tinba,2015-05-24 19:40 bvhtdpnqpeur.com,Domain used by tinba,2015-05-24 19:40 cbjedxmjsxyv.ru,Domain used by tinba,2015-05-24 19:40 cdtpxpsdxgkp.com,Domain used by tinba,2015-05-24 19:40 cniuybkgxelo.com,Domain used by tinba,2015-05-24 19:40 This is active not-known-sinkhole domains current resolving.
  • 37. A note on intelligence bias  How we look at threats and what we tend to do with information will affect how we gather intel and how we process it.  I tend to be involved in takedowns so I am generally uninterested in sinkholes.  If you protect an organization, however, you care about your client machines reaching out to sinkholes because they are still infected.
  • 38. Tinba IP list 46.30.41.102,IP used by tinba C&C,2015-05-24 19:40 54.72.9.51,IP used by tinba C&C,2015-05-24 19:40 91.233.244.102,IP used by tinba C&C,2015-05-24 19:40 95.163.121.201,IP used by tinba C&C,2015-05-24 19:40 130.211.70.150,IP used by tinba C&C,2015-05-24 19:40 151.248.123.41,IP used by tinba C&C,2015-05-24 19:40 Seems like a good list to firewall… More on that in a moment.
  • 39. Should also check NS info too 54.75.226.194,Nameserver IP used by tinba C&C,2015-05-24 19:46 54.75.227.14,Nameserver IP used by tinba C&C,2015-05-24 19:46 64.87.16.156,Nameserver IP used by tinba C&C,2015-05-24 19:46 67.195.1.92,Nameserver IP used by tinba C&C,2015-05-24 19:46 69.64.74.153,Nameserver IP used by tinba C&C,2015-05-24 19:46 77.247.183.137,Nameserver IP used by tinba C&C,2015-05-24 19:46
  • 40. Should also check NS info too dns1.webdrive.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns2.sitenewdns1.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns2.webdrive.ru,Nameserver used by tinba C&C,2015-05-24 19:46 dns3.sitenewdns1.ru,Nameserver used by tinba C&C,2015-05-24 19:46 With these two data points you can usually quickly validate what is a sinkhole and what is likely malicious and bears further investigation.
  • 41. DGA Surveillance  Looking at those four data points you now have solid information to make decisions based on the data.  You could block domains/IPs.  You could block nameservers (some times).
  • 42. Adversarial Response  Adversaries know we are doing this.  In response:  They change seeds frequently  They have non-DGA communication mechanisms  They engage in counterintelligence
  • 43. Counterintelligence  The tactics by which an adversary thwarts attempts to gather information on itself.  Remember the domain and IP lists before?  What if an adversary registers domains that they aren’t using?
  • 44. Counterintelligence – or worse version  What if adversary knows you pump your IP lists directly into your firewall (and I know people do this with my feeds)?  Anyone recognize these IP addresses? 198.41.0.4 192.228.79.201 192.33.4.12 199.7.91.13 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33
  • 45. Counterintelligence – or worse version  Taking action on information without analysis is generally a bad idea, especially when the information is under the complete control of the adversary.  This is why intelligence analysis is so important.  (I whitelisted the root servers after I noticed an adversary tried to do an attack similar to this.)
  • 46. Whois Registrar Intel  Often actors may re-use registrant information across different campaigns. There may be other indicators too.  Sometimes *even with WHOIS privacy protection* it may be possible to correlate domains and by extension the actor.  Most criminal prosecution in cybercrime is due to an OPSEC fail and the ability to map backwards in time of what the actor did to find that fail that exposes them.
  • 47. Surveillance is nice, what about notification?  Creation of feeds and intake is still a passive tactic.  It is all possible to automate notifications when key changes happen to allow for more near-time actions.  This uses the Pushover application (Apple and Google stores) which has a very simple API.
  • 48. New Dyre domain registered
  • 49. New Matsnu domains registered
  • 50. Pivoting  Now that I know the-fancastar.com and seedwisdonn.com serve NS for Matsnu, I can see what else is served by those nameservers to find additional intelligence.  Caution is due, this may not always yield results and may yield false positives. Always correlate with something else before making a final judgement.
  • 51. Last adversarial response  Starting to see sinkhole-aware malware.  Some malware always authenticated the C2, but sinkholes still could gather intel.  Now malware is being written to attempt to bypass sinkholes altogether.
  • 52. The Future?  DGAs will be around for awhile as part of several methods of communication to victim machines.  Tor/I2P will continue to be used because of its advantages but DGAs still needed due to ease of blocking tor.  Increase in the use of “interesting” dynamic seeds.
  • 53. Questions? Thanks PHDays V! My feeds: osint.bambenekconsulting.com/feeds/ jcb@bambenekconsulting.com www.bambenekconsulting.com +1 312 425 7225