
CSW2017 Kyle Ehmke: Lots of Squats: APTs Never Miss Leg Day

Published: CanSecWest 2017


  1. Lots of Squats: APTs Never Miss Leg Day. March 17, 2017. @ThreatConnect. © 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary
  2. Agenda
     • Spoofed domains
     • Notable breaches
     • Tools
     • Strategic view of spoofed domain registrations
     • Tactical view
     • Conclusions
  3. The First Look Vulnerability
     Rescuing Leia
     • Because everything has a Star Wars analogy
     Spoofed domains
     • Exploit the inherent and immediate trust that we place in the familiar
     • Target the organization itself, or another organization/technology pertinent to the operation
     Types
     • Typosquats
     • Look-alikes
     • Letter swaps
     • Sticky keys
  4. Pop Quiz Example
     A) gooqle.com
     B) googIe.com
     C) qoogle.com
     D) gcogle.com
  5. Pop Quiz Example: gooqle.com and qoogle.com use a lowercase "q" in place of a "g"
  6. Pop Quiz Example: gcogle.com uses a "c" in place of an "o"
  7. Pop Quiz Example: googIe.com uses an uppercase "I" in place of a lowercase "l"
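The pop quiz and the four spoof types on slide 3 reduce to a handful of string edits. The Python below is an added example, not code from the talk, dnstwist or URLCrazy: it generates those variants for a brand domain and maps an observed domain back to the brand and the technique used. The homoglyph table is a small hand-picked assumption, not a full confusables list. One caveat the quiz glosses over: DNS is case-insensitive, so googIe.com is registered as googie.com; the uppercase I fools a reader only when the string is rendered in a sans-serif font, which is why the comparison below lowercases first.

```python
"""Generate the spoofed-domain variants named on slides 3 to 7 and map an
observed domain back to the brand it imitates.

Added example; not code from the talk, dnstwist or URLCrazy. HOMOGLYPHS is a
small hand-picked table (an assumption), not a full confusables list."""

# Visually confusable substitutions: the quiz's q/g, c/o, I/l and the 1/l of
# we11point[.]com, plus two multi-character look-alikes. Assumed, not exhaustive.
HOMOGLYPHS = {
    "g": ("q",),
    "o": ("c", "0"),
    "l": ("i", "1"),
    "m": ("rn", "nn"),
    "w": ("vv",),
}

ADDITIONS = "abcdefghijklmnopqrstuvwxyz0123456789"


def split_domain(fqdn):
    """'GoogIe.COM' -> ('googie', 'com'). DNS is case-insensitive, so the
    registered form of googIe.com is googie.com; the uppercase-I trick lives
    only in how a string is rendered, never in the zone."""
    label, _, tld = fqdn.strip().lower().partition(".")
    return label, tld


def gen_typosquats(fqdn):
    """Return {variant_fqdn: technique} for one-step spoofs of fqdn."""
    label, tld = split_domain(fqdn)
    out = {}

    def add(variant, technique):
        if variant and variant != label:
            out.setdefault(f"{variant}.{tld}", technique)

    n = len(label)
    # Letter swaps: adjacent transposition, misdepartment -> misdepatrment.
    for i in range(n - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "letter swap")
    # Sticky keys: one character doubled, google -> gooogle.
    for i in range(n):
        add(label[:i + 1] + label[i] + label[i + 1:], "sticky key")
    # Omission: one character dropped, google -> gogle.
    for i in range(n):
        add(label[:i] + label[i + 1:], "omission")
    # Addition: one trailing character, actblue -> actblues.
    for ch in ADDITIONS:
        add(label + ch, "addition")
    # Look-alikes: a homoglyph at one position, or at every position at once
    # (wellpoint -> we11point swaps both l's).
    for src, repls in HOMOGLYPHS.items():
        positions = [i for i, c in enumerate(label) if c == src]
        for rep in repls:
            for i in positions:
                add(label[:i] + rep + label[i + 1:], "look-alike")
            if len(positions) > 1:
                add(label.replace(src, rep), "look-alike")
    return out


def classify(observed, brand_domains):
    """Return (brand, technique) for the brand `observed` imitates, or None.
    An exact match is reported as 'legitimate' rather than as a spoof."""
    obs = "{}.{}".format(*split_domain(observed))
    for brand in brand_domains:
        if obs == "{}.{}".format(*split_domain(brand)):
            return (brand, "legitimate")
        technique = gen_typosquats(brand).get(obs)
        if technique:
            return (brand, technique)
    return None


if __name__ == "__main__":
    brands = ["google.com", "misdepartment.com", "actblue.com", "wellpoint.com"]
    for seen in ["gooqle.com", "googIe.com", "gcogle.com", "misdepatrment.com",
                 "actblues.com", "we11point.com", "google.com"]:
        print(seen, "->", classify(seen, brands))
```

This produces single-edit variants only. The keyword-style registrations seen later in the talk (opm-learning[.]org, adobeflashplayer[.]me) and same-label squats under other TLDs are out of scope here; a fuller tool such as dnstwist covers them with dictionary and TLD permutations.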
  8. Advanced Persistent Threats (APTs)
     Everybody's doing it
     • China
     • Russia
     Why
     • Relatively cheap
     • Easy to do
     • Effective
     • Can obfuscate origin
     Operations
     • Delivery
     • Exploitation
     • Command and control
     Notable breaches
     • Anthem/BCBS entities
     • OPM
     • DNC/DCCC
     Operation types
     • Credential harvesting
     • Malware dissemination
  9. Notable Breaches
     China – DEEP PANDA
     Anthem/BCBS
     • we11point[.]com
     • prennera[.]com
     • Chinese registrant resellers
     OPM
     • opm-learning[.]org
     • opmsecurity[.]org
     • "The Avengers" registrants
     Russia – FANCY BEAR
     DNC/DCCC
     • misdepatrment[.]com
     • actblues[.]com
     • Fake personas
  10. So What?
      Spoofing has become a TTP
      • Specific actors employ spoofing against specific sectors
      • There is a trend to look for
      Domain registration precedes the operation
      • The lead time varies
      Operationalize domain registration information
      • WHOIS as threat intelligence
  11. We're Not Playing Whack-a-Mole
      Simply reacting on a one-off basis won't suffice
      • Active state
      • Predictive state
      Leveraging domain registrations as threat intel
      • Higher-level strategic intelligence informs organizational or sector awareness
      • In-depth tactical intelligence provides situational awareness during incidents
      Operationalize domain registration information
      • Trends in spoofed domain registrations
      • Identifying and leveraging APT TTPs
  12. Tools of the Trade
      DNSTwist and URLCrazy
      • Open source
      • Identify spoofed domains for a given domain
      DomainTools
      • WHOIS
      • Typo Finder
      • Reverse NS Lookup
      • IRIS
  13. Domain Registrations as Strategic Intel
  14. Trends in Registrations
      Process
      • Identify all domains registered during a given timeframe that spoof the provided domains
      • Get WHOIS information for all of them: registrant, registrar, create date, registrant email address, country of origin
      • Used Excel
      • Remove legitimate registrations where possible
      • Investigate the WHOIS information to identify trends or patterns
      • Correlate possible spikes in activity with current events
      Hypothesis
      • Keeping track of all of the spoofed domains targeting a given organization or sector can help identify potential activity against that organization or sector.
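The process on slide 14, carried through in Python on a constructed WHOIS-style sample. This is an added example, not the talk's data or workflow: it drops the brand's own defensive registrations, zero-fills monthly counts so quiet months are part of the baseline, and flags months that stand out against median plus MAD with an absolute floor. The PharmaA records, the mailbox domains and the spike rule are all assumptions.

```python
"""Strategic view (slide 14): per-month counts of spoofed registrations for a
target, with the brand's own defensive registrations removed and spikes
flagged against a baseline.

Added example; not the talk's workflow or data. RECORDS is a constructed
WHOIS-style sample and the spike rule is an assumption to tune per sector."""
from collections import Counter
from datetime import date
from statistics import median

# Constructed rows in the shape slide 14 pulls from WHOIS:
# (spoofed domain, spoofed organisation, create date, registrant email, country).
# Invented for this example; "PharmaA" is a stand-in, not a real target.
RECORDS = [
    ("pharma-a-hr.com",      "PharmaA", date(2016, 1, 14), "ops@pharma-a.com",      "US"),
    ("pharrna-a.com",        "PharmaA", date(2016, 2, 2),  "proxy@privacy.example", "US"),
    ("pharma-a-portal.com",  "PharmaA", date(2016, 4, 4),  "wen.li@mail.example",   "CN"),
    ("pharma-a-login.com",   "PharmaA", date(2016, 4, 5),  "wen.li@mail.example",   "CN"),
    ("pharma-a-vpn.com",     "PharmaA", date(2016, 4, 5),  "wen.li@mail.example",   "CN"),
    ("pharma-a-mail.com",    "PharmaA", date(2016, 4, 6),  "reg7@mail.example",     "CN"),
    ("pharrna-a-sso.com",    "PharmaA", date(2016, 4, 11), "reg7@mail.example",     "CN"),
    ("pharma-a-owa.com",     "PharmaA", date(2016, 4, 19), "zz@mail.example",       "CN"),
    ("pharma-a.net",         "PharmaA", date(2016, 8, 9),  "dev@pharma-a.com",      "US"),
    ("pharma-a-careers.com", "PharmaA", date(2016, 10, 1), "someone@mail.example",  "RU"),
]

BRAND_EMAIL_DOMAINS = {"pharma-a.com"}  # the brand's own corporate mailboxes (assumed)


def remove_legitimate(records, brand_email_domains=BRAND_EMAIL_DOMAINS):
    """Drop rows registered from the brand's own mailboxes (slide 14: remove
    legitimate registrations where possible). Assumption: defensive
    registrations use a corporate address. Privacy-proxied rows are kept,
    because an actor hides behind a proxy as readily as a brand does."""
    return [r for r in records
            if r[3].rsplit("@", 1)[-1].lower() not in brand_email_domains]


def monthly_counts(records, year, country=None):
    """Zero-filled {month: count} for one year, optionally for one country of
    origin, so quiet months still sit in the baseline."""
    counts = {m: 0 for m in range(1, 13)}
    for _, _, created, _, cc in records:
        if created.year == year and (country is None or cc == country):
            counts[created.month] += 1
    return counts


def find_spikes(counts, k=3.0, floor=3):
    """Months whose count exceeds median + k*MAD (MAD floored at 1 so a flat
    baseline still yields a threshold) and reaches an absolute floor, which
    keeps a lone registration in an otherwise empty year from reading as a
    spike. Assumed rule; slide 35's point is that the baseline comes first."""
    values = list(counts.values())
    med = median(values)
    mad = max(median(abs(v - med) for v in values), 1.0)
    baseline_max = med + k * mad
    return sorted(m for m, c in counts.items() if c >= floor and c > baseline_max)


def registrants_in(records, year, month):
    """Registrant emails behind one month's registrations, most frequent
    first: the tracking handle slide 21 recommends keeping."""
    return Counter(r[3] for r in records
                   if r[2].year == year and r[2].month == month).most_common()


if __name__ == "__main__":
    suspect = remove_legitimate(RECORDS)
    counts = monthly_counts(suspect, 2016)
    print("2016 by month:", counts)
    for m in find_spikes(counts):
        print(f"spike in 2016-{m:02d}:", registrants_in(suspect, 2016, m))
    print("China only:", find_spikes(monthly_counts(suspect, 2016, country="CN")))
```

Run stand-alone it prints the 2016 monthly counts and, for the flagged month, the registrant emails behind it. Passing a country reproduces the China-only view the BCBS charts take. Whether a flagged month is hostile activity or a reaction to a news event is still the analyst's call, as slide 21 says.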
  15. Organizational Example: Anthem BCBS
      Research
      • Spoofed domains targeting Anthem BCBS legitimate domains
      • 10 domains/organizations
      Identified
      • Over 1400 spoofed domains
      • Over 280 in 2015
      • 59 of which came from China
  16-18. [Chart] Number of Spoofed Domain Registrations from China Targeting BCBS Entities, 2015
  19. Sector Example: Pharmaceutical Industry
      Research
      • Spoofed domains targeting six major pharmaceutical companies
      Identified
      • Over 2000 spoofed domains
      • 304 in 2015
      • At least 70 from China
  20. Findings
      Novartis – March 2015
      • Three spoofed domains in March
      • FDA approves first biosimilar drug
      • Beijing lifts price controls on pharmaceuticals
      Lilly – November 2015
      • Eight spoofed domains in October, twelve in November
      • Eli Lilly and China's Innovent expand partnership
      • FDA approves cancer drug
      Sanofi – April 2016
      • Twelve spoofed domains in April, two in the rest of 2016
      • Bids for Medivation
      • Eczema drug clears trials
  21. What Does This Mean for an Org/Sector?
      Spikes in registration activity
      • Potentially portend malicious activity and necessitate heightened awareness
      • May not be malicious; may be related to non-cyber events
      • Situational awareness for sectors
      WHOIS
      • Registrants and email addresses for tracking
      • Identify other domains that the individuals targeting your organization register
      Helps identify threats
      • Consistencies with previously identified APTs
      • Capabilities, TTPs, and other infrastructure to be aware of
  22. Domain Registrations as Tactical Intel
  23. Pivoting from One Spoofed Domain to Others
      Process
      • Identify a spoofed domain that is particularly suspicious or has been leveraged in malicious activity
      • Get WHOIS and/or SOA information for the domain: registrant, registrar, create date, registrant email address, country of origin, name server, etc.
      • Identify the most unique registration information
      • Pivot to other domains using that most unique registration information
      Hypothesis
      • WHOIS information for an encountered spoofed domain can help us identify an actor's other spoofed domains that may be leveraged against the same or other targets.
  24. DNC and DCCC Attacks
      DNC
      • CrowdStrike analysis from mid-June
      • Identified a FANCY BEAR IP address
      • ThreatConnect identified misdepatrment[.]com, which spoofs "MIS Department"
      DCCC
      • Reporting from mid-July identified that the same actors compromised the DCCC
      • Used a spoofed domain targeting the donation website
      • Fidelis identified actblues[.]com vs. actblue[.]com
      • Registered the day after the DNC attack was publicized
  25. WHOIS/SOA Information for FANCY BEAR Domains: misdepatrment[.]com, actblues[.]com
  26-30. What Can We Pivot from that is Unique?
      Seed domains: misdepatrment[.]com, actblues[.]com
      Pivoted domains: httpconnectsys[.]com, fastcontech[.]com, intelsupportcenter[.]com, intelsupportcenter[.]net
  31. Name Servers
      Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)
      • Bitcoins
      • ~2500 domains
      • Previous associations to FANCY BEAR: militaryobserver[.]net, sysprofsvc[.]com, euronews24[.]info, naoasch[.]com, storsvc[.]org
      ITitch (ns1.ititch.com)
      • Bitcoins
      • ~2100 domains
  32. Hundreds of Spoofed Domains on Name Servers
      access-google[.]com, actblues[.]com, adobeflashdownload[.]de, adobeflashplayer[.]me, adobeflashplayer[.]space, adobeupdater[.]org, adobeupdatetechnology[.]com, adoble[.]net, akamaitechnologysupport[.]com, akamaitechupdate[.]com, appclientsupport[.]ca, appleappcache[.]com, appleauthservice[.]com, applerefund[.]com, archivenow[.]org,
      bbcupdatenews[.]com, bit-co[.]org, bitsdelivery[.]com, buy0day[.]com, cdn-google[.]com, cdncloudflare[.]com, cloudfiare[.]com, dynamicnewsfeeds[.]com, ebiqiuty[.]com, egypressoffice[.]com, eigsecure[.]com, facebook-profiles[.]com, flashplayer2015[.]xyz, goaarmy[.]org, govsh[.]net, great-support[.]com,
      hackborders[.]net, helper-akamai[.]com, honeyvvell[.]co, intelintelligence[.]org, intelsupportcenter[.]com, intelsupportcenter[.]net, login-hosts[.]com, logmein-careservice[.]com, marshmallow-google[.]com, micoft[.]com, microsoft-updates[.]me, mofa-uae[.]com, ms-drivadptrwin[.]com, ms-sus6[.]com, ms-updates[.]com,
      nato-org[.]com, natoadviser[.]com, new-ru[.]org, newflashplayer2015[.]xyz, passwordreset[.]co, pdf-online-viewer[.]com, sec-verified[.]com, securesystemwin[.]com, securityresearch[.]cc, services-gov[.]co[.]uk, social-microsoft[.]com, socialmedia-lab[.]com, symantecupdates[.]com, terms-google[.]com, theguardiannews[.]org, theguardianpress[.]com, thehufflngtonpost[.]com,
      vortex-sandbox-microsoft[.]com, vpssecurehost[.]com, win-wnigarden[.]com, wincodec[.]com, windowsnewupdated[.]com, winliveupdate[.]top, winninggroup-sg[.]com, wm-z[.]biz, wmepadtech[.]com, wsjworld[.]com, yourflashplayer[.]xyz
  33. Subset for 1&1 Email Domains
      Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)
      • akamaitechnologysupport[.]com
      • akamaitechupdate[.]com
      • micoft[.]com
      • ms-drivadptrwin[.]com
      • ms-sus6[.]com
      • securesystemwin[.]com
      • wmepadtech[.]com
      • natoadviser[.]com
      • theguardiannews[.]org
      • wsjworld[.]com
      ITitch (ns1.ititch.com)
      • bitsdelivery[.]com
      • apptaskserver[.]com
      • aptupdates[.]org
      • contentupdate[.]org
      • defenceglobaladviser[.]com
      • dowssys[.]com
      • gmailservicegroup[.]com
      • i-aol-mail[.]com
      • msmodule[.]net
      • officeupdater[.]com
      • systemsv[.]org
      • updmanager[.]net
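Slide 23's pivot process and the name-server narrowing of slides 31 to 33, as one added Python example (not the talk's tooling or data). The corpus is constructed: 'ns1.bulk-host.example' stands in for a bitcoin-accepting registrar's shared name server, 'mail.example' for a free-mail provider such as the 1&1 domains, and the field names are assumptions since real WHOIS exports vary. For each field of the seed domain it counts how many other domains share the value, keeps fields that are rare but not unique as standalone pivots, and shows why a name server with dozens or thousands of tenants becomes useful only once a second attribute is required to match as well.

```python
"""Tactical view (slide 23): rank a seed domain's WHOIS/SOA fields by how
few other domains share each value, pivot on the rarest usable one, then
narrow a high-fan-out pivot such as a shared name server (slides 31 to 33)
by requiring a second attribute to match as well.

Added example; not the talk's tooling or data. CORPUS is constructed,
'ns1.bulk-host.example' stands in for a bitcoin-accepting registrar's shared
name server and 'mail.example' for a free-mail provider like the 1&1
domains of slide 33. Field names are assumptions; real WHOIS exports vary."""


def _row(registrar, email, ns, country, created):
    return {"registrar": registrar, "email": email, "ns": ns,
            "country": country, "created": created}


# Constructed corpus: domain -> WHOIS/SOA fields.
CORPUS = {
    # the domain encountered in the incident
    "misdept-spoof.com": _row("Registrar-A", "persona1@mail.example",
                              "ns1.bulk-host.example", "FR", "2016-06-15"),
    # same persona mailbox: the strongest pivot
    "donate-spoof.com":  _row("Registrar-B", "persona1@mail.example",
                              "ns1.bulk-host.example", "NL", "2016-06-16"),
    # same name server and same mail provider, different mailbox
    "intel-support.net": _row("Registrar-A", "persona2@mail.example",
                              "ns1.bulk-host.example", "DE", "2016-03-02"),
    "ms-update.me":      _row("Registrar-C", "persona3@mail.example",
                              "ns1.bulk-host.example", "NL", "2016-01-20"),
    # same registrar, different name server: unrelated
    "legit-site.org":    _row("Registrar-A", "admin@legit-site.org",
                              "ns1.other.example", "US", "2014-05-05"),
}
# Bulk customers of the same cheap name server: the noise that makes a bare
# NS pivot unusable (the talk's ~2500-domain name servers, scaled down).
for i in range(60):
    CORPUS[f"shop-{i:03d}.com"] = _row(
        "Registrar-A" if i % 2 else "Registrar-C", f"user{i}@webmail.example",
        "ns1.bulk-host.example", "US", f"2016-{1 + i % 9:02d}-01")


def enrich(row):
    """Add the mailbox's domain as its own pivotable field (slide 33)."""
    return dict(row, email_domain=row["email"].rsplit("@", 1)[-1].lower())


def field_rarity(seed, corpus):
    """[(field, value, number_of_other_domains_sharing_it)] for every field
    of seed, rarest first. 0 means unique to the seed: nothing to pivot to."""
    rows = {d: enrich(r) for d, r in corpus.items()}
    out = []
    for field, value in rows[seed].items():
        shared = sum(1 for d, r in rows.items() if d != seed and r.get(field) == value)
        out.append((field, value, shared))
    return sorted(out, key=lambda t: t[2])


def best_pivots(seed, corpus, max_fanout=50):
    """Fields worth pivoting on alone: shared by at least one other domain but
    by no more than max_fanout (an assumed cut-off). A name server with
    thousands of tenants fails this test and is kept for confluence instead."""
    return [t for t in field_rarity(seed, corpus) if 1 <= t[2] <= max_fanout]


def pivot(corpus, **constraints):
    """Sorted domains whose fields match every constraint. Stacking two, e.g.
    pivot(CORPUS, ns=..., email_domain=...), is the 'confluence of WHOIS
    information' of slide 34."""
    return sorted(d for d, r in corpus.items()
                  if all(enrich(r).get(f) == v for f, v in constraints.items()))


if __name__ == "__main__":
    seed = "misdept-spoof.com"
    for field, value, shared in field_rarity(seed, CORPUS):
        print(f"{field:13s} {value!s:28s} shared by {shared}")
    ns = CORPUS[seed]["ns"]
    print("NS alone:", len(pivot(CORPUS, ns=ns)), "domains")
    print("NS + mail provider:", pivot(CORPUS, ns=ns, email_domain="mail.example"))
```

The registrant email ranks first because exactly one other domain shares it; the name server is shared by more than sixty and drops out of the standalone list, but combined with the mail-provider field it yields the same short set the talk reaches on slide 33. The cut-off and the choice of second attribute are analyst decisions, and, as slide 35 says, a shared field is a lead to be researched, not proof that the neighbouring domains are malicious.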
  34. What Does This Mean for an Org/Sector?
      Relevant threat intelligence
      • During incidents: actor pivoting
      • Historical registrations for reviewing previous activity
      WHOIS
      • Identify other domains that individuals targeting your organization register
      Future tracking
      • Registrant email addresses
      • Name servers
      • Confluence of WHOIS information
  35. Caveats
      Findings merit additional research
      • Spoofed domains are not necessarily malicious
      • Tracking domains may help identify if/when they are operationalized: watch hosting information, slice and dice the WHOIS
      Legitimate domains
      • Some domains, like lilly.com, inherently have false positives
      • Baseline activity to identify spikes
      • Also requires an understanding of your organization's assets
      Importance of sharing
      • Impossible to do this type of research for all of the organizations/technologies that your organization may be involved with
      • Sharing intelligence derived from this type of research facilitates other organizations' defensive efforts
  36. Conclusions
      Leverage intelligence from spoofed domain registrations
      Not cost prohibitive
      • Lower amount of resources
      • Some tools openly available
      Strategic and tactical research
      • Focuses on a common TTP
      • Provides situational and tactical awareness
      Helps defend your organization and others
      • Sharing is caring
      • Cyber security karma
  37. THANK YOU!
      Blog: threatconnect.com/blog
      Twitter: @ThreatConnect
      Sign up for a free account: www.threatconnect.com/free
