3. Users and apps have adopted the cloud
49% of the workforce is mobile
82% admit to not using the VPN
70% increase in SaaS usage
70% of branch offices have DIA
Security controls must shift to the cloud
4. Your security challenges
Malware and ransomware
Gaps in visibility and coverage
Cloud apps and shadow IT
Difficult to manage security
5. Our view of the internet
120B requests per day
15K enterprise customers
85M daily active users
160+ countries worldwide
Our efficacy
Discover: 3M+ daily new domain names
Identify: 70K+ daily malicious destinations
Enforce: 7M+ malicious destinations while resolving DNS
10. Anatomy of a Cyber Attack
Reconnaissance and Infrastructure Setup: Domain Registration, IP, ASN Intel., Public / Private Announcements
Patient Zero Hit
Defense Signatures Built
Target Expansion
Wide-Scale Prevalence
Monitor Adaptation Based on Results
11. Defense Signatures Built: Co-occurrence model (domains guilty by inference)
Figure: requests ordered in time (time - to time +): a.com b.com c.com x.com d.com e.com f.com. x.com is the known malicious domain; the domains requested just before and after it are marked as possible malicious domains.
Co-occurrence of domains means that a statistically significant number of identities have requested both domains consecutively in a short timeframe.
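The co-occurrence model described on this slide, worked through as an added example (this is not OpenDNS code). It scores every domain by how many distinct identities requested it within a short window of a request for a known malicious domain. The log, the 30-second window, the allowlist of shared infrastructure and the minimum of two identities (a stand-in for "statistically significant") are all constructed assumptions.

```python
"""Co-occurrence scoring over DNS query logs (added example, not OpenDNS code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (identity, ISO timestamp, queried domain).
SAMPLE_LOG = [
    ("id-1", "2016-03-01T10:00:00", "a.com"),
    ("id-1", "2016-03-01T10:00:05", "x.com"),        # known malicious
    ("id-1", "2016-03-01T10:00:08", "d.com"),
    ("id-1", "2016-03-01T10:00:09", "cdn.example"),
    ("id-2", "2016-03-01T11:30:00", "b.com"),
    ("id-2", "2016-03-01T11:30:02", "x.com"),
    ("id-2", "2016-03-01T11:30:04", "d.com"),
    ("id-2", "2016-03-01T11:30:05", "cdn.example"),
    ("id-3", "2016-03-01T12:00:00", "x.com"),
    ("id-3", "2016-03-01T12:00:03", "d.com"),
    ("id-3", "2016-03-01T12:00:10", "e.com"),
    ("id-3", "2016-03-01T13:00:00", "f.com"),        # an hour later: outside the window
    ("id-4", "2016-03-01T14:00:00", "a.com"),        # never requests x.com
    ("id-4", "2016-03-01T14:00:03", "d.com"),
]
KNOWN_MALICIOUS = {"x.com"}
# Constructed allowlist: shared infrastructure that co-occurs with everything
# and would otherwise dominate the scores.
ALLOWLIST = {"cdn.example"}


def parse_log(rows):
    """Group requests by identity and sort each identity's requests by time."""
    by_identity = defaultdict(list)
    for ident, ts, domain in rows:
        by_identity[ident].append((datetime.fromisoformat(ts), domain))
    for events in by_identity.values():
        events.sort()
    return by_identity


def cooccurring_identities(by_identity, known_bad, window_seconds=30):
    """Map candidate domain -> set of identities that requested it within
    +/- window_seconds of one of their own requests for a known-bad domain."""
    window = timedelta(seconds=window_seconds)
    counts = defaultdict(set)
    for ident, events in by_identity.items():
        bad_times = [t for t, d in events if d in known_bad]
        if not bad_times:
            continue  # this identity never touched a known-bad domain
        for t, d in events:
            if d in known_bad or d in ALLOWLIST:
                continue
            if any(abs(t - bt) <= window for bt in bad_times):
                counts[d].add(ident)
    return counts


def score_domains(rows, known_bad=KNOWN_MALICIOUS, min_identities=2, window_seconds=30):
    """Return {domain: distinct identities} for domains co-occurring with a
    known-bad domain across at least min_identities identities, highest first."""
    counts = cooccurring_identities(parse_log(rows), known_bad, window_seconds)
    flagged = {d: len(ids) for d, ids in counts.items() if len(ids) >= min_identities}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for domain, n in score_domains(SAMPLE_LOG).items():
        print(f"{domain}: requested near a known-bad domain by {n} identities")
```

Counting distinct identities rather than raw requests is what keeps one noisy client from making a domain "guilty"; in production the threshold would be a statistical test against each domain's baseline popularity, not a fixed count.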
12. Spike rank model: patterns of guilt
Figure: DNS requests for y.com per day, with labelled pattern shapes DGA, MALWARE, EXPLOIT KIT and PHISHING.
A massive amount of DNS request volume data is gathered and analyzed. The DNS request volume for y.com matches a known exploit kit pattern and predicts a future attack, so y.com is blocked before it can launch the full attack.
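The spike rank idea from this slide, as an added example (not OpenDNS code): per-domain daily request counts are first checked for a spike against the domain's own baseline, and the shape of the recent days is then correlated against pattern templates. The daily counts, the two templates ("exploit-kit" as a geometric ramp-up from near zero, "flash-crowd" as a benign step) and the thresholds are constructed for illustration and are not real signatures.

```python
"""Spike-rank style detection over daily DNS request counts (added example, not OpenDNS code)."""
from math import sqrt
from statistics import mean, pstdev

# Constructed daily request counts per domain, oldest day first (10 days).
DAILY_REQUESTS = {
    "y.com":        [0, 0, 0, 0, 0, 2, 15, 80, 400, 2100],                   # ramp-up from nothing
    "news.example": [900, 950, 880, 920, 1000, 970, 940, 960, 990, 1010],    # steady
    "shop.example": [50, 55, 48, 52, 60, 58, 51, 54, 3000, 2900],            # sudden step, then plateau
}

# Constructed pattern templates: the shape of the last 5 days, not real signatures.
TEMPLATES = {
    "exploit-kit": [1, 5, 25, 125, 625],   # geometric growth from near zero
    "flash-crowd": [1, 1, 1, 50, 50],      # step up and hold (e.g. a legitimate promotion)
}
MALICIOUS_TEMPLATES = {"exploit-kit"}


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 when either is flat."""
    mx, my = mean(xs), mean(ys)
    num = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    den = sqrt(sum((x - mx) ** 2 for x in xs) * sum((y - my) ** 2 for y in ys))
    return num / den if den else 0.0


def spike_score(series, tail=5):
    """How far the busiest recent day sits above the earlier baseline, in
    baseline standard deviations (+1 so a perfectly flat baseline cannot divide by zero)."""
    baseline, recent = series[:-tail], series[-tail:]
    return (max(recent) - mean(baseline)) / (pstdev(baseline) + 1.0)


def best_template(series, tail=5):
    """Return (template name, correlation) of the template that best fits the recent days."""
    recent = series[-tail:]
    return max(((name, pearson(recent, tpl)) for name, tpl in TEMPLATES.items()),
               key=lambda kv: kv[1])


def classify(series, min_score=10.0, min_corr=0.9):
    """'steady' if no spike, 'spike-unmatched' if the spike fits no template,
    otherwise the name of the matching template."""
    if spike_score(series) < min_score:
        return "steady"
    name, corr = best_template(series)
    return name if corr >= min_corr else "spike-unmatched"


def rank_domains(daily=DAILY_REQUESTS):
    return {domain: classify(series) for domain, series in daily.items()}


def domains_to_block(daily=DAILY_REQUESTS):
    """Only spikes whose shape matches a malicious template are blocked;
    a benign flash crowd spikes just as hard but is left alone."""
    return [d for d, label in rank_domains(daily).items() if label in MALICIOUS_TEMPLATES]


if __name__ == "__main__":
    for domain, label in rank_domains().items():
        print(f"{domain}: {label} (spike score {spike_score(DAILY_REQUESTS[domain]):.1f})")
    print("block:", domains_to_block())
```

The two-stage check matters: shop.example spikes far harder than y.com in absolute terms, but its step shape matches the benign template, so only y.com, whose growth curve matches the exploit-kit template, is queued for blocking before the volume peaks.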
14. What you can find with threat intelligence
Across 200+ recent POVs:
50% encountered APT (Advanced Persistent Threat)
82% encountered ransomware
77% encountered phishing
81% encountered C2 callback
86% encountered Angler
74% encountered Locky
Script
Prior to the attack, OpenGraphiti shows that each of these networks is disjoint, with no sign of a redirect.
After the attack, you can see that traffic from each site is routed to the SEA IP.
We are able to map out all other known domains hosted at that same IP, one of which appears to be a PayPal phishing site.
Guilt by association helps us confirm that this IP and its associated domains are locations we want to prevent our users from connecting to.
After confirming that we are blocking nytimes for the right reasons, we were able to redirect users to the correct IP for nytimes.com.
During the attack Rajiv Pant (VP of nytimes) tweeted to use OpenDNS as a workaround.