This document discusses how Verisign analyzes "noise" or unused DNS data to identify botnet domains. It describes how Verisign developed the Botnet Detection Service (BDS) to analyze NXDomain traffic patterns and detect botnet activity. BDS identifies botnet domains which Verisign then filters out of its domain recommendation indexes to prevent potential botnet registrations and transmissions. The document outlines opportunities to further develop BDS such as expanding it to additional TLDs and traffic types to more comprehensively identify botnet command-and-control domains.
HITCON 2017: Building a Public RPZ Service to Protect the World's Consumers - John Bambenek
While we have many products and tools to protect enterprise and government networks, we are not using those same tools to protect consumers who cannot afford the products and services of security companies. This talk will focus on building an RPZ service that can use already existing, freely accessible threat intelligence feeds to protect consumers against threats we already know about.
A Look Into Emerging Security Issues Within Cryptocurrency Ecosystems - Beau Bullock
This presentation covers the basics of what cryptocurrencies are, some major hacks, and a walkthrough of vulnerabilities emerging from cryptocurrency ecosystems.
Pichman privacy, the dark web, & hacker devices i school (1) - Stephen Abram
This document provides an overview and summary of a presentation on privacy, the dark web, and hacker devices. The presentation discusses tools that provide anonymity such as Tor browsing and VPNs. It also covers common devices and software used on the dark web and defenses against cyber attacks. The document discusses why people attack, how to prevent being tracked, and mitigating risks. It provides tips on anonymity and privacy as well as an overview of hacker tools and techniques. The presentation aims to familiarize audiences with anonymity methods while discouraging illegal use of the information.
THOTCON - The War over your DNS Queries - John Bambenek
Talk given at THOTCON on October 9, 2021, entitled "The War over your DNS queries and what to do about it." Covers DNS security and privacy and the importance of running your own DNS resolver.
Siobhan Coyle has over 10 years of experience in accounting, financial administration, and business. She holds a BA in Business Studies and an MA in Accounting. Currently, she works as an accounts assistant for John Hanna Associates, where her duties include accounts and using accounting software. In her voluntary work, she is a team leader for HSE Solas and coaches multiple underage GAA teams. She has received awards for her accounting and leadership skills.
Ryan LaFrence is seeking an entry-level position in computer science. He is expected to graduate in May 2016 from Southern Illinois University with a Bachelor of Science in Computer Science and a GPA of 2.952, concentrating in network and computer security. His skills include programming languages like Java, C, HTML/CSS, and Assembly Language. He has experience with software like Android Studio, Eclipse, Windows and Linux operating systems.
Terri Purcell has experience in editing, writing, and marketing through various internships and jobs. She has a Bachelor's degree in English from Millikin University where she graduated Magna Cum Laude. Her professional experience includes working as a rotating intern for Independent Publishing Group and as an editor and community relations role for Bronze Man Books. She is proficient in Microsoft Office, familiar with design programs, and has skills in book editing, copying, public relations, and marketing.
Dener Carlos da Silva has more than 20 years of experience in the commercial and sales areas. He is currently seeking a position as Regional Manager. He holds degrees in Business Administration and Marketing and is fluent in English and Spanish. He has held leadership positions at companies such as Kensington, Bombril and Sadia.
This document discusses hunting for threats on networks and hosts using free and open source tools. It begins with an overview of threat hunting and the hunt cycle. It then provides recommendations for hunting on the cheap using passive DNS, looking for fast flux domains, domain generation algorithms (DGA), and periodicity in DNS queries to identify anomalies on the network. For hunting on hosts, it recommends using Sysinternals Autoruns to identify abnormal startup programs and persistence mechanisms by comparing autorun items across systems. Yara rules and VirusTotal are also suggested for scanning for known malware indicators. The document emphasizes establishing a baseline of normal activity and investigating outliers.
For organizations and individuals with limited security budgets, successfully hunting for cyber adversaries can be a daunting challenge. Threat Intelligence can be expensive and sometimes nothing more than IoCs or blacklists. In this talk, Endgame's threat research team will present a series of techniques that can enable organizations to leverage free or almost-free sources of data and open-source tools to "hunt on the cheap." They'll explain how to: retrieve attackers' tools from globally distributed honeynets that look like your organization or a juicy launching point to attackers; enrich the data past basic file/tool hashes to identify malicious command and control IPs/domains through automated binary analysis using open-source sandboxes and tools; and use passive DNS data to identify active infections and enrich existing data sets. Attendees will learn how to apply these three techniques to hunt for adversaries within their own networks. They will also learn about the various open-source solutions available, such as graph databases, that make these techniques inexpensive and within the scope of many organizations.
Anjum Ahuja, Senior Threat Researcher, Endgame
Jamie Butler, Chief Scientist, Endgame
Andrew Morris, Threat Researcher, Endgame
18 September 2017 - ION Malta
DNSSEC helps prevent attackers from subverting and modifying DNS messages and sending users to wrong (and potentially malicious) sites. So what needs to be done for DNSSEC to be deployed on a large scale? We’ll discuss the reasons for deploying DNSSEC, examine some of the challenges operators have faced, and address those challenges and move deployment forward.
- IoT Security is a Safety/Privacy Issue
- Consider the devices you bring into your home and to work
Video Links:
- Hue: https://www.youtube.com/watch?v=7TOsFqqJgj4
- Slow Cooker: https://www.walmart.com/ip/BLACK-DECKER-WiFi-Enabled-6-Quart-Slow-Cooker/128745799
- Smart Toilet: https://www.youtube.com/watch?v=HyZ7S4fE5v4
DEF CON 27 - D4KRM4TTER MIKE SPICER - I know what you did last summer - Felipe Prado
This document provides an overview and background of a wireless security researcher known as the WiFiCactus. It summarizes their interests and work analyzing wireless networks at DEFCON and other conferences over the years, including wardriving experiments and building tools to analyze large datasets captured from wireless monitoring. It also shares some findings from analyzing these datasets, such as visualizing the locations of detected devices and instances where APIs or software leaked private information over wireless networks.
Solving the Visibility Gap for Effective Security - Lancope, Inc.
Network visibility is a vital component of an effective security strategy, but many organizations lack the ability to identify threat activity in their environment. At Cisco, we have assessed the networks of thousands of organizations, and in nearly every instance, we discovered undocumented hosts, risky user behavior, or malicious activity.
Whether it is rogue servers, unauthorized connections, or ongoing data breaches, we’ve harnessed the power of network visibility to identify a variety of suspicious and malicious activity. Now let us share our knowledge with you.
Join Jeff Moncrief, Systems Engineering Manager at Cisco, to learn:
- The reality of how vulnerable enterprise networks are from endpoint to edge
- The security benefits of end-to-end network visibility
- Common problems solved with network visibility
- Stories of real-life threats hidden on networks we’ve assessed
- How to turn your network into a security sensor to gain critical visibility and threat detection capabilities
Touring the Dark Side of Internet: A Journey through IOT, TOR & Docker - Abhinav Biswas
With the advent of IoT, every 'thing' is getting smart, from smartwatches, smart refrigerators and smart bulbs to smart cars, smart healthcare, smart agriculture, smart retail, smart cities and, why not, even a smart planet. But why is everything getting smart? People are trying to bridge the gap between the digital world and the physical world by means of ubiquitous connectivity to the Internet, and when digital things become physical, digital threats also become physical threats. Security and privacy issues are rising as never before. What if the microphone in your smart TV can be used to eavesdrop on the private conversations in your bedroom? What if a smart driverless car deliberately crashes itself into an accident? What if you want to be anonymous on the Internet and don't want anybody to track you?
This talk will focus on answering the above questions with a view on 'What are we currently doing to protect ourselves' and 'What do we need to do'. It covers the new security challenges that are coming up and how privacy and anonymity are taking the lead over security. The talk will also sensitise the audience to the paradigm shift that is happening in IoT DevOps with the help of Docker containers, and how they can be anonymised using Tor.
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack... - EC-Council
This document discusses strategies for reducing DNS data leakage and protecting online privacy. It begins with an introduction and overview of topics to be covered, including why DNS data is important from a privacy perspective, common DNS privacy exploits, insecure DNS resolution processes, and solutions for anonymizing DNS data like DNS over HTTPS and DNS over TLS. The document provides details on how DNS data can be tracked and leaked, as well as tools and techniques for analyzing DNS traffic and protecting privacy, including public secure resolvers, browser-based protections, VPNs, and running one's own recursive resolver. It concludes with taking privacy to varying degrees and balancing privacy with usability.
IPv6 expert Joe Klein gave us an overview of the current state of IPv6 security, typical IPv6 attack surfaces, the impact of technologies such as cloud and blockchain, and the challenges of effective IoT (Internet of Things) security measures. Especially in the Internet of Things, when it comes to healthcare, self-driving cars, aircraft cockpits, dams, nuclear power plants and similar critical infrastructure, it is crucial that security can be guaranteed.
Internet of Things (IoT) Affordable & Fast Semi-Custom ASIC Solutions - Triad Semiconductor
Hype wave - Internet of Things (IoT) is IT right now...
The IoT is all about things being connected. Well, last time I checked, the Internet part of IoT was pretty well established (thank you, Al Gore). And Bluetooth 4.0 (BLE or Bluetooth Low Energy) has made the 'of' part of IoT pretty ubiquitous. I refer to the 'of' in IoT as the connecting of sensors (things) to the Internet. With the 'I' and the 'o' of IoT well in hand, this presentation shows you how to integrate sensors, actuators and all the electronics of THINGS (the 'T' of IoT) into small and affordable semi-custom ASICs called ViaASICs from Triad Semiconductor. Watch the presentation and learn how to make mixed-signal application specific integrated circuits (ASICs) for a fraction of the cost and time you would have thought possible. Stealing thunder here, but the presentation will show you how to design and fabricate a ViaASIC from Triad Semiconductor for less than $10,000 and get it done in 3-5 months...
MongoDB World 2018: Enterprise Security in the Cloud - MongoDB
This document discusses enterprise security in the cloud. It covers identity and access controls, auditing, and encryption. For identity and access, it describes secure access controls like multi-factor authentication, role-based access controls, and dedicated virtual private clouds (VPCs). For auditing, it outlines activity logs, monitoring and alerts, and a real-time activity panel. For encryption, it discusses key management, different encryption service levels, and key service differences between AWS, GCP and Azure.
MongoDB World 2018: Enterprise Cloud Security - MongoDB
This document discusses enterprise security in the cloud. It covers identity and access controls, auditing, and encryption. For identity and access, it describes secure access controls like multi-factor authentication, role-based access controls, and dedicated virtual private clouds (VPCs). For auditing, it outlines activity logs, monitoring and alerts, and a real-time activity panel. For encryption, it discusses key management, different encryption service levels, and key service differences between AWS, GCP and Azure.
This document provides a summary of a presentation titled "Ride the Light: A guide to the internet, telephony and computer technology in the 21st century." The presentation covers topics such as core computing values, telephony, internet technology, IP addressing, internet security and abuse. It includes details on technologies like dial-up, DSL, T1 lines, routing registries, RFCs, subnetting, internet threats and solutions, and recommended websites for further information.
Jon Noble. Jon will give a brief overview of why you should consider security as part of your CloudStack deployment, why your approach to security needs to be different than in a traditional environment, and also talk about some of the motives behind the attacks – why they attack you and what they do once they have compromised a system.
My presentation at HackCon 7 Oslo, exploring where the world of information security is headed: crude vs. stealthy exploit techniques, the underground digital economy, the failure of anti-virus, the future of web application security and the (de)evolution of browsers and HTTP.
Mining software vulns in SCCM / NIST's NVD - Loren Gordon
Patch management for 3rd-party software can be a significant challenge. The raw data for effective vulnerability management is available in MS' SCCM (software inventory) and NIST's NVD (vulnerability database). However, extracting the relevant information from complex, sometimes undocumented data structures poses significant challenges.
The stage is set with a brief overview of SCCM / NVD data structures as well as a look at a (non-typical but interesting!) production environment. Then we'll take a quick dive into data wrangling / Machine Learning fundamentals applied to this problem: feature extraction, choice of approach, algorithm choice and tuning.
Once the technical challenges are resolved, the path to “Data Nirvana” can still be strewn with significant non-technical hurdles to overcome as well. We will discuss some practical “been there, done that” examples.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams - Andrew Morris
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers' virtual private servers are used for malicious activity. This activity can happen knowingly, by the "renter" of the system, or on behalf of an attacker if the server becomes infected. Although by no means the end-all, one way of measuring the trust posture of a cloud hosting provider is to analyze the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced decommissioning, quarantining, or remediation of the root cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
This document discusses using cloud computing for CCTV video surveillance. Some key points:
- Cloud infrastructure reduces the need for in-house IT resources and provides scalability, reliability and cost savings compared to on-premise systems.
- However, storing and transferring raw CCTV video data to the cloud is not viable due to the huge size of video files and bandwidth limitations.
- Instead, "smart cameras" can analyze video locally to extract metadata and detect meaningful events, only transferring thumbnail images or short clips to reduce transmitted data.
- This approach filters data similar to how particle physics experiments filter collision data from the LHC to identify rare events like the Higgs boson. Centralized cloud indexing and
1. Monetize the Noise: How Naming data junk became a security data treasure
Paul Sitowitz & Scott King Walker
September 28th, 2015
2. Verisign Confidential and Proprietary
Reduce, Reuse, Recycle
• Restore
• Repurpose
• Remake
• Reinvent
• Reimagine
Image by Jakub Jankiewicz (jcubic / Kuba)
(Open Clip Art Library, detail page) CC0, via
Wikimedia Commons
3. Noise, Noise, Noise, and Pigeon Droppings
• Excerpt is from: Wired Magazine, “Accept Defeat: The
Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09.
• http://www.wired.com/2009/12/fail_accept_defeat/
4. Junk & Noise
• These are the unwanted things that we usually discard or
else try to block out
• Junk
• Trash
• Unused items
• Not needed items
• Useless items
• Not liked items
• Noise
• Loud sounds
• Interference
• Malicious signals
• Harmful irritants
• Bad smells
5. Noise in our Data
• "Photon-noise" by Mdf - Photon-noise.jpg. Licensed under CC BY-SA 3.0 via Wikimedia Commons -
https://commons.wikimedia.org/wiki/File:Photon-noise.jpg#/media/File:Photon-noise.jpg
6. Data Analyzer, and Signal from Noise
• YXD
• NXD
• Resolution Success = Signal
• Resolution Failure = Noise (or does it?)
• The Data Analyzer product is based on
finding signal in this noise.
7. Looking at NXDs
• When a Name Server can not resolve a domain, an NXD
response is returned
• This data is typically discarded as “junk”
• Data Analyzer analyzes this data to identify domains
• with sufficient traffic
• requested during business hours
• requested from specific locations around the world
• … and many other desirable characteristics (like clickable traffic)
• We rate and score these NXDs (from 1 to 10) and allow
our customers to query them
8. NXD Domains
• Sample of NXDs with sufficient traffic (according to DA):
• GENTLEMANMILLION.NET
• CDSYHD.NET
• SILVERHORSETRADER
• A2VERISIGNDNS.COM
• SARAH.COM
• 3RDBILLION.NET
• XN--JJEEP-3F5FW08B.COM
• PAULHUNTHOMES.COM
• CAT-HUSE
• SCOTTSTORAGE2.COM
• MANNYSGOLFWORLD.COM
9. EDAS Record Format
• The NXD DNS traffic data available to Verisign is stored in
the EDAS record format
• A single EDAS formatted record contains:
• The Requesting IP (recursive name server)
• The Requested Domain including TLD (up to 3rd level)
• The time of day that the request was made
• The Site name where the request was received
• The DNS Record Type for the request (typically A and AAAA)
10. Big Data
• NXD request data is captured by the Traffic Monitoring
team from our Edge sites for COM/NET/CC/TV
• Comprises 90% of NXD traffic
• The data is then ingested into the VSCC
• an average of 300 Gigabytes each day
• Data Analyzer allows customers to query up to 26 weeks
of raw NXD data
• That’s 42.2 Terabytes of data needed by a single
customer query
• If we factor in a 3X replication model used by the VSCC at
both the BRN and ILG sites, that adds up to about 250
Terabytes of raw storage!!!
11. Query Processing Time
• A 26 week query on raw NXD data can take more than 8
hours to complete
• And that’s running across more than a hundred powerful
data node machines in the VSCC
• With this in mind, the Data Analyzer product also stores
60 days of aggregated data for our Complete Index in
order to add more value with less time needed to produce
results
• Our indexes take a few hours every night to build
• This index based data supports very flexible filter based
queries
12. Noisy Data
• With so much data comes the potential for a lot of noise:
• But what kinds of noise?
• How much noise?
• How can we find this noise?
13. Finding Noise in the NXD Data - Sample 100K
[Chart: requests per NXD (y-axis 0 to 80000) plotted against domain rank 1 to 97693 in the 100K sample]
Classic hockey stick pattern, very dramatic, but nothing to see here. Right?
14. Top 1K NXD domains from 100K Sample
[Chart: requests per NXD (y-axis 0 to 80000) plotted against domain rank 1 to 990 for the top 1K domains]
“Gap” – No domains with request frequencies between 9918 and 2820 in sample.
15. The Spike
• The large “spike” in the previous graphs shows an
unusually large number of NXD requests
• Do we give these NXDs real high scores since they get
lots of traffic?
• Or is this just plain noise in our data that we should
discard?
• It also turns out that these large requests also exhibit
similar request traffic patterns
• We believe that these requests are from “Botnets”
16. The Botnet Problem
Traffic from Botnets is:
• Automatic, behind the scenes Traffic
• From infected computers
• Algorithmically generated based on time/date
Traffic from Botnets can be detected by:
• High traffic levels from consistent sets of recursive name servers
• Lack of traffic from other name servers
[Chart: requests per NXD (y-axis 0 to 80000) plotted against domain rank 1 to 973, showing the spike]
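The two detection signals on this slide (high volume from a consistent set of recursive name servers, and little traffic from anywhere else) can be turned into a simple similarity check. The block below is an added example and is not Verisign's patented BDS implementation: it builds a per-recursive request profile for every high-volume NXD from constructed EDAS-style (domain, requesting recursive IP) pairs, following the fields listed on slide 9, and flags a heavy domain only when its profile is near-identical to that of another heavy domain. The thresholds MIN_REQUESTS and MIN_SIMILARITY, the sample volumes, and the RFC 5737 addresses are assumptions.

```python
"""Flag NXDs whose request traffic looks botnet-like: high volume that comes
from the same small set of recursive name servers as other heavy NXDs.
Added example; not Verisign's BDS algorithm. Records mimic the EDAS fields on
slide 9 (domain, requesting recursive IP); all data below is constructed."""
import math
from collections import Counter, defaultdict
from itertools import combinations

MIN_REQUESTS = 500    # assumed: only "very large" NXD volumes are examined
MIN_SIMILARITY = 0.9  # assumed: cosine similarity of two domains' recursive profiles


def profiles(records):
    """Count requests per (domain, recursive): {domain: Counter({recursive: n})}."""
    prof = defaultdict(Counter)
    for domain, recursive in records:
        prof[domain][recursive] += 1
    return prof


def cosine(a, b):
    """Cosine similarity of two sparse count vectors keyed by recursive IP."""
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def suspicious_domains(records, min_requests=MIN_REQUESTS, min_similarity=MIN_SIMILARITY):
    """Return the sorted list of heavy NXDs that share a near-identical
    recursive-server profile with at least one other heavy NXD. A lone heavy
    domain (a popular typo) is not flagged: the pattern needs a partner."""
    prof = profiles(records)
    heavy = {d: c for d, c in prof.items() if sum(c.values()) >= min_requests}
    flagged = set()
    for d1, d2 in combinations(sorted(heavy), 2):
        if cosine(heavy[d1], heavy[d2]) >= min_similarity:
            flagged.update((d1, d2))
    return sorted(flagged)


def build_sample():
    """Constructed (domain, recursive IP) pairs; not real traffic."""
    recs = []
    # three DGA-looking NXDs queried by the same four recursives in the same proportions
    bot_profile = {"203.0.113.1": 400, "203.0.113.2": 300,
                   "203.0.113.3": 200, "203.0.113.4": 100}
    for domain in ("CDSYHD.NET", "3RDBILLION.NET", "A2VERISIGNDNS.COM"):
        for recursive, n in bot_profile.items():
            recs.extend([(domain, recursive)] * n)
    # a typo-style NXD with comparable volume, spread thinly over 30 resolvers
    for i in range(1, 31):
        recs.extend([("SARAH.COM", f"192.0.2.{i}")] * 20)
    # a low-volume NXD that never reaches the volume threshold
    for i in range(1, 6):
        recs.extend([("MANNYSGOLFWORLD.COM", f"198.51.100.{i}")] * 10)
    return recs


if __name__ == "__main__":
    sample = build_sample()
    for domain, counts in sorted(profiles(sample).items()):
        print(f"{domain:22s} requests={sum(counts.values()):5d} recursives={len(counts):3d}")
    print("suspicious:", suspicious_domains(sample))
```

SARAH.COM has the same order of volume as the three flagged names but is never marked suspicious: its requests are spread over many resolvers that no other heavy domain shares, which is exactly the "lack of traffic from other name servers" distinction the slide draws.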
17. What Are Botnets
• Enable most sophisticated and popular types of
cybercrime today
• They allow hackers to take control of many computers at
a time which operate as part of a powerful "botnet”
• Many of these computers are infected without their
owners’ knowledge
• Bots often spread themselves across the Internet by
infecting unprotected computers
• Their goal is to stay hidden until they are instructed to
carry out a task by a Command and Control server
18. About Botnets
• Botnets use an algorithm for generating domain names to
make them difficult to identify. While many may be NXDs,
some are not
• These Botnet domains, if registered, would connect a
Botnet to a Command and Control server that issues
instructions to commit attacks
• Botnets are just “zombie” machines without C&C servers
to tell them what to do
19. Botnet Detection
• NXDs with very large amounts of traffic and that exhibit
similar traffic patterns are most likely NOT requested by
humans
• These domains are classified by the Botnet Detection
Service (BDS) as “suspicious” and the requests are
considered to be from “botnets”:
CDSYHD.NET
A2VERISIGNDNS.COM
3RDBILLION.NET
PAULHUNTHOMES.COM
SCOTTSTORAGE2.COM
20. About BDS
• Implemented using Hadoop streaming and the Mahout
machine learning library
• Identifies similar NXD traffic patterns across many
different name servers
• Runs once a day at 4:30pm EST
• Analyzes 1 day of NXD data for COM/NET/CC/TV and
produces a “suspicious” domains list
• Collects the past 60 days of suspicious domains and
publishes the unique collection to an HDFS folder in the
VSCC
• Exposed to other products via a DAG data retrieval API
21. A Patented Technology
• https://www.google.com/patents/US8745737
22. DA Use Case of BDS
• Prevent promotion of these suspicious domains to our
customers
• Provides two major benefits:
• Customers benefit by not registering domains with high traffic that
won’t see human traffic
• System efficiency benefit of fewer domains to query from
23. Monetize the Noise
• Remember that “One engineer’s noise is another
engineer’s signal.”
• The effort to make use of the BDS data earlier this year
started with a joke of an idea. It was something like: “If
we know what domains the infected computers are
looking for, we could register those domains, take over
their botnets and use them for ourselves!”.
• (Probably not really, because they tend to use encrypted
instructions to prevent this, but maybe.)
24. Monetize the Noise
This silly starting point led down a list of other options:
• Prevent the registration of these domains to clean up
.COM and .NET
• Sell the data to a security company so they could pay to
block traffic to these domains.
• Use the data itself to target the companies that most
desperately need the blocking service.
25. How the connection happened
• Eventually, we found a security company interested. You
may have heard of them… Verisign.
• Paul had a discussion about BDS with Jim Gould who
asked him to present it at a PESAB meeting. That led to
an engineering to engineering discussion about the
usefulness to the security side of the business.
• Once the engineering feasibility was in place, we had their
product people talk to our product people, and the security
use of the data was quickly approved.
• Takeaway is: “Don’t let the organizational structure stand
in the way of a good use for your data.”
26. Current Usage
• Data Analyzer uses these domains as a “black list” to filter
them out of our indexes to prevent us from ever returning
them to our customers in order to help prevent potential
registration
• Recursive DNS uses these to ensure that resolution
requests for them are ignored to prevent potential “botnet”
transmissions
• How else might we use the suspicious Botnet domain list?
27. Future work
• BDS data from DA could be used in several ways within
the company to improve security products. Blocking
traffic within the Recursive service is just one use.
• How about:
• Selling BDS data feed as a standalone or add-on security product.
• Using traffic to BDS domains to prioritize Recursive sales leads.
• Using BDS domains within a Recursive appliance to identify
infected computers on a network. (Don’t just block, disinfect!)
28. Going Further
• block the registration of these suspected domains in Core
• use the registration attempts to identify criminals
• While our Botnet domain list only comprises
COM/NET/CC/TV domains, we can use BDS for other
TLDs
• Maybe a service we could provide to other registries
30. Digging Deeper
Subnet        Total Requests   ASN       Country   Total Unique Recursives
12.45.69      1350             AS8075    US        23
225.10.19     2354             AS15169   US        12
111.48.23     3487             AS20013   CH        56
5.228.43      7812             AS13238   FR        5
189.165.221   2834             AS30083   NL        134
17.12.187     12128            AS15169   US        45
(Each row carries a “View Recursives” link that lists the individual recursive name servers behind it.)
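The drill-down table above groups one suspicious domain's requests by the requesting recursives' /24 subnet and attaches ASN, country, total requests and the count of distinct recursives. The block below is an added example, not the Data Analyzer UI or its data pipeline: it computes those rows from constructed (recursive IP, request count) pairs and a small constructed prefix-to-ASN table (standing in for a real IP-to-ASN feed), and it carries the one edge case such a screen must handle, a recursive whose prefix is not in the table. The subnet is written in CIDR form rather than the slide's three-octet style.

```python
"""Aggregate one suspicious domain's NXD requests per /24 subnet, as in the
"Digging Deeper" drill-down.  Added example; not Verisign code.  The ASN table
and the request sample are constructed for the demo."""
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix -> (ASN, country) table standing in for a real IP-to-ASN feed.
ASN_TABLE = {
    ipaddress.ip_network("12.45.69.0/24"): ("AS8075", "US"),
    ipaddress.ip_network("17.12.187.0/24"): ("AS15169", "US"),
    ipaddress.ip_network("111.48.23.0/24"): ("AS20013", "CH"),
}


def lookup_asn(ip):
    """Return (ASN, country) for an address; ('unknown', '??') if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    for net, info in ASN_TABLE.items():
        if addr in net:
            return info
    return ("unknown", "??")


def subnet_of(ip, prefixlen=24):
    """Collapse a recursive's address to its enclosing /24 (strict=False masks host bits)."""
    return str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))


def drill_down(requests):
    """requests: iterable of (recursive_ip, request_count) for one suspicious domain.
    Returns one row per subnet, sorted by total requests, highest first."""
    totals = Counter()
    uniques = defaultdict(set)
    for ip, n in requests:
        net = subnet_of(ip)
        totals[net] += n
        uniques[net].add(ip)
    rows = []
    for net, total in totals.items():
        asn, country = lookup_asn(net.split("/")[0])
        rows.append({"subnet": net, "total_requests": total, "asn": asn,
                     "country": country, "unique_recursives": len(uniques[net])})
    rows.sort(key=lambda r: r["total_requests"], reverse=True)
    return rows


def by_country(rows):
    """Roll the subnet rows up to request totals per country (the 'most requesting countries' view)."""
    counts = Counter()
    for row in rows:
        counts[row["country"]] += row["total_requests"]
    return counts


# Constructed per-recursive request counts for a single suspicious domain.
SAMPLE_REQUESTS = [
    ("17.12.187.7", 300), ("17.12.187.8", 200), ("17.12.187.9", 100),
    ("12.45.69.1", 100), ("12.45.69.2", 50),
    ("111.48.23.3", 40),
    ("203.0.113.7", 5),   # not in ASN_TABLE: exercises the unknown-prefix path
]


if __name__ == "__main__":
    rows = drill_down(SAMPLE_REQUESTS)
    print(f"{'Subnet':16} {'Total':>6} {'ASN':9} {'CC':3} {'Unique':>6}")
    for r in rows:
        print(f"{r['subnet']:16} {r['total_requests']:>6} {r['asn']:9} "
              f"{r['country']:3} {r['unique_recursives']:>6}")
    print("by country:", dict(by_country(rows)))
```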
31. Infection Detection
• With the help from a Recursive Server appliance that
captures the IPs of the original requests
• We can track back from the Recursive server to the actual “Bots!”
• If we can find these Bots then we can help to shut them down
• Another possibility might be to include the IP of the actual
requesting machines inside the DNS messages using the
EDNS0 - Extension mechanisms for DNS
• Allow for storing more information in DNS messages
• Is currently used in about 10% of DNS messages to enable things
like GEO location
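The EDNS0 mechanism this slide alludes to is the EDNS Client Subnet option (ECS, RFC 7871): a recursive can forward a prefix of the original requester's address inside the OPT pseudo-record, so an authoritative server sees a client subnet (typically a /24, never the full address by design) rather than only the recursive. The block below is an added example, not Verisign code: it decodes the ECS option from an OPT record's RDATA and rejects malformed options, and the sample RDATA, which pairs a DNS COOKIE option with an ECS option, is constructed.

```python
"""Pull the EDNS Client Subnet (ECS, RFC 7871) option out of an OPT record's
RDATA, so a botnet-domain lookup can be attributed to a client subnet rather
than only to the recursive that forwarded it.  Added example; not Verisign
code.  SAMPLE_OPT_RDATA is constructed for the demo."""
import ipaddress
import struct

ECS_OPTION_CODE = 8            # RFC 7871 option code
ADDRESS_BYTES = {1: 4, 2: 16}  # FAMILY field: 1 = IPv4, 2 = IPv6


def parse_opt_options(rdata):
    """Split OPT RDATA into (option-code, option-data) pairs (RFC 6891 TLVs)."""
    options, pos = [], 0
    while pos + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + length > len(rdata):
            raise ValueError("truncated EDNS option")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    if pos != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return options


def parse_ecs(data):
    """Decode one ECS option body into (client network, scope prefix length)."""
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source_prefix, scope_prefix = struct.unpack_from("!HBB", data, 0)
    if family not in ADDRESS_BYTES:
        raise ValueError(f"unknown ECS address family {family}")
    total = ADDRESS_BYTES[family]
    addr = data[4:]
    # The address is truncated to ceil(SOURCE PREFIX-LENGTH / 8) octets.
    if source_prefix > total * 8 or len(addr) != (source_prefix + 7) // 8:
        raise ValueError("ECS address length does not match prefix length")
    padded = addr + b"\x00" * (total - len(addr))
    # strict=True rejects non-zero bits beyond the prefix, which RFC 7871 forbids.
    network = ipaddress.ip_network(f"{ipaddress.ip_address(padded)}/{source_prefix}", strict=True)
    return network, scope_prefix


def client_subnet(opt_rdata):
    """Return (network, scope) from the first ECS option, or None if there is none."""
    for code, body in parse_opt_options(opt_rdata):
        if code == ECS_OPTION_CODE:
            return parse_ecs(body)
    return None


def build_ecs_option(network, scope=0):
    """Constructed encoder so the example has realistic input to decode."""
    net = ipaddress.ip_network(network)
    family = 1 if net.version == 4 else 2
    nbytes = (net.prefixlen + 7) // 8
    body = struct.pack("!HBB", family, net.prefixlen, scope) + net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


# Constructed OPT RDATA: a DNS COOKIE option (code 10, 8-byte client cookie)
# followed by an ECS option for 198.51.100.0/24.
SAMPLE_OPT_RDATA = struct.pack("!HH", 10, 8) + b"\x01" * 8 + build_ecs_option("198.51.100.0/24")


if __name__ == "__main__":
    print(client_subnet(SAMPLE_OPT_RDATA))
```

Because ECS only ever carries a prefix, the drill-down it enables stops at the client's subnet; pinning down an individual bot still needs the recursive-side appliance the slide mentions.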
32. Information Gathering
• So far, since the suspected domains have all been NXDs,
the intended C&C servers have not yet been registered
• We can use BDS to identify suspected domains based on
YXD traffic data that point to real, live C&C servers
• While the BDS algorithm would definitely work on YXD
data, we might have some challenges:
• TTL based caching by resolvers
• Frequent IP switching for C&C server domains to avoid detection
33. Taking Down C&C servers
• If we can identify the domains for suspected live C&C
servers, perhaps we can:
• Block DNS resolution on EDGE and Electra servers
• Use “Core” to suspend the registration for these domains so they
appear “out of zone”
• Fine registrars
• Go after domain owners
• While a service to the entire internet, there most likely
would be legal implications in any of the above
34. Room For Improvement
• While a great service, BDS does not help with Botnet
transmissions that are NOT DNS based
• add support for IPV6 traffic
• add monitoring to track the rate of false positives
• use for analyzing traffic data for other TLDs
• use for analyzing YXD traffic data
• Potentially look at additional data points in the AVRO
summary feed currently used by the Real-Time cluster
(RTC) and soon to be used as a replacement for the
existing Traffic Monitor feed (end Q2 next year)
• Will also include traffic data from our Electra sites
• And the missing 10% of NXD traffic data!
35. Eureka!
• Excerpt is from: Wired Magazine, “Accept Defeat: The
Neuroscience of Screwing Up” by Jonah Lehrer, 12.21.09.
• http://www.wired.com/2009/12/fail_accept_defeat/
36. Takeaways
• Your Noise could be MY signal
• Reimagine and Reuse & Find reasons to Keep more of
your data
• Find more Value & Throw more effectively
• Don’t let the organization stand in the way
Scott: You have heard the saying “One man’s junk is another man’s treasure”. Today, we are going to show you how “One engineer’s noise is another engineer’s signal”.
You have heard of “Reduce, Reuse, Recycle”. For Keepers, or “Packrats” as some of the Throwers call us, it’s more like “Reduce, Reuse, Restore, Repurpose, Remake, Reinvent, Reimagine, Re-gift, Recycle”. I will Re-almost-anything, as long as I don’t need to just throw away something that might someday have some value.
Scott: I am by nature a Keeper. I hate throwing anything out, if I think I can possibly find some value in it. Today’s presentation is about 3 different times when the “Keeper” was vindicated because value was found in data that was being thrown out.
Scott reads:
It all started with the sound of static. In May 1964, two astronomers at Bell Labs, Arno Penzias and Robert Wilson, were using a radio telescope in suburban New Jersey to search the far reaches of space. Their aim was to make a detailed survey of radiation in the Milky Way, which would allow them to map those vast tracts of the universe devoid of bright stars. This meant that Penzias and Wilson needed a receiver that was exquisitely sensitive, able to eavesdrop on all the emptiness. And so they had retrofitted an old radio telescope, installing amplifiers and a calibration system to make the signals coming from space just a little bit louder.
But they made the scope too sensitive. Whenever Penzias and Wilson aimed their dish at the sky, they picked up a persistent background noise, a static that interfered with all of their observations. It was an incredibly annoying technical problem, like listening to a radio station that keeps cutting out.
At first, they assumed the noise was man-made, an emanation from nearby New York City. But when they pointed their telescope straight at Manhattan, the static didn’t increase. Another possibility was that the sound was due to fallout from recent nuclear bomb tests in the upper atmosphere. But that didn’t make sense either, since the level of interference remained constant, even as the fallout dissipated. And then there were the pigeons: A pair of birds were roosting in the narrow part of the receiver, leaving a trail of what they later described as “white dielectric material.” The scientists evicted the pigeons and scrubbed away their mess, but the static remained, as loud as ever.
For the next year, Penzias and Wilson tried to ignore the noise, concentrating on observations that didn’t require cosmic silence or perfect precision. They put aluminum tape over the metal joints, kept the receiver as clean as possible, and hoped that a shift in the weather might clear up the interference. They waited for the seasons to change, and then change again, but the noise always remained, making it impossible to find the faint radio echoes they were looking for. Their telescope was a failure.
Paul Speaking
SITTING IN A CROWDED THEATRE AT THE MUCH ANTICIPATED SUMMER BLOCKBUSTER AND A BABY IN THE NEXT ROW IS SCREAMING AND CRYING
THAT YUCKY STUFF I SCOOP OUT OF MY CAT YODA’s LITTER BOX EVERY MORNING FOR THE PAST 18 YEARS
YOUR WIFE’S FAVORITE CHINA THAT IS NOW IN PIECES ALL OVER THE KITCHEN FLOOR
ALL THOSE BANANA PEELS YOU’VE TOSSED OUT OVER THE YEARS
THAT HORRIBLE SMELL THAT CAUSED YOU AND YOUR BROTHER TO COVER YOUR FACES THAT SUMMER WHEN THE FAMILY VISITED YELLOWSTONE NATIONAL PARK
AND LET’S NOT FORGET THAT NEW 75’’ CURVED 4k ULTRAHIGH DEF TV WITH THE FOOTBALL SIZE HOLE IN THE MIDDLE OF THE SCREEN
Scott Speaking
As Engineers and Scientists, noise in our data is a huge problem. We want our data to show us a clear picture like the bottom right. If we can’t get that, we at least want something in the middle row. Too often, our data looks like the top row. We are squinting at it to try to make any sense out of what it is.
Scott:
At Verisign, we wholesale domain names and provide resolution for them.
On the resolution side, counts of successful resolutions are the signal. That’s “YXD” traffic, or “Yes eXistent Domain”.
We also get a lot of “junk” traffic for “Non eXistent Domains”, or NXDs.
The Data Analyzer product is based on this first layer of junk. People are clicking on links, or typing names into browsers expecting that domains are going to exist. When they don’t, they get an error page in their browser, or their mail bounces, or they get some other form of error.
If you are interested in buying domains to serve a few web ads to these people, these domains are gold. For Verisign, it is an opportunity to sell a domain that would otherwise remain unsold.
Paul Speaking
YOU TYPE IN A MISSPELLED SITE NAME INTO YOUR LEAST FAVORITE BROWSER (YOU KNOW, THE ONE THAT DOESN’T RUN ON A MAC) AND YOU GET BACK THAT UNFRIENDLY MESSAGE “THIS WEBPAGE IS NOT AVAILABLE”
WHAT REALLY HAPPENS BEHIND THE SCENES IS THAT A NAME SERVER COULDN’T RESOLVE THE MISSPELLED DOMAIN NAME AND INSTEAD OF RETURNING AN IP ADDRESS, A NON-EXISTENT-DOMAIN-NAME, OR NXD, RESPONSE IS RETURNED
TO MOST OF US, NXD RESPONSES ARE JUST PLAIN “JUNK”
BUT TO DATA ANALYZER, WE TEND TO SEE VERY MUCH MORE. WE ANALYZE THIS DATA TO IDENTIFY AVAILABLE DOMAINS WITH:
EXISTING TRAFFIC
REQUESTED DURING BUSINESS HOURS
REQUESTED FROM SPECIFIC LOCATION FROM AROUND THE WORLD
AND MANY OTHER DESIRABLE CHARACTERISTICS
WE RATE AND SCORE THESE NXD’s FROM 1 TO 10 WITH HOPES OF GETTING CONVERSIONS DUE TO REGISTRATIONS
Paul:
HERE ARE SOME SAMPLE NXD’s WITH SIGNIFICANT EXISTING TRAFFIC
SOME LOOK LIKE GARBAGE WHILE OTHERS LOOK LIKE YOU MAY WANT TO REGISTER.
LIKE THE ONE THAT SPELLS MY YOUNGEST DAUGHTER’S NAME
PAUL
PAUL
ingested by a Data Architecture Group (DAG) process into the Verisign Compute Cluster (VSCC)
PAUL
Partial Index - 1 day of aggregated NXD data
Complete index – 60 days of aggregated data from 60 Partial Indexes
Query by GEO code, score, time of day, etc
PAUL
Scott:
Data Analyzer is a fairly mature product. When it was first developed, there was a major problem with the data. The domain-investors (or “Domainers”) don’t actually care about NXD traffic. They want to know what domains they can register so that their ads are seen by the most people. They may also care about the ads being clicked on by real people.
In the graph above, it turns out that many of the most frequent NXD domains are not being visited by people at all. There was something wrong here. Without removing the noise, DA customers would assume that they should buy the wrong domains. If DA made suggestions that consistently didn’t work out, people would give up on it, and wouldn’t buy as many of these domains. So, what was wrong?
Botnets!
Paul:
It turns out that many (but not all) of the most requested domains are popular only because vast networks of infected computers are checking for Command and Control instructions. These domain names often look like nonsense that a human would never type.
The point is that by identifying the pattern of traffic, we were able to more effectively filter it out of the DA data.
Paul Speaking
AN ARMY OF INFECTED COMPUTERS THAT ACT LIKE “ZOMBIES” AND JUST SIT THERE, HIDDEN FROM THEIR OWNERS, WAITING FOR INSTRUCTIONS FROM A CENTRAL C&C SERVER THAT ISSUES COMMANDS FOR THESE “BOTS” TO WORK TOGETHER AND LAUNCH CYBERCRIMINAL ATTACKS
DENIAL OF SERVICE
SEND SPAM
SPREAD VIRUSES
AND OTHER SOPHISTICATED AND POPULAR CYBERCRIMES
MANY OF THESE “BOTS” ARE INFECTED WITHOUT THEIR OWNERS EVER EVEN KNOWING
Paul:
BOTNETS EITHER GENERATE NON-EXISTENT DOMAIN NAMES BASED ON AN ALGORITHM OR ELSE CYCLE THROUGH A LIST OF UNREADABLE DOMAIN NAMES
WITH THE HOPE THAT AT LEAST ONE WILL GET REGISTERED AND CONNECT THESE BOTS TO A “BOT MASTER” OR C&C SERVER
TO NOTE: IF THESE DOMAINS ARE NEVER REGISTERED, THEN THESE BOTNETS WILL JUST REMAIN A BUNCH OF “ZOMBIES”
Paul
GETTING BACK TO THAT HUGE TRAFFIC SPIKE…..
THESE ARE MOST LIKELY NOT REQUESTED FROM HUMANS
THESE INSTEAD ARE CLASSIFIED BY THE BOTNET DETECTION SERVICE (BDS) AS “SUSPICIOUS” AND CONSIDERED TO BE FROM BOTNETS
PAUL
Paul
THE BOTNET DETECTION SERVICE, or BDS, IS ONE OF THE SERVICES OFFERED WITH THE DATA ANALYZER PRODUCT AND IS BASED ON REAL-PATENTED TECHNOLOGY BOTH INVENTED AND OWNED BY VERISIGN
PATENT FILED IN 2011 AND GRANTED IN 2014
WILL THE INVENTORS PLEASE RAISE YOUR HANDS?
Paul
PREVENT PROMOTION OF THESE SUSPICIOUS DOMAINS TO OUR CUSTOMERS
CUSTOMER BENEFIT – NOT REGISTERING NXD’S THAT WON’T SEE HUMAN TRAFFIC
SYSTEM BENEFIT – FEWER OVERALL DOMAINS TO HAVE TO QUERY FROM
Scott
Scott:
Scott
Paul injects: I HAD A HALLWAY CONVERSATION WITH JIM GOULD ABOUT THE NEW STAR WARS MOVIE COMING OUT (WE ORIGINALLY WENT TO SEE THE MIDNIGHT SHOWING OF EPISODE 1 SOME MANY YEARS AGO) AND I HAPPENED TO MENTION SOME COOL STUFF REGARDING HOW WE IDENTIFY BOTNET DOMAINS AND MAYBE USING THEM TO IDENTIFY INFECTED NETWORKS. JIM SUGGESTED THAT I PRESENT THIS AT THE NEXT PESAB MEETING
THIS LED TO ENGINEERING TO ENGINEERING DISCUSSIONS ABOUT THE USEFULNESS TO THE SECURITY SIDE OF THE BUSINESS
PAUL
CURRENTLY, THE SUSPICIOUS DOMAINS LIST IS BEING USED
BY DATA ANALYZER AS A BLACKLIST TO PREVENT PROMOTION OF THESE TO OUR CUSTOMERS
BY RECURSIVE DNS TO IGNORE RESOLUTION REQUESTS FOR THESE AND PREVENT POTENTIAL BOTNET TRANSMISSIONS
HOW ELSE MIGHT WE USE THIS DATA?
Scott
Paul:
BLOCK REGISTRATIONS IN CORE
USE REGISTRATION ATTEMPTS TO IDENTIFY AND TRAP CRIMINALS (LIKE A HONEYPOT)
SUPPORT OTHER TLDs THAT WE HAVE TRAFFIC DATA FOR
PROVIDE AS A SERVICE FOR OTHER REGISTRIES
Paul
IT COULD BE USEFUL TO PROVIDE WAYS TO IDENTIFY IMPORTANT INFORMATION ABOUT THE BOTNET REQUESTS
A POTENTIAL UI SCREEN TO DEEP DIVE INTO THE DATA RELATED TO THE BOTNET DOMAINS
TOTAL REQUESTING ASNs, MOST REQUESTING ASNs, MOST REQUESTING COUNTRIES, REQUEST TIMELINE, TOTAL REQUESTS, TOTAL REQUESTING RECURSIVES
SEARCH THROUGH THE DATA BY ASN, COUNTRY, IP ADDRESS, SUBNET… AND THEN DIVE DOWN FURTHER
Paul
LOOK AT SUBNETS WITH MANY REQUESTS, IDENTIFY THE CORRESPONDING ASN AND COUNTRY, TOTAL OVERALL REQUESTS AND TOTAL UNIQUE NAME SERVER REQUESTS
Paul
BDS LIMITS US TO THE IP OF THE REQUESTING RECURSIVE SERVERS
BUT, WITH THE USE OF A RECURSIVE SERVER APPLIANCE THAT CAPTURES THE IPs OF THE ORIGINAL REQUESTS,
WE CAN IDENTIFY THE BOTS THEMSELVES!!!!!!!!
Paul:
SO BDS GETS US AS FAR AS THE REQUESTING RECURSIVES.
A RECURSIVE SERVER APPLIANCE MAY HELP TO IDENTIFY THE ACTUAL BOTS
TO BE VERY EFFECTIVE, WE WOULD NEED TO IDENTIFY THE C&C SERVERS THEMSELVES SO THAT WE CAN CUT THE BOTS OFF FROM THEIR MASTER
WE CAN DEFINITELY USE BDS ON YXD DATA
IN ADDITION TO CHALLENGES DUE TO RESOLVER CACHING, THE C&C SERVERS OFTEN CHANGE THEIR IP ADDRESS TO AVOID DETECTION
Paul:
BLOCK DNS RESOLUTION OF THESE AT THE EDGE AND ELECTRA SITES
SUSPEND REGISTRATION SO DOMAINS APPEAR OUT OF ZONE
PAUL
Scott reads:
For the radio astronomers, the breakthrough was the result of a casual conversation with an outsider. Penzias had been referred by a colleague to Robert Dicke, a Princeton scientist whose training had been not in astrophysics but nuclear physics. He was best known for his work on radar systems during World War II. Dicke had since become interested in applying his radar technology to astronomy; he was especially drawn to a then-strange theory called the big bang, which postulated that the cosmos had started with a primordial explosion. Such a blast would have been so massive, Dicke argued, that it would have littered the entire universe with cosmic shrapnel, the radioactive residue of genesis. (This proposal was first made in 1948 by physicists George Gamow, Ralph Alpher, and Robert Herman, although it had been largely forgotten by the astronomical community.) The problem for Dicke was that he couldn’t find this residue using standard telescopes, so he was planning to build his own dish less than an hour’s drive south of the Bell Labs one.
Then, in early 1965, Penzias picked up the phone and called Dicke. He wanted to know if the renowned radar and radio telescope expert could help explain the persistent noise bedeviling them. Perhaps he knew where it was coming from? Dicke’s reaction was instantaneous: “Boys, we’ve been scooped!” he said. Someone else had found what he’d been searching for: the radiation left over from the beginning of the universe. It had been an incredibly frustrating process for Penzias and Wilson. They’d been consumed by the technical problem and had spent way too much time cleaning up pigeon shit — but they had finally found an explanation for the static. Their failure was the answer to a different question.
And all that frustration paid off: In 1978, they received the Nobel Prize for physics.
Scott:
If you have data, we have shown you the value of looking at your data, particularly at the “noise” in your data, in a new way.
If you are a “Keeper” at heart, we have given you encouragement for how to reimagine and reuse some of your data.
If you are more inclined to throw things out, maybe, just maybe, you will take another look at what data you are throwing away and find some additional value within it. At the very least, you now know that by identifying what your “noise” means, you can more effectively throw it away.
Take Questions on this slide.