Domain Generation Algorithms (DGAs) and DNS provide a layer of resilience to botnets and malware. They also provide new and novel ways to monitor and surveil malicious networks. This talk will discuss methods you can use to turn DGAs and DNS against malware operators in order to better protect your enterprise.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
THOTCON - The War over your DNS QueriesJohn Bambenek
Talk given at THOTCON on October 9, 2021 entitled the War over your DNS queries and what to do about it. Covers DNS security and privacy and the importance of running your own DNS resolver.
Talk given at PHDAYS V in Moscow, May 2015.
This talk will focus on a research into Domain Generation Algorithms used in several malware families. By reverse engineering the DGA, it became possible to create near-time intelligence feeds used to monitor malicious networks and provide information required for network protection.
THOTCON 0x6: Going Kinetic on Electronic Crime NetworksJohn Bambenek
Defensive security is a rat race. We detect new threats, we reverse engineer them and develop defenses while the bad guys just make new threats. We often just document a new threat and stop when the blog post is published. This talk will take it a step further on how to proactively disrupt threats and threat actors, not just from your organization but completely. As a case study, Operation Tovar and whatever else I take down between now and THOTCON will be used as examples of how this can be accomplished without a large legal team and without massive collateral damage (i.e. the No-IP incident). Tools will be demonstrated that are used for near-time surveillance of criminal networks.
Thotcon 0x5 - Retroactive Wiretapping VPN over DNSJohn Bambenek
These are the slides of a talk by John Bambenek at THOTCON 0x5 in Chicago.
Imagine your first day at a client site and you spend your time figuring out what’s going on with the network. You query passive DNS to find tons of apparently VPN over DNS endpoints on your network. What starts as a simple incident investigation process sees the tables turned on those who used the protocol to hide their tracks. This talk will discuss reverse engineering VPN over DNS (vpnoverdns.com) and how weaknesses in using DNS tunneling makes it trivial to retroactively wiretap all communications over the protocol long after the fact.
Corporate Espionage without the Hassle of Committing FeloniesJohn Bambenek
Thotcon Presentation by John Bambenek on how some security solutions are leaking sensitive data to the internet making it easy to spy on individuals and companies without breaking any laws.
SANSFIRE18: War Stories on Using Automated Threat Intelligence for DefenseJohn Bambenek
Between limited resources and a lack of trained professionals on one hand and the increasing quantity and quality of attacks on the other, securing enterprises and responding to incidents has placed defenders on the losing end of a digital arms race. Even managing the amounts of threat data and open-source intelligence has become a challenge.
This talk will cover the possibilities and perils of integrating all the various sources of threat intelligence data to protect an organization. With all the various open-source and paid-source data, simply dumping it all into a firewall or DNS RPZ zone can be problematic. What to do about compromised websites or shared hosting environments? What about DGA domains that use full words and may collide with actual innocent websites? What about how to handle threat data that is lacking in context to make appropriate decisions on its validity and accuracy? This talk will present several case studies in how these problems can be tackled and how using multi-domain analysis can help reduce the risk and maximize the value of automated protection using these types of data.
THOTCON - The War over your DNS QueriesJohn Bambenek
Talk given at THOTCON on October 9, 2021 entitled the War over your DNS queries and what to do about it. Covers DNS security and privacy and the importance of running your own DNS resolver.
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
HITCON 2017: Building a Public RPZ Service to Protect the World's ConsumersJohn Bambenek
While we have many products and tools to protect enterprises and government networks, we are not using those same tools to protect consumers who cannot afford products and services by security companies. This talk will focus on the building of a RPZ service that can use already existing threat intelligence feeds that are freely accessible to protect consumers against threats we already know about.
Over the past year, Intel Security has actively participated with global law enforcement agencies in take-down operations to shut down cybercrime infrastructure, associated malware and the cybercriminals themselves. This session will deconstruct emerging attack campaigns and techniques, examine pragmatic defense strategies and discuss what to expect in the future.
[HITCON 2020 CTI Village] Threat Hunting and Campaign Tracking Workshop.pptxChi En (Ashley) Shen
Speakers: Ashley Shen, Steve Su
This is a threat hunting and campaign tracking 101 workshop Ashley Shen (Google) and Steve (FireEye) prepared for the HITCON 2020 CTI Village. In this presentation we share the threat hunting concept with some basic techniques and explain the process and guidance for campaign tracking. The presentation was only 65 mins so we couldn't covered everything. However through this talk we hope to share our experience and insight to the beginners.
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzChristopher Gerritz
BSides Las Vegas 2016 Talk: Powershell-fu: Hunting on the Endpoint. Presented the PSHunt framework (which will be released on Github) and methodology for hunting on the endpoint using Powershell across an enterprise or on an individual system.
Exploit kits are a critical piece of the malware delivery infrastructure, delivering banking trojans, click fraud engines and ransomware. This small talk will be designed to aid collaboration on a means to tackle these threats with a long-term goal of eventual prosecution of the actors and partners behind exploit kits and their associated malware campaigns. We will discuss the latest research into the backend infrastructure and surveillance techniques of the Nuclear, RIG and Angler exploit kits, to enable all participants to learn what others are doing to stay ahead of them.
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsAndrew Morris
Cloud hosting providers, such as Amazon AWS, Google Cloud, DigitalOcean, Microsoft Azure, and many others, have to respond to a regular barrage of abuse complaint reports from all around the world when their customers virtual private servers are used for malicious activity. This activity can happen knowingly by the "renter" of the system or on behalf of an attacker if the server becomes infected. Although by no means the end all, one way of measuring the trust posture of a cloud hosting provider is by analyzing the amount of time between shared hosts beginning to attack other hosts on the Internet and the activity ceasing, generally by way of forced-decommissioning, quarantining, or remediation of the root-cause, such as a malware infection. In this talk, we discuss using the data collected by GreyNoise, a large network of passive collector nodes, to measure the time-to-remediation of infected or malicious machines. We will discuss methodology, results, and actionable takeaways for conference attendees who use shared cloud hosting in their businesses.
Defending Against 1,000,000 Cyber Attacks by Michael BanksEC-Council
Every time you look around some company or government organization is spouting out some huge number of “cyber-attacks” to their network every day. By no means is it easy, but could it be that there is a little exaggeration of the actuality of the encounters? There is surely a misconception in reporting and the understanding of the attack itself and how organizations account for them. There are “attacks” like port scanning and brute force attempting all across the internet and all hours of the day. Spreading awareness about them will inform the public on just how “intense” these attacks are. To demonstrate this, I bought a nice attractive domain and coupled it with a honey-pot and let the fun begin.
Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.
There has been a Ransomware explosion the last 6 years and there have been very little done to stop infections aside from deprecated signature scans and classic malware scanner. Weston will go over a couple proof of concepts that work on even the most current versions of the malware stop from fully infecting the machines that would otherwise be infected with malware that demands 1000s of dollars in some instances. Weston will go over several methods of making your system immune to attacks from ransomware many of them were discovered from actually reverse engineering the malware early this year. Weston will also go over several open source tools to test your environments impact from malware such as Cryptowall and several tools both software and hardware that can protect your systems from malware infecting even methods of abusing the payment gateway system to allow you to get more than one file unlocked for free and Weston will also go into the research about breaking the encryption based on the outputted encrypted files.
This session will provide insight into highly disruptive breaches that MANDIANT investigated over the past year. It describes how threat actors have destroyed system infrastructure and taken companies offline for weeks. The threat actors are split into two categories for this talk and focused on the SHAMOON cases. I will also talk about highlights from Incident Response cases of 2017. Financially motivated vs Non Financially motivated. I will talk about how recent attacks with SHAMOON differ - their motives compared to financially motivated threat actors. Highlights from a couple of 2017 IRs - Overview of TTPs of the important State Sponsored Attacks seen in 2017.
Finding the Sweet Spot: Counter Honeypot Operations (CHOps) by Jonathan Creek...EC-Council
Today there is a dispute over the ethics of operations involving honeypots and honeynets in cyber security. However, many organizations will adopt the use of such techniques and tools to develop defensive strategies to stop attackers. For professional offensive security practitioners, detecting, bypassing, and even avoiding honeypots is a new challenge and much is to be discovered and shared. This brief will work to accomplish these objectives and begin the development of a new framework for Counter Honeypot Operations (CHOps).
This talk focussed on the challenges facing the DevOps community from the “developers culture perspective” and the consequences of the perceived disinterest in inculcating a complete 360 degrees’ risk mitigation framework in DevOps practices.
The talk touched on the legal +Security+Operational Risk of using Open Source in their SDLC, the need for internal customized Open Source policy and a two-step approach to resolve these risks
Presented on April 14, 2018 at CarolinaCon (https://www.carolinacon.org). This talk will provide a quick overview honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.
DApps_ Security Issues, Hacks, and Preventive Measures.pptxCyphersheild.tech
Avail our efficient dApp audit service for your next project. It can help you secure your dApp from hacks. Our security audit for dApps also includes checks for gas efficiency. Hire us now!
Network security monitoring elastic webinar - 16 june 2021Mouaz Alnouri
The difference between successfully defending an attack or failing to compromise is your ability to understand what’s happening in your network better than your adversary. Choosing the right network security monitoring (NSM) toolset is crucial to effectively monitor, detect, and respond to any potential threats in an organisation’s network.
In this webinar, we’ll uncover the best practices, trends, and challenges in network security monitoring (NSM) and how Elastic is being used as a core component to network security monitoring.
Highlights:
- What is network security monitoring (NSM)?
- Types of network data
- Common toolset
- Overcoming challenges with network security monitoring
- Using Machine Learning for network security monitoring
- Demo
Are you ready for the next attack? Reviewing the SP Security ChecklistAPNIC
Are you ready for the next attack? Reviewing the SP Security Checklist, by Barry Green.
A presentation given at the APNIC 40 Opening Ceremony and Keynotes session on Tue, 8 Sep 2015.
Are you ready for the next attack? reviewing the sp security checklist (apnic...Barry Greene
Rethinking Security and how you can Act on Meaningful Change
What the industry recommends to protect your network is NOT working! The industry is stuck in a dysfunctional ecosystem that encourages the cyber-criminal innovation at the cost to business and individual loss throughout the world. We do not need a “Manhattan Project” for the security of the Internet. What we need are tools to help operators throughout the world ask the right question that would lead them to meaningful action. Security empowerment must empower the grassroots and provide the tools to push back on the root cause. This talk will explore these issues, highlight the dysfunction in our “security” economy, and present “take home” tools that would facilitate immediate action.
FBI & Secret Service- Business Email Compromise WorkshopErnest Staats
Compiled some Open source and other tools that I that I have used for BEC/EAC protection, security, & training. I had a great time sitting on the panel with other members.
Presented on May 9, 2018 at SOURCE Conference Boston
(https://sourceconference.com/events/bos18/).
This version contains minor updates from previous presentations.
This talk will provide a quick overview honeypots, an explanation of the cyber deception space, and the benefits of implementing deception as part of your cyber defense program. In addition, this talk will highlight the HoneyDB project, which enables anyone to get started with operating deception sensors and start collecting threat information. Finally, this presentation will describe how I built scalable honeypot sensor collection, employing a "Frankenstein Cloud Architecture", for minimal cost.
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CKSymantec
Experts from Symantec and MITRE explore the latest research and best practices for detecting targeted ransomware in your environment.
Watch on-demand webinar here: https://symc.ly/2L7ESFI.
I'm All Up in Your Blockchain - Hunting Down the NazisJohn Bambenek
In the wake of the white supremacist rally in Charlottesville, Virginia and the car attack in the aftermath, normal people wondered what is behind the resurgence of racial extremism. In looking at some of the figureheads of this movement, it was immediately apparent that several fund their operations with bitcoin with several holding thousands of dollars and a few holding millions (as of today's exchange rate). This talk will cover the research efforts into figuring out the adversaries behind the white supremacist movement, who is funding them, and the results of publishing their transactions on a live twitter feed at @neonaziwallets. We will show how they are getting their big money and what can be done to disrupt their activities. This talk will also cover an open-source twitter bot script that can monitor transactions to defined wallets and demonstrate how various exchanges leak information that allow visibility into other altcoins, particularly monero.
MISP Summit 2018: Barncat: Using MISP for Bulk Malware SurveillanceJohn Bambenek
This is a talk given at the MISP summit in Luxembourg on how the Barncat malware configuration uses MISP to share data and the interesting things you can do with a huge body of malware configurations.
SANSFIRE - Elections, Deceptions and Political BreachesJohn Bambenek
Its been the year of political breaches. While campaigns are odd entities, there are lessons enterprises can draw from what happened in 2016 to protect their organizations from attacks.
Blackhat USA 2014 - The New Scourge of RansomwareJohn Bambenek
In March of this year, a Romanian man killed himself and his 4-year old son because of a ransomware he received after visiting adult websites. This "police impersonation" malware instructed him to pay a massive fine or else go to jail for 11 years. Ransomware isn't a new threat; however, it introduced new life with CryptoLocker, the very first variant to perform encryption correctly, thussignificantly inhibiting security researchers and their typical countermeasures. Due to its unique nature, CryptoLocker is one of the few current malware campaigns that spawned its own working group focused around remediation. As time progressed, other ransomware copycat campaigns emerged, some of which got media attention even though they were nothing but vaporware.
This talk will focus on what the threat intelligence community did in response to this threat, including the development of near-time tracking of its infrastructure and what can be learned in order to manage new threats as they emerge.
IESBGA 2014 Cybercrime Seminar by John BambenekJohn Bambenek
This talk by John Bambenek, "What Small Businesses and Entrepreneurs Need to Know About Cybercrime" was given at IESBGA 2014 on May 30th, 2014 at Illinois State University.
Champaign EDC Cybersecurity Seminar by John Bambenek - March 25, 2014John Bambenek
Every day we hear more and more about credit cards getting stolen, businesses getting hacked and national secrets being pilfered from our government. In this seminar, you’ll learn:
- what threats small businesses need to be aware of
- what threats are hype
- how small businesses can protect themselves in a cost-effective way
- you’ll walk away with 5 things you can do in your small business to be more secure without having to buy a single piece of software
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
2. Intro
Sr. Threat Analyst for Fidelis Cybersecurity
Adjunct Faculty in CS Department at the
University of Illinois at Urbana-Champaign
Producer of open-source intel feeds
Work with companies and LE all over the
world to address growth in cybercrime
3. About Threat Intelligence
Information is a set of unprocessed data that may
or may not contain actionable intelligence.
Intelligence is the art of critically examining
information to draw meaningful and actionable
conclusions based on observations and
information.
Involves analyzing adversary capabilities,
intentions and motivations.
4. Adversarial objectives
Here we are generally talking about organized
crime, usually financially motivated.
What we know:
Highly rational actors
May hire “outside experts” for specific tasks
Generally technological sophisticated
Desire to remain “quiet” and resilient
5. My Objectives
Any good intelligence program needs to also
analyze your own objectives.
I investigate and try to disrupt criminal networks,
so my objective is externally focused.
These efforts are directed toward “criminal”
actors, nation-state / APT threats would require a
different focus.
Most people are defensively focused so their
information priorities are different.
6. Malware C2 Network Types
Static IP / Hostname Lists
Proxied C2s
Dynamic DNS
Fast Flux / Double Flux Networks
Domain Generation Algorithms
Tor / i2p hidden services
7. A History of Malware C2 Networks
An adversary wants to persist over the long-term
and make their networks more resilient against
enforcement actions.
Domains tend to be easier to take down the IPs
due to avoidance of jurisdictional issues.
Development over time will largely show
adversaries have acted in ways to ensure
increased resiliency.
We can continue to map forward over time
where they are likely to go in the future as a
result.
8. Use of Multiple Techniques
The most resilient malware C2 use multiple
methods of callback.
Static Lists
DGAs
Tor/I2P
If one or two are blocked, still able to control
machine.
To affect a takedown, need to block all means of
communication and updating victim machines.
9. Domain Generation Algorithms
Usually a complex math algorithm to create
pseudo-random but predictable domain names.
Now instead of a static list, you have a dynamic
list of hundreds or thousands of domains and
adversary only needs to have a couple registered
at a time.
Can search for “friendly” registrars to avoid
suspension.
10. Reverse Engineering DGAs
Many blog posts about reversing specific DGAs,
Johannes Bader has the most online at his blog:
Johannesbader.ch
No real shortcuts except working through
IDA/Debugger and reversing the function.
Look for functions that iterate many times.
There will be at least a function to generate the
domains and a function to connect to all of them to
find the C2.
As with all reverse engineering, be aware of
obfuscation and decoy code meant to deceive you.
12. Types of DGAs
Almost all DGAs use some time of “Seed”.
Types:
Date-based
Static seed
Dynamic seed
Seed has to be globally consistent so all
victims use the same one at the same time.
13. Other DGA Hardening Techniques
Choice of gTLD matters.
Some doing have WHOIS protection, make it hard
to sinkhole
Rotation of seeds
Some malware has rudimentary “sinkhole
awareness”
Adversarial objectives: Maintain control, limit
surveillance
14. Examples of select DGAs - Cryptolocker
Used 1000 domains a day across 7 gTLDs.
Order domains are queries in based on
GetTickCount()
Eerily similar to DGA described in Wikipedia
article on DGAs.
Used previously by Flashback OSX Worm.
Never changed during the life of the malware
campaign.
Successfully taken down in June 2014.
Special thanks to Vladimir Kropotov for his help
on this!
15. Examples of select DGAs - Cryptolocker
Intel conclusions:
Likely written by a third party.
Went days without a domain registered, actor
wanted to get paid but wasn’t overly concerned
about keeping everything going 24x7.
Tended not to shift registrar even after domains
were suspended.
Likely didn’t monitor his own domains because
the ratio of malicious to sinkholed domains was
about 1:125.
Way to go on the OPSEC good guys. D
16. Examples of select DGAs - Tinba
Generated 1,000 domains a day, not date-
seeded.
Seeded by an initial hostname and a defined
gTLD (one or more).
Changes seeds often and tends to update
already infected machines.
At least sinkholing tended to be ineffective for more than a
few days.
17. Examples of select DGAs - Tinba
Intelligence conclusions:
These guys care about their infrastructure.
Likely they are actively monitoring to see when their DGA is
cracked and adapting accordingly.
Likely they wrote DGA with this kind of flexibility in mind.
18. Examples of select DGAs - Bedep
Uses a dynamic seed – currency exchange
values for foreign currency
European Central Bank produces daily feeds of
the rates, this is used as source data.
Impossible to predict in advance even though
code to generate the domains is publicly
available.
http://asert.arbornetworks.com/bedeps-dga-trading-foreign-
exchange-for-malware-domains/
19. Examples of select DGAs - Bedep
To date, all successful takedowns (and for that
matter unsuccessful takedowns) seized malicious
DGA domains in advance while simultaneously
suspending current domains.
This would decapitate a botnet if and only if there
was no fallback mechanism to reach the C2 (i.e.
tor).
How can you do this for Bedep when you don’t
know future currency values?
Intelligence conclusion: this is obviously an intentional choice.
20. Examples of Select DGAs – Matsnu and Rovnix
Matsnu and Rovnix both use wordlists to generate domains that appear like they
would be “reasonable”. Rovnix uses the US Declaration of Independence.
Problem is that sometimes there is collisions with real domains.
teamroomthing.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08-
16
transitionoccur.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08-
16
windbearboxreceive.com,Domain used by matsnu DGA for 16 Aug
2015,2015-08-16
winner-care-sir.com,Domain used by matsnu DGA for 16 Aug 2015,2015-08-
16
theirtheandaloneinto.com, Domain used by Rovnix DGA
thathistoryformertrial.com, Domain used by Rovnix DGA
tothelayingthatarefor.com, Domain used by Rovnix DGA
definebritainhasforhe.com, Domain used by Rovnix DGA
tosecureonweestablishment.com, Domain used by Rovnix DGA
21. What the use of DGAs gives the good guys
Easy ability to sinkhole unused DGA domains
to gather additional intelligence.
Easier ability to do bulk takedowns.
*IF* you can predict domains in advance.
The ability to surveil malicious infrastructure
in near real-time.
22. What the use of DGAs gives the good guys
The use of DNS in malware severely limits the
ability of the adversary to play games.
They need the world to be able to find their
infrastructure in order to control victim
machines.
Even when DGA changes, the adversary
**tends** not to immediately change their
infrastructure too.
Allows for the use of passive DNS to see the
extent of DGA changes.
23. Sinkholing
Many security companies do this.
Many want to hide the fact they do this.
Most adversaries aren’t stupid enough to not
notice.
Remember, Cryptolocker we had 125 or so
sinkholed domain for every 1 malicious
domain.
24. Feed generation on DGAs
sjuemopwhollev.co.uk,Domain used by Cryptolocker - Flashback DGA for 13
Aug 2015,2015-08-13
meeeqyblgbussq.info,Domain used by Cryptolocker - Flashback DGA for 13
Aug 2015,2015-08-13
ntjqyqhqwcwost.com,Domain used by Cryptolocker - Flashback DGA for 13
Aug 2015,2015-08-13,
nvtvqpjmstuvju.net,Domain used by Cryptolocker - Flashback DGA for 13 Aug
2015,2015-08-13
olyiyhprjuwrsl.biz,Domain used by Cryptolocker - Flashback DGA for 13 Aug
2015,2015-08-13
sillomslltbgyu.ru,Domain used by Cryptolocker - Flashback DGA for 13 Aug
2015,2015-08-13
gmqjihgsfulcau.org,Domain used by Cryptolocker - Flashback DGA for 13 Aug
2015,2015-08-13,
From here you could easily feed this into RPZ or other
technology to protect your organization. But we want
more.
25. How to set up surveillance on a DGA
Easy to set up with shell scripting and a non-
t1.micro AWS instance.
Requires GNU parallel and adns-tools to
handle bulk DNS queries.
26. DGA surveillance
Pre-generate all domains 2 days before to 2 days
in future.
Pipe all those domains into adnshost using
parallel to limit the number of lines.
Able to process over 700,000 domains inside 10
minutes (and I’m not done optimizing).
parallel -j4 --max-lines=3500 --pipe adnshost -a -f < $list-of-
domains | fgrep -v nxdomain >> $outputfile
27. Tinba DGA feed example
bcldleeivfii.com,Domain used by tinba,2015-08-15 04:15
bfoxyvqtolmn.com,Domain used by tinba,2015-08-15 04:15
cniuybkgxelo.com,Domain used by tinba,2015-08-15 04:15
dgscodhlppkk.com,Domain used by tinba,2015-08-15 04:15
djnmllhgwtff.net,Domain used by tinba,2015-08-15 04:15
This is active not-known-sinkhole domains
current resolving.
28. A note on intelligence bias
How we look at threats and what we tend to
do with information will affect how we gather
intel and how we process it.
I tend to be involved in takedowns so I am
generally uninterested in sinkholes.
If you protect an organization, however, you
care about your client machines reaching out
to sinkholes because they are still infected.
29. Tinba IP list
5.230.193.215,IP used by tinba C&C,2015-08-15 04:15
54.72.9.51,IP used by tinba C&C,2015-08-15 04:15
95.163.121.201,IP used by tinba C&C,2015-08-15 04:15
104.27.169.12,IP used by tinba C&C,2015-08-15 04:15
104.28.13.180,IP used by tinba C&C,2015-08-15 04:15
Seems like a good list to firewall…
More on that in a moment.
30. Should also check NS info too
5.230.193.215,Nameserver IP used by tinba C&C,2015-08-15 04:21
5.45.69.31,Nameserver IP used by tinba C&C,2015-08-15 04:21
46.166.189.99,Nameserver IP used by tinba C&C,2015-08-15 04:21
50.7.230.28,Nameserver IP used by tinba C&C,2015-08-15 04:21
54.75.226.194,Nameserver IP used by tinba C&C,2015-08-15 04:21
31. Should also check NS info too
ns3.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21
ns4.freedns.ws,Nameserver used by tinba C&C,2015-08-15 04:21
ns-canada.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21
ns-uk.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21
ns-usa.topdns.com,Nameserver used by tinba C&C,2015-08-15 04:21
With these two data points you can usually
quickly validate what is a sinkhole and what is
likely malicious and bears further investigation.
32. DGA Surveillance
Looking at those four data points you now
have solid information to make decisions
based on the data.
You could block domains/IPs.
You could block nameservers (some times).
33. Adversarial Response
Adversaries know we are doing this.
In response:
They change seeds frequently
They have non-DGA communication
mechanisms
They engage in counterintelligence
34. Counterintelligence
The tactics by which an adversary thwarts
attempts to gather information on itself.
Remember the domain and IP lists before?
What if an adversary registers domains that
they aren’t using?
35. Counterintelligence – or worse version
What if adversary knows you pump these IP lists directly into
your firewall (and I know people do this with my feeds)?
Anyone recognize these IP addresses? They are the DNS Root
Servers
198.41.0.4
192.228.79.201
192.33.4.12
199.7.91.13
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
199.7.83.42
202.12.27.33
36. Counterintelligence – or worse version
Taking action on information without analysis is
generally a bad idea, especially when the
information is under the complete control of the
adversary.
This is why intelligence analysis is so important.
(I whitelisted the root servers after I noticed an
adversary tried to do an attack similar to this.)
37. Whois Registrar Intel
Often actors may re-use registrant information
across different campaigns. There may be other
indicators too.
Sometimes *even with WHOIS privacy protection*
it may be possible to correlate domains and by
extension the actor.
Most criminal prosecution in cybercrime is due to
an OPSEC fail and the ability to map backwards in
time of what the actor did to find that fail that
exposes them.
38. Whois Info
• Many actors will use WHOIS protection… some just use fake
information.
• “David Bowers” is common for Bedep.
ubuntu$ grep "David Bowers" *.txt | grep Registrant
whois-bfzflqejohxmq.com.txt:Registrant Name: David Bowers
whois-demoqmfritwektsd.com.txt:Registrant Name: David Bowers
whois-eulletnyrxagvokz.com.txt:Registrant Name: David Bowers
whois-lepnzsiqowk94.com.txt:Registrant Name: David Bowers
whois-mhqfmrapcgphff4y.com.txt:Registrant Name: David Bowers
whois-natrhkylqoxjtqt45.com.txt:Registrant Name: David Bowers
whois-nrqagzfcsnneozu.com.txt:Registrant Name: David Bowers
whois-ofkjmtvsnmy1k.com.txt:Registrant Name: David Bowers
39. David Bowers
bfzflqejohxmq.com,Domain used by bedep (-4 days to today),2015-08-16
eulletnyrxagvokz.com,Domain used by bedep (-4 days to today),2015-08-16
natrhkylqoxjtqt45.com,Domain used by bedep (-4 days to today),2015-08-16
nrqagzfcsnneozu.com,Domain used by bedep (-4 days to today),2015-08-16
But why stop with just known DGAs, what other domains are associated with “David
Bowers”?
41. Surveillance is nice, what about notification?
Creation of feeds and intake is still a passive
tactic.
It is all possible to automate notifications
when key changes happen to allow for more
near-time actions.
This uses the Pushover application (Apple and
Google stores) which has a very simple API.
45. Pivoting
Now that I know the-fancastar.com and j-
manage.com serve NS for Matsnu, I can see what
else is served by those nameservers to find
additional intelligence.
As of 24 Aug, this has switched to nausoccer.net
and kanesth.com
Caution is due, this may not always yield results
and may yield false positives. Always correlate
with something else before making a final
judgement.
46. Pivoting
Using IP from Matsnu 31.210.120.103
hostkale.com. IN A 31.210.120.103
ns1.hostkale.com. IN A 31.210.120.103
ns2.hostkale.com. IN A 31.210.120.103
linuxtr.hostkale.com. IN A 31.210.120.103
mobiluzman.com. IN A 31.210.120.103
habertemasi.com. IN A 31.210.120.103
kinghackerz.com. IN A 31.210.120.103
eglencekeyfi.com. IN A 31.210.120.103
ns1.eglencekeyfi.com. IN A 31.210.120.103
nejdetkuafor.com. IN A 31.210.120.103
profitstring.com. IN A 31.210.120.103
sirketrehber.com. IN A 31.210.120.103
actstudy-meat.com. IN A 31.210.120.103
….
47. Last adversarial response
Starting to see sinkhole-aware malware.
Some malware always authenticated the C2,
but sinkholes still could gather intel.
Now malware is being written to attempt to
bypass sinkholes altogether.
48. The Future?
DGAs will be around for awhile as part of
several methods of communication to victim
machines.
Tor/I2P will continue to be used because of its
advantages but DGAs still needed due to ease
of blocking tor.
Increase in the use of “interesting” dynamic
seeds.
49. Questions?
Thanks Daniel Plohmann, April Lorenzen, Andrew
Abakumov, Anubis Networks, many others.
And thanks HITCON!
My feeds: osint.bambenekconsulting.com/feeds/
jcb@bambenekconsulting.com
www.bambenekconsulting.com
+1 312 425 7225