Slide 33 (CONFIDENTIAL)
Our Perspective: Diverse Set of Data & Global Internet Visibility
• 70B requests per day
• 160+ countries
• 65M daily active users
• 10K enterprise customers
Slide 34
Our view of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, DNS)
Slide 35
How it works
• Ingest millions of data points per second
• Apply statistical models and human intelligence
• Identify probable malicious sites
(diagram of observed domains grouped by TLD: .com, .cn, .ru, .net)
Slide 37
Investigate: a single, correlated source of information
Types of threat information provided:
• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs: domain generation algorithms, fast-flux networks)
• DNS request patterns / geographic distribution
• Passive DNS database
Slide 41
Predictive Intelligence: Plan, Build, Test / Iterate
• Where will we host the infrastructure?
• How will it be fault tolerant?
• What domains / IPs / networks will I utilize?
• How will the backend scale? Reporting? Uptime?
• Private and public announcement and advertising?
• Testing and iteration of the solution
Slide 51
Anomaly Detection: Identify DGAs
Domain Generation Algorithms: a technique for generating malware domains on the fly
yfrscsddkkdl.com
qgmcgoqeasgommee.org
iyyxtyxdeypk.com
diiqngijkpop.ru
• Does the probability distribution of letters appear random?
• N-gram analysis: do letter pairings match normal language patterns?
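As an added, illustrative example that is not from the original slides: a small Python scorer that asks the two questions on this slide of each domain label, measuring the letter distribution with Shannon entropy and the letter pairings with a bigram check against a reference of benign names. The benign reference list, the entropy and unseen-pair thresholds, and the decision rule are assumptions made here for the demonstration; a production detector would learn its n-gram model from a far larger corpus of known-good domains and tune the thresholds against labelled data.

```python
import math
from collections import Counter

# Constructed reference list of benign second-level labels (an assumption used
# in place of a real allow-list such as a top-sites feed); the bigram reference
# below is built from these names only.
BENIGN_LABELS = [
    "google", "facebook", "youtube", "amazon", "wikipedia", "twitter",
    "instagram", "linkedin", "microsoft", "apple", "netflix", "reddit",
    "github", "stackoverflow", "mozilla", "cloudflare", "example", "weather",
    "news", "sports", "shopping", "travel", "music", "video", "mail", "bank",
    "school", "health", "research", "online", "store", "network", "security",
]

# The four sample domains shown on the slide.
SUSPECT_DOMAINS = [
    "yfrscsddkkdl.com", "qgmcgoqeasgommee.org",
    "iyyxtyxdeypk.com", "diiqngijkpop.ru",
]

# Decision thresholds are illustrative assumptions, not tuned values.
ENTROPY_THRESHOLD = 3.5   # bits; a flat letter distribution suggests a random generator
UNSEEN_THRESHOLD = 0.5    # share of letter pairs never seen in benign names


def second_level_label(domain):
    """Return the registrable label of a domain, keeping only a-z.

    'diiqngijkpop.ru' -> 'diiqngijkpop'. Digits and hyphens are dropped, a
    simplification that is adequate for the letter-only samples on the slide.
    """
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(ch for ch in label if "a" <= ch <= "z")


def letter_entropy(label):
    """Shannon entropy (bits) of the label's letter distribution: question one."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def bigrams(label):
    """Adjacent letter pairs of a label, in order."""
    return [label[i:i + 2] for i in range(len(label) - 1)]


def build_bigram_set(labels):
    """Every adjacent letter pair that occurs in the benign reference names."""
    seen = set()
    for label in labels:
        seen.update(bigrams(label))
    return seen


BENIGN_BIGRAMS = build_bigram_set(BENIGN_LABELS)


def unseen_bigram_fraction(label, reference=BENIGN_BIGRAMS):
    """Share of the label's letter pairs absent from the reference: question two."""
    pairs = bigrams(label)
    if not pairs:           # one-letter label has no pairings to judge
        return 0.0
    return sum(1 for p in pairs if p not in reference) / len(pairs)


def classify(domain):
    """Return both features and a verdict for one domain."""
    label = second_level_label(domain)
    entropy = letter_entropy(label)
    unseen = unseen_bigram_fraction(label)
    return {
        "domain": domain,
        "label": label,
        "entropy_bits": round(entropy, 3),
        "unseen_bigram_fraction": round(unseen, 3),
        "suspicious": entropy >= ENTROPY_THRESHOLD or unseen >= UNSEEN_THRESHOLD,
    }


if __name__ == "__main__":
    # "hospital.com" is a constructed benign control that is not in the reference list.
    for d in SUSPECT_DOMAINS + ["hospital.com"]:
        r = classify(d)
        print(f"{r['domain']:24} entropy={r['entropy_bits']:5.3f} "
              f"unseen={r['unseen_bigram_fraction']:5.3f} suspicious={r['suspicious']}")
```

Run it directly to print both features for the slide's four domains and a benign control. The unseen-pair fraction does most of the work on the slide's samples: every one of them is built mostly from letter pairs that never occur in ordinary names, while a real word such as "hospital" is composed entirely of pairs the reference already contains. Entropy alone is a weaker signal because it grows with label length, so long legitimate names can score high; combining the two questions, as the slide suggests, is what makes the check useful.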
Slide 53
Conclusion
§ Do not give up on prevention and shift *all* resources to detection
§ Analyze your security posture for predictive elements
§ Utilize hunting and analytic tools to increase security efficacy
§ Explore security analytics to identify and map attacker infrastructure before the kill chain