SlideShare ist ein Scribd-Unternehmen logo

DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve Intermediary Incentives

Splend
Splend

Intermediaries such as registries, registrars, DNS providers and hosting providers are responsible for the security of domains. However, it can be hard to hold any one of them directly responsible for any domain. In this presentation, we analyze the interplay between these four actors. We also provide some evidence that the concentrations of maliciously registered and hacked domains are due to some attackers’ profit maximizing behaviors such as abusing free hosting and domain registration services, hacking more easily available targets like shared hosting, and hosting a few resilient name server.

Technologie
1 von 22
Downloaden Sie, um offline zu lesen
REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs A project in collaboration with SIDN and NCSC Maciej Korczy ski Delft University of Technology Contact: maciej.korczynski@tudelft.nl DHPA Techday 21 May 2015, The Hague
REMEDI3S-TLD
REMEDI3S-TLD
REMEDI3S-TLD
REMEDI3S-TLD
Agenda •  REMEDI3S-TLD •  Security incidents •  Types of security metrics •  Security metrics for TLDs •  Security metrics for hosting providers •  Practical application •  Summary
Security incidents •  Blacklists •  APWG •  Shadowserver (botnet C&C, Sandbox URLs, etc.) •  ESET, Sophos, Fortinet •  Google's Safe browsing appeals •  Malware Must Die •  Phishtank •  Zeus tracker •  Dutch child pornography hotline •  Etc. •  Farsight security (dns-db)
Types of security metrics •  Different layers of security metrics: •  Top Level Domains (TLDs) •  Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers •  Network resources managed by each of the players, such as resolvers, name servers
Security metrics for TLDs •  Size estimate for different market players, e.g. TLDs •  Problem: access to zone files of all TLDs •  Solution: zone files, APWG reports, DNS-DB
•  Type of reputation metrics •  Problem: estimation of the amount of badness •  Solutions (TLDs): a)  Number of unique domains b)  Number of FQDN c)  Number of URLs Security metrics for TLDs
•  Type of reputation metrics •  Problem: up-times of maliciously registered/compromised domains •  Solutions: a)  DNS-based scanner b)  Content-based scanner Security metrics for TLDs
Results •  Estimation of the amount of badness for TLD •  Datasets: suitability, coverage
Results •  Estimation of the amount of badness
Results •  Estimation of the amount of badness
Results •  Estimation of the amount of badness
Security metrics for hosting providers 1.  Count badness per AS across different data sources 2.  Normalize for the size of the AS (in 3 ways) Abuse&Feeds& p*DNS&/&IP& Rou3ng& •  Shadow'Server'Compromise' •  Shadow'Server'Sandbox'URL' •  Zeustracker'C&Cs' •  MLAT'requests' •  APWG' •  StopBadware' •  …' ' #"Advertised"IPs" #"IPs"in"p/DNS" #"Domains"Hosted" Abuse&Mapping& Size&Mapping& •  Farsight'Security'pHDNS'Data' •  Internet'IP'RouLng'Data' ' #"Unique"Abuse"/"AS" Abuse&Maps& PhishTank' AS#1'!'"''100'' AS#2'!'"''200' MLAT' AS#1'!'"''50' AS#2'!'"''73' Size&Maps& AdverLsed'IPs' AS#1'!'"''256' AS#2'!'"''1024' 'Domains'Hosted' AS#1'!'"''23' AS#2'!'"''1232' Normaliza3on& Normalized& Abuse& PhishTank'/'Advrt.'IPs' AS#1'!'"''0.39' AS#2'!'"''0.19' PhishTank'/'Domains' Hosted' AS#1'!'"''4.34' AS#2'!'"''0.16' MLAT'/'Advrt.'IPs' AS#1'!'"''0.19' AS#2'!'"''0.07' MLAT'/'Domains'Hosted' AS#1'!'"''2.17' AS#2'!'"''0.05' •  #"Abuse"/"Size"
3.  Rank ASes on amount of badness 4.  Aggregate rankings (Borda count) 5.  Identify ASes with consistently high concentrations of badness Rank& Abuse&Ranking& PhishTank'Ranking'1' AS#1'!'"''834' AS#2'!'"''833' PhishTank'Ranking'2' AS#1'!'"''834' AS#2'!'"''833' MLAT'Ranking'1' AS#1'!'"''235' AS#2'!'"''234' MLAT'Ranking'2' AS#1'!'"''235' AS#2'!'"''234' Combine& Ranks& Sort"Rank"" High"!"Low" Borda"Count" Overall&Ranking& Borda'Count'Ranking' AS#1'!'"''2354' AS#2'!'"''1834' AS#3'!'"''1542' AS#4'!'"''1322' Normalized& Abuse& PhishTank'/'Advrt.'IPs' AS#1'!'"''0.39' AS#2'!'"''0.19' PhishTank'/'Domains' Hosted' AS#1'!'"''4.34' AS#2'!'"''0.16' MLAT'/'Advrt.'IPs' AS#1'!'"''0.19' AS#2'!'"''0.07' MLAT'/'Domains'Hosted' AS#1'!'"''2.17' AS#2'!'"''0.05' Security metrics for hosting providers
Practical application •  Incentive structures that drive the DNS ecosystem •  “Clean Netherlands”: Enhance self cleansing ability of the Dutch hosting market by •  promoting best practices and awareness •  pressuring the rotten apples
Summary •  REMEDI3S-TLD •  Security metrics for TLDs •  Security metrics for hosting providers •  Practical application
ACKNOWLEDGEMENTS The research leading to these results was funded by SIDN (www.sidn.nl)

Empfohlen

Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Basic ethical hacking and cyber security
Basic ethical hacking and cyber securityBasic ethical hacking and cyber security
Basic ethical hacking and cyber security
Faysal Ahmed
 
How to Protect Your Organization from the Ransomware Epidemic
How to Protect Your Organization from the Ransomware EpidemicHow to Protect Your Organization from the Ransomware Epidemic
How to Protect Your Organization from the Ransomware Epidemic
Tripwire
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Danny Akacki
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
Anjum Ahuja
 

Empfohlen

Hunting on the Cheap
Hunting on the CheapHunting on the Cheap
Hunting on the Cheap
EndgameInc
 
Basic ethical hacking and cyber security
Basic ethical hacking and cyber securityBasic ethical hacking and cyber security
Basic ethical hacking and cyber security
Faysal Ahmed
 
How to Protect Your Organization from the Ransomware Epidemic
How to Protect Your Organization from the Ransomware EpidemicHow to Protect Your Organization from the Ransomware Epidemic
How to Protect Your Organization from the Ransomware Epidemic
Tripwire
 
PHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On LabPHDays 2018 Threat Hunting Hands-On Lab
PHDays 2018 Threat Hunting Hands-On Lab
Teymur Kheirkhabarov
 
Hunting before a Known Incident
Hunting before a Known IncidentHunting before a Known Incident
Hunting before a Known Incident
EndgameInc
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Danny Akacki
 
TTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil RefineriesTTPs for Threat hunting In Oil Refineries
TTPs for Threat hunting In Oil Refineries
Dragos, Inc.
 
Hunting on the cheap
Hunting on the cheapHunting on the cheap
Hunting on the cheap
Anjum Ahuja
 
Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of Logs
Jack Crook
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
Jeremy Li
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive Enterprise
Jeremy Li
 
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
EC-Council
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
Rishabh Upadhyay
 
SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
SplunkLive! London - Scoping Infections and Disrupting Breaches breakoutSplunkLive! London - Scoping Infections and Disrupting Breaches breakout
SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
Splunk
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
Ashwini Almad
 
Talos
TalosTalos
Talos
Muhammad ilyas
 
Network Information And Security
Network Information And SecurityNetwork Information And Security
Network Information And Security
anandk10
 
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Core Security
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
Christiaan Beek
 
Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
Agnel Chittilappilly
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With Tapio
Invincea, Inc.
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
Base Metal Forensics
Base Metal ForensicsBase Metal Forensics
Base Metal Forensics
Napier University
 
JAKU Botnet Analysis
JAKU Botnet AnalysisJAKU Botnet Analysis
JAKU Botnet Analysis
Napier University
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE - ATT&CKcon
 
2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis
Liza Charalambous
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
Ashwini Almad
 
Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
Tzar Umang
 
Attaining data security in cloud computing
Attaining data security in cloud computingAttaining data security in cloud computing
Attaining data security in cloud computing
Gopinath Muthusamy
 

Weitere ähnliche Inhalte

Was ist angesagt?

TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
EC-Council
 
Network Information And Security
Network Information And SecurityNetwork Information And Security
Network Information And Security
anandk10
 
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Core Security
 
2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis
Liza Charalambous
 

Was ist angesagt? (20)

Billions & Billions of Logs
Billions & Billions of LogsBillions & Billions of Logs
Billions & Billions of Logs
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
Discover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy LiDiscover advanced threats with threat intelligence - Jeremy Li
Discover advanced threats with threat intelligence - Jeremy Li
 
Threat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive EnterpriseThreat Intelligence Ops In-Depth at Massive Enterprise
Threat Intelligence Ops In-Depth at Massive Enterprise
 
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
TakeDownCon Rocket City: “White Hat Anonymity”: Current challenges security r...
 
Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing Ethical Hacking and Penetration Testing
Ethical Hacking and Penetration Testing
 
SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
SplunkLive! London - Scoping Infections and Disrupting Breaches breakoutSplunkLive! London - Scoping Infections and Disrupting Breaches breakout
SplunkLive! London - Scoping Infections and Disrupting Breaches breakout
 
Extracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet NoiseExtracting the Malware Signal from Internet Noise
Extracting the Malware Signal from Internet Noise
 
Talos
TalosTalos
Talos
 
Network Information And Security
Network Information And SecurityNetwork Information And Security
Network Information And Security
 
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
Network Insight: How To Assess Findings - Tier 1 SOC Triage - Mark Gilbert ,T...
 
The 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypseThe 4horsemen of ics secapocalypse
The 4horsemen of ics secapocalypse
 
Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
 
Minimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With TapioMinimizing Dwell Time On Networks In IR With Tapio
Minimizing Dwell Time On Networks In IR With Tapio
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
Base Metal Forensics
Base Metal ForensicsBase Metal Forensics
Base Metal Forensics
 
JAKU Botnet Analysis
JAKU Botnet AnalysisJAKU Botnet Analysis
JAKU Botnet Analysis
 
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
MITRE ATT&CKcon 2018: Detection Philosophy, Evolution & ATT&CK, Fred Stankows...
 
2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis2019 cou kolokotronis_nicholas - nicholas kolokotronis
2019 cou kolokotronis_nicholas - nicholas kolokotronis
 
Worst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are DetectedWorst-Case Scenario: Being Detected without Knowing You are Detected
Worst-Case Scenario: Being Detected without Knowing You are Detected
 

Ähnlich wie DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve Intermediary Incentives

Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
Fidelis Cybersecurity
 
Next-Generation SIEM: Delivered from the Cloud
Next-Generation SIEM: Delivered from the Cloud Next-Generation SIEM: Delivered from the Cloud
Next-Generation SIEM: Delivered from the Cloud
Alert Logic
 
Secure and Privacy-Preserving Big-Data Processing
Secure and Privacy-Preserving Big-Data ProcessingSecure and Privacy-Preserving Big-Data Processing
Secure and Privacy-Preserving Big-Data Processing
Shantanu Sharma
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Andrew Morris
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Ruby Meditation
 

Ähnlich wie DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve Intermediary Incentives (20)

Cloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-wareCloud security From Infrastructure to People-ware
Cloud security From Infrastructure to People-ware
 
Attaining data security in cloud computing
Attaining data security in cloud computingAttaining data security in cloud computing
Attaining data security in cloud computing
 
Extending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWSExtending Your Network Cloud Security to AWS
Extending Your Network Cloud Security to AWS
 
Malicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine LearningMalicious Client Detection Using Machine Learning
Malicious Client Detection Using Machine Learning
 
Malicious Client Detection using Machine learning
Malicious Client Detection using Machine learningMalicious Client Detection using Machine learning
Malicious Client Detection using Machine learning
 
Next-Generation SIEM: Delivered from the Cloud
Next-Generation SIEM: Delivered from the Cloud Next-Generation SIEM: Delivered from the Cloud
Next-Generation SIEM: Delivered from the Cloud
 
Secure and Privacy-Preserving Big-Data Processing
Secure and Privacy-Preserving Big-Data ProcessingSecure and Privacy-Preserving Big-Data Processing
Secure and Privacy-Preserving Big-Data Processing
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
SIEM.pdf
SIEM.pdfSIEM.pdf
SIEM.pdf
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local London 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
 
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse TeamsUsing GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
Using GreyNoise to Quantify Response Time of Cloud Provider Abuse Teams
 
RISC-V 30946 manuel_offenberg_v3_notes
RISC-V 30946 manuel_offenberg_v3_notesRISC-V 30946 manuel_offenberg_v3_notes
RISC-V 30946 manuel_offenberg_v3_notes
 
Data trustworthiness at the edge
Data trustworthiness at the edgeData trustworthiness at the edge
Data trustworthiness at the edge
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
Data encryption for Ruby web applications - Dmytro Shapovalov (RUS) | Ruby Me...
 
DNS Security, is it enough?
DNS Security, is it enough? DNS Security, is it enough?
DNS Security, is it enough?
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale
 

Mehr von Splend

Mehr von Splend (20)

Fiber Vakdag 2019 - Gerben Roseboom - MapXact
Fiber Vakdag 2019 - Gerben Roseboom - MapXactFiber Vakdag 2019 - Gerben Roseboom - MapXact
Fiber Vakdag 2019 - Gerben Roseboom - MapXact
 
Fiber Vakdag 2019 - Lex Wils - FCA
Fiber Vakdag 2019 - Lex Wils - FCAFiber Vakdag 2019 - Lex Wils - FCA
Fiber Vakdag 2019 - Lex Wils - FCA
 
Martin Pels - NLNog ring
Martin Pels - NLNog ringMartin Pels - NLNog ring
Martin Pels - NLNog ring
 
Wido den Hollander - IPv6
Wido den Hollander - IPv6Wido den Hollander - IPv6
Wido den Hollander - IPv6
 
Pim van Stam - BGP
Pim van Stam - BGPPim van Stam - BGP
Pim van Stam - BGP
 
Bart Lageweg - Ansible/Cobbler
Bart Lageweg - Ansible/CobblerBart Lageweg - Ansible/Cobbler
Bart Lageweg - Ansible/Cobbler
 
6projects - Eyle Brinkhuis - SURFnet - Virtuele Netwerkfuncties
6projects - Eyle Brinkhuis - SURFnet - Virtuele Netwerkfuncties6projects - Eyle Brinkhuis - SURFnet - Virtuele Netwerkfuncties
6projects - Eyle Brinkhuis - SURFnet - Virtuele Netwerkfuncties
 
HSB15 - Dr. Michel van Eeten - TU Delft
HSB15 - Dr. Michel van Eeten - TU DelftHSB15 - Dr. Michel van Eeten - TU Delft
HSB15 - Dr. Michel van Eeten - TU Delft
 
HSB15 - Xander Jansen - SURFnet
HSB15 - Xander Jansen - SURFnetHSB15 - Xander Jansen - SURFnet
HSB15 - Xander Jansen - SURFnet
 
HSB15 - 0xDUDE
HSB15 - 0xDUDEHSB15 - 0xDUDE
HSB15 - 0xDUDE
 
HSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECHHSB15 - Pavel Minarik - INVEATECH
HSB15 - Pavel Minarik - INVEATECH
 
HSB15 - Aiko Pras - TU Twente
HSB15 - Aiko Pras - TU TwenteHSB15 - Aiko Pras - TU Twente
HSB15 - Aiko Pras - TU Twente
 
HSB15 - Lennert den Teuling - ISPConnect
HSB15 - Lennert den Teuling - ISPConnectHSB15 - Lennert den Teuling - ISPConnect
HSB15 - Lennert den Teuling - ISPConnect
 
HSB15 - Thijs Bosschert - Radically Open Security
HSB15 - Thijs Bosschert - Radically Open SecurityHSB15 - Thijs Bosschert - Radically Open Security
HSB15 - Thijs Bosschert - Radically Open Security
 
HSB15 - Richard Bosboom - HackerOne
HSB15 - Richard Bosboom - HackerOneHSB15 - Richard Bosboom - HackerOne
HSB15 - Richard Bosboom - HackerOne
 
DHPA Techday 2015 - Patrick Savalle - Are you out of your mind?
DHPA Techday 2015 - Patrick Savalle - Are you out of your mind?DHPA Techday 2015 - Patrick Savalle - Are you out of your mind?
DHPA Techday 2015 - Patrick Savalle - Are you out of your mind?
 
DHPA Techday 2015 - Patrick Savalle - Disruptive Technology
DHPA Techday 2015 - Patrick Savalle - Disruptive TechnologyDHPA Techday 2015 - Patrick Savalle - Disruptive Technology
DHPA Techday 2015 - Patrick Savalle - Disruptive Technology
 
DHPA Techday 2015 - Ger Apeldoorn - Deep dive into Puppet
DHPA Techday 2015 - Ger Apeldoorn - Deep dive into PuppetDHPA Techday 2015 - Ger Apeldoorn - Deep dive into Puppet
DHPA Techday 2015 - Ger Apeldoorn - Deep dive into Puppet
 
DHPA Techday 2015 - Johan Benning - HP Mobility
DHPA Techday 2015 - Johan Benning - HP MobilityDHPA Techday 2015 - Johan Benning - HP Mobility
DHPA Techday 2015 - Johan Benning - HP Mobility
 
DHPA Techday 2015 - Arjen Zonneveld - Jelte Jansen - DNSSEC College
DHPA Techday 2015 - Arjen Zonneveld - Jelte Jansen - DNSSEC CollegeDHPA Techday 2015 - Arjen Zonneveld - Jelte Jansen - DNSSEC College
DHPA Techday 2015 - Arjen Zonneveld - Jelte Jansen - DNSSEC College
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 

Kürzlich hochgeladen (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

DHPA Techday 2015 - Maciej Korczyński - Reputation Metrics Design to Improve Intermediary Incentives

  • 1. REMEDI3S-TLD: Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs A project in collaboration with SIDN and NCSC Maciej Korczy ski Delft University of Technology Contact: maciej.korczynski@tudelft.nl DHPA Techday 21 May 2015, The Hague
  • 6. Agenda •  REMEDI3S-TLD •  Security incidents •  Types of security metrics •  Security metrics for TLDs •  Security metrics for hosting providers •  Practical application •  Summary
  • 7. Security incidents •  Blacklists •  APWG •  Shadowserver (botnet C&C, Sandbox URLs, etc.) •  ESET, Sophos, Fortinet •  Google's Safe browsing appeals •  Malware Must Die •  Phishtank •  Zeus tracker •  Dutch child pornography hotline •  Etc. •  Farsight security (dns-db)
  • 8. Types of security metrics •  Different layers of security metrics: •  Top Level Domains (TLDs) •  Market players related to the TLD (infrastructure providers): registrars, hosting providers, DNS service providers •  Network resources managed by each of the players, such as resolvers, name servers
  • 9. Security metrics for TLDs •  Size estimate for different market players, e.g. TLDs •  Problem: access to zone files of all TLDs •  Solution: zone files, APWG reports, DNS-DB
  • 10. •  Type of reputation metrics •  Problem: estimation of the amount of badness •  Solutions (TLDs): a)  Number of unique domains b)  Number of FQDN c)  Number of URLs Security metrics for TLDs
  • 11. •  Type of reputation metrics •  Problem: up-times of maliciously registered/compromised domains •  Solutions: a)  DNS-based scanner b)  Content-based scanner Security metrics for TLDs
  • 12. Results •  Estimation of the amount of badness for TLD •  Datasets: suitability, coverage
  • 13. Results •  Estimation of the amount of badness
  • 14. Results •  Estimation of the amount of badness
  • 15. Results •  Estimation of the amount of badness
  • 16. Security metrics for hosting providers 1.  Count badness per AS across different data sources 2.  Normalize for the size of the AS (in 3 ways) Abuse&Feeds& p*DNS&/&IP& Rou3ng& •  Shadow'Server'Compromise' •  Shadow'Server'Sandbox'URL' •  Zeustracker'C&Cs' •  MLAT'requests' •  APWG' •  StopBadware' •  …' ' #"Advertised"IPs" #"IPs"in"p/DNS" #"Domains"Hosted" Abuse&Mapping& Size&Mapping& •  Farsight'Security'pHDNS'Data' •  Internet'IP'RouLng'Data' ' #"Unique"Abuse"/"AS" Abuse&Maps& PhishTank' AS#1'!'"''100'' AS#2'!'"''200' MLAT' AS#1'!'"''50' AS#2'!'"''73' Size&Maps& AdverLsed'IPs' AS#1'!'"''256' AS#2'!'"''1024' 'Domains'Hosted' AS#1'!'"''23' AS#2'!'"''1232' Normaliza3on& Normalized& Abuse& PhishTank'/'Advrt.'IPs' AS#1'!'"''0.39' AS#2'!'"''0.19' PhishTank'/'Domains' Hosted' AS#1'!'"''4.34' AS#2'!'"''0.16' MLAT'/'Advrt.'IPs' AS#1'!'"''0.19' AS#2'!'"''0.07' MLAT'/'Domains'Hosted' AS#1'!'"''2.17' AS#2'!'"''0.05' •  #"Abuse"/"Size"
  • 17. 3.  Rank ASes on amount of badness 4.  Aggregate rankings (Borda count) 5.  Identify ASes with consistently high concentrations of badness Rank& Abuse&Ranking& PhishTank'Ranking'1' AS#1'!'"''834' AS#2'!'"''833' PhishTank'Ranking'2' AS#1'!'"''834' AS#2'!'"''833' MLAT'Ranking'1' AS#1'!'"''235' AS#2'!'"''234' MLAT'Ranking'2' AS#1'!'"''235' AS#2'!'"''234' Combine& Ranks& Sort"Rank"" High"!"Low" Borda"Count" Overall&Ranking& Borda'Count'Ranking' AS#1'!'"''2354' AS#2'!'"''1834' AS#3'!'"''1542' AS#4'!'"''1322' Normalized& Abuse& PhishTank'/'Advrt.'IPs' AS#1'!'"''0.39' AS#2'!'"''0.19' PhishTank'/'Domains' Hosted' AS#1'!'"''4.34' AS#2'!'"''0.16' MLAT'/'Advrt.'IPs' AS#1'!'"''0.19' AS#2'!'"''0.07' MLAT'/'Domains'Hosted' AS#1'!'"''2.17' AS#2'!'"''0.05' Security metrics for hosting providers
  • 18.
  • 19.
  • 20. Practical application •  Incentive structures that drive the DNS ecosystem •  “Clean Netherlands”: Enhance self cleansing ability of the Dutch hosting market by •  promoting best practices and awareness •  pressuring the rotten apples
  • 21. Summary •  REMEDI3S-TLD •  Security metrics for TLDs •  Security metrics for hosting providers •  Practical application
  • 22. ACKNOWLEDGEMENTS The research leading to these results was funded by SIDN (www.sidn.nl)