Leveraging DNS to Surface Attacker Activity
March 2017 • Josh Liburdi & Chris McCubbin
Presenters
Chris McCubbin
Sqrrl Director of Data Science
Josh Liburdi
Sqrrl Security Technologist
Agenda
• Leveraging DNS data for investigations
• DNS-based data science techniques
• An example of Tunneling and DGA detection
Leveraging DNS Data for Investigations
What is DNS?
1. Client needs to connect to https://www.sqrrl.com and asks its DNS server for the address
2. Client's DNS server doesn't know where sqrrl.com is hosted, forwards the query to an upstream server
3. Upstream DNS server knows sqrrl.com resolves to 104.196.225.76, returns the response
4. Client's DNS server caches the response, sends the response to the client
5. Client connects to https://www.sqrrl.com
How do attackers use DNS?
• Attackers target DNS
– DNS spoofing
– DNS reflection
• Attackers utilize DNS
– Tunneling
– Domain Generation Algorithms (DGA)
– Dynamic DNS
Why is DNS data useful?
Threat Detection: every lookup is an opportunity for the attacker to leave traceable footprints in your network
Incident Investigations: keep track of attacker access in your network
DNS Tunneling Overview
• Data encoded inside of DNS queries (and the responses to them) is sent to an attacker-controlled server that is authoritative for the tunnel zone
• Used for command and control, data exfiltration
• Bypasses common security controls (firewalls, web proxies): the client never talks to the attacker directly, the organization's own recursive resolver carries the traffic out over port 53, which is almost always allowed
Diagram: DNS Tunnel Client (local network) → Local DNS Resolver → Intermediate DNS Resolver → DNS Tunnel Server authoritative for *.tunnel.com (remote network)
DNS Tunneling Overview
Many queries required to transfer moderate amounts of data: a query name holds at most a few hundred bytes, so a 1MB transfer would take ~5k domains
Tunnels produce patterns:
paeqcigq.tunnel.com
pafich3i.tunnel.com
gxqwl0eaytioruga5.tunnel.com
Queried DNS domains tend to be unique: assuming no repeats in the data, each domain will contain unique labels (a repeated name would be answered from the resolver's cache and never reach the tunnel server)
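To make the "many queries" and "unique labels" points concrete, here is an added example (not code from the deck, from Sqrrl, or from any real tunnelling tool) of how a simple tunnel client would pack a payload into query names within the RFC 1035 size limits, how the server reassembles them, and how many queries a transfer of a given size needs. The zone tunnel.com is the slide's placeholder; the base32 encoding, three payload labels per query, the leading sequence-number label and the constructed 1 KiB payload are assumptions for illustration. The number of queries depends on how densely the encoding packs bytes into labels, which is why the slide's ~5k and this example's ~9k for 1 MiB both hold.

```python
import base64
import math

# RFC 1035: a label is at most 63 octets and a full name at most 253
# characters in presentation form (255 octets on the wire).
MAX_LABEL = 63
MAX_NAME = 253

# base32 maps 5 payload bytes to 8 characters, so one full label carries
# 63 * 5 // 8 = 39 bytes of payload.
BYTES_PER_LABEL = MAX_LABEL * 5 // 8


def tunnel_queries(payload: bytes, domain: str, labels_per_query: int = 3) -> list:
    """Return the query names a simple tunnel client would emit for payload.

    Each chunk is base32-encoded (case-insensitive, so it survives resolvers
    that fold case), cut into 63-character labels and prefixed with a
    sequence-number label so the server can reassemble chunks in order,
    e.g. '0.<label>.<label>.<label>.tunnel.com'.  Every name is distinct,
    which is exactly the "unique labels" signature described above.
    """
    chunk = BYTES_PER_LABEL * labels_per_query
    names = []
    for seq, offset in enumerate(range(0, len(payload), chunk)):
        encoded = base64.b32encode(payload[offset:offset + chunk]).decode()
        encoded = encoded.rstrip("=").lower()   # padding is implied by the length
        labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]
        name = ".".join([str(seq), *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"name exceeds {MAX_NAME} characters: {name!r}")
        names.append(name)
    return names


def tunnel_reassemble(names: list, domain: str) -> bytes:
    """Server side: strip the zone, restore base32 padding, reorder by sequence."""
    chunks = {}
    for name in names:
        labels = name[: -len(domain) - 1].split(".")
        encoded = "".join(labels[1:]).upper()
        encoded += "=" * (-len(encoded) % 8)
        chunks[int(labels[0])] = base64.b32decode(encoded)
    return b"".join(chunks[seq] for seq in sorted(chunks))


def queries_needed(size_bytes: int, labels_per_query: int = 3) -> int:
    """How many queries a transfer of size_bytes needs with this encoding."""
    return math.ceil(size_bytes / (BYTES_PER_LABEL * labels_per_query))


if __name__ == "__main__":
    sample = bytes(range(256)) * 4          # constructed 1 KiB payload
    names = tunnel_queries(sample, "tunnel.com")
    print(len(names), "queries, first:", names[0])
    assert tunnel_reassemble(names, "tunnel.com") == sample
    print("1 MiB needs", queries_needed(1 << 20), "queries")
```

Every name produced is unique, fits in one UDP query, and carries ~117 bytes of payload, so even a modest exfiltration shows up as thousands of distinct subdomains under one zone from one client, which is the signal the detection pipeline below keys on.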
DGA Overview
Method of establishing a connection with a command and control server
Used to protect / hide infrastructure and evade detection
Avoids DNS domain blacklisting: the malware generates DNS domains based on an algorithm and a seed, and the operator only needs to register one of the candidates the malware will try
Seed may be hardcoded or determined dynamically (e.g., current datetime)
Example (from en.wikipedia.org/wiki/Domain_generation_algorithm#Example), with the wrapped lines rejoined so it runs:

def generate_domain(year, month, day):
    """Date-seeded DGA: each round mixes the three seed words with shifts
    and XORs and emits one letter, so every date maps to one 16-letter
    name drawn from a..y (a TLD would be appended before querying)."""
    domain = ""
    for _ in range(16):
        year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
        month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
        day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
        domain += chr(((year ^ month ^ day) % 25) + 97)
    return domain
DGA Overview
Source: https://johannesbader.ch/2014/12/the-dga-of-newgoz/
DGAs produce patterns
Visually appear "off": a human would read the domain as strange (pmwtrdsv.ru) or nonsensical (turnipboxsea.com)
Malware may attempt to resolve many unregistered domains, so NXDOMAIN responses pile up for the infected host
ci4u0c10b77f5opvn211n5poa3.com
wiqyhl13dkep615aec27ue2t2t.net
mkguv3bd2hi317d9l8vdy4i6m.org
1xah67i2ayufesns8mh12h1kab.net
17m4oq6jngoka7zxtoq1taebe1.com
DGA Overview
Malware        Seed                                   # Domains in wild
Alureon        Thread ID + milliseconds since boot    5/day
Padcrypt       Date                                   24/day or 72/day
ProsLikeFan    Date, hardcoded                        100/day
Qadars         Date                                   200/day
Qakbot         Date                                   5000/day
Sisron         Date                                   4/day
Source: https://johannesbader.ch/
DNS-Based Data Science Techniques
DNS Data Sources
DNS Tunnel Detection
Pipeline: DNS Data → Filter → DNS Data → Collation → Features → Classifier → Risk → Outliers
DNS Tunnel Detection
Filter: DNS data is split into 1 hour buckets (plot: number of DNS requests over time)
Collation: IP + destination → domain session, one session per client IP and destination domain per bucket
DNS Tunnel Classification Features, computed per session:
• Number of queries
• Number of subdomains
• Average subdomain length
• Average information content of subdomains
DNS Tunnel Classification: the feature vectors go to a classifier, which assigns a risk score and surfaces the outliers
DNS Tunnel Validation: the sessions that surface contain names like
paeqcigq.tunnel.com
pafich3i.tunnel.com
gxqwl0eaytioruga5.tunnel.com
Lessons Learned from testing on Sqrrl DNS data
• There are several potential sources of false positives:
– CDNs
– Anti-virus software
– Internal DNS traffic
– Popular services (Spotify, Slack, …)
• Many of these organize content under long, random-looking subdomain names
• Whitelisting can remove some of these false positives
• A hard cut requiring > K unique subdomains per user per hour helps significantly
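Here is an added example (not the deck's or Sqrrl's implementation) that runs the tunnel side of the pipeline over a constructed DNS log: collation into (client IP, registered domain, one-hour bucket) sessions, the four listed features with Shannon entropy as the "information content" measure, the hard cut of more than K unique subdomains per client per hour, and a whitelist for the known noisy services. The log records, the client IPs, the whitelist contents, the "last two labels" approximation of the registered domain and the thresholds are all assumptions; tunnel.com and slack-msgs.com are the names the slides use.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict


def registered_domain(qname: str) -> str:
    """Last two labels ('tunnel.com' for 'abc.tunnel.com').  Assumption: a real
    deployment consults the Public Suffix List so 'x.example.co.uk' works too."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def subdomain(qname: str) -> str:
    """Everything left of the registered domain ('' for the bare domain)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[:-2])


def shannon_entropy(text: str) -> float:
    """Bits per character: random base32 labels approach 5, English words sit near 3."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def tunnel_features(records, bucket_seconds: int = 3600) -> dict:
    """Collate (client IP, registered domain, hour bucket) sessions and compute the
    four features from the slides.  records are (unix_ts, client_ip, qname)."""
    sessions = defaultdict(list)
    for ts, client, qname in records:
        key = (client, registered_domain(qname), ts // bucket_seconds)
        sessions[key].append(subdomain(qname))
    features = {}
    for key, subs in sessions.items():
        unique = set(subs)
        features[key] = {
            "queries": len(subs),
            "unique_subdomains": len(unique),
            "avg_length": sum(map(len, unique)) / len(unique),
            "avg_entropy": sum(map(shannon_entropy, unique)) / len(unique),
        }
    return features


def flag_tunnels(records, k: int = 10, min_entropy: float = 3.0, whitelist=frozenset()):
    """Hard cut (> k unique subdomains per client per hour) plus an entropy floor;
    whitelisted registered domains (CDNs, chat clients, AV vendors) are skipped."""
    hits = []
    for (client, domain, bucket), f in tunnel_features(records).items():
        if domain in whitelist:
            continue
        if f["unique_subdomains"] > k and f["avg_entropy"] >= min_entropy:
            hits.append((client, domain, bucket, f))
    return sorted(hits, key=lambda h: -h[3]["unique_subdomains"])


def _random_label(i: int, length: int = 20) -> str:
    """Deterministic random-looking label for the constructed sample log."""
    digest = hashlib.sha256(f"sample-{i}".encode()).digest()
    return base64.b32encode(digest).decode().lower()[:length]


T0 = 1_489_996_800   # constructed start time, on an hour boundary (March 2017)
RECORDS = (
    # a tunnel client: 30 distinct random-looking subdomains under one zone
    [(T0 + i * 60, "10.0.0.5", f"{_random_label(i)}.tunnel.com") for i in range(30)]
    # ordinary browsing: the same two names, resolved over and over
    + [(T0 + i * 30, "10.0.0.7", "www.sqrrl.com") for i in range(40)]
    + [(T0 + i * 30, "10.0.0.7", "info.sqrrl.com") for i in range(10)]
    # a chat client that also uses long random-looking names, but is whitelisted
    + [(T0 + i * 60, "10.0.0.7", f"{_random_label(100 + i)}.slack-msgs.com") for i in range(25)]
)
WHITELIST = frozenset({"slack-msgs.com"})

if __name__ == "__main__":
    for client, domain, _, f in flag_tunnels(RECORDS, k=10, whitelist=WHITELIST):
        print(f"{client} -> {domain}: {f}")
```

Without the whitelist the chat client is flagged alongside the tunnel, which is the false-positive class the lessons above describe; with it, only the tunnel session survives. Entropy alone does not separate the two, so the whitelist (or a rate limit on a per-domain basis) is doing real work here, not just the feature math.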
Sqrrl traffic data feature plots
Plot 1: Average Length vs Number of Subdomains (0 to 9000); labelled clusters: Phishing; YouTube, Amazon AWS, CDNs, anti-virus, anti-spam; sqrrl-lab.net; slack-msgs.com
Plot 2: Unique Queries vs Number of Subdomains (full range 0 to 11250, and zoomed to 0 to 1125); labelled clusters: eclampsialemontree.net, slack, sqrrl-lab, anti-virus, Ad servers
eclampsialemontree.net
• Queries to 284 unique subdomains with names like:
– ykzcpj1j4ovv3nc1mcgg27ji7uzf4o
– yhgir5h3ts3rppd3j3bph1se4rjqtj
– pkbenvnzwo2jl2onldka17rv5uu2kd
– kinkascic
– kinkascie
– kinkascig
• Most queried just once, a few 2-4 times
• Length always a multiple of 3, almost always 30 or 9 characters
• Appears to be a malware site that attempts to inject invisible frames into ads
DNS DGA Detection
Pipeline: DNS Data → Filter → DNS Data → Collation → Features → Classifier → Risk → Outliers
Filter / Collation: IP → domain session (plot: requests sent over time for one DNS session)
DNS DGA Classification Features, computed per session:
• Session duration
• Number of unique NxDomains
• Average information content of subdomains
• Histogram for day of the week (0 to 6) and histogram for hour of the day (0 to 24): when the session's queries happen
DNS DGA Classification: Classifier → Risk → Outliers
DNS DGA Validation: the sessions that surface contain names like
ci4u0c10b77f5opvn211n5poa3.com
wiqyhl13dkep615aec27ue2t2t.net
mkguv3bd2hi317d9l8vdy4i6m.org
1xah67i2ayufesns8mh12h1kab.net
17m4oq6jngoka7zxtoq1taebe1.com
Combined DGA Risk Score
Plot: Combined Rank vs Index (-400 to 1800 on both axes) shows the Combined Rank Separation between the Normal and DGA populations
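An added example (not the deck's or Sqrrl's implementation) of the DGA side of the pipeline over a constructed log: sessions keyed by client IP, the three listed features computed over NXDOMAIN responses, the hour-of-day histogram, and a combined rank built by summing each client's per-feature rank. The sample hosts, the generated names, the "second-level label" approximation and the rank-sum combination are assumptions; the slides plot a combined rank but do not state how it is formed.

```python
import math
import random
import string
from collections import Counter, defaultdict
from datetime import datetime, timezone


def shannon_entropy(text: str) -> float:
    """Bits per character of text (the 'information content' feature)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """The label a DGA randomises: 'ci4u0c10b77f5opvn211n5poa3' in
    'ci4u0c10b77f5opvn211n5poa3.com'.  Assumption: a two-label suffix model;
    production code would use the Public Suffix List."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_sessions(records) -> dict:
    """client IP -> features over that client's NXDOMAIN responses.
    records are (unix_ts, client_ip, qname, rcode)."""
    per_ip = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_ip[client].append((ts, qname))
    features = {}
    for client, rows in per_ip.items():
        times = [ts for ts, _ in rows]
        names = {qname for _, qname in rows}
        features[client] = {
            "duration_s": max(times) - min(times),
            "unique_nxdomain": len(names),
            "avg_entropy": sum(shannon_entropy(registrable_label(n)) for n in names) / len(names),
            # when the failures happen: malware beacons around the clock, people do not
            "hour_hist": Counter(datetime.fromtimestamp(ts, timezone.utc).hour for ts in times),
        }
    return features


def combined_rank(features: dict, keys=("unique_nxdomain", "avg_entropy")) -> list:
    """Rank-sum score: each client's rank on each feature (1 = lowest), summed,
    highest first.  Assumption: one simple way to build a combined rank; the
    deck does not give its formula."""
    clients = list(features)
    total = Counter()
    for key in keys:
        for rank, client in enumerate(sorted(clients, key=lambda c: features[c][key]), 1):
            total[client] += rank
    return sorted(((score, client) for client, score in total.items()), reverse=True)


# ---- constructed sample log ----------------------------------------------------
_rng = random.Random(2017)
_alphabet = string.ascii_lowercase + string.digits
DGA_NAMES = ["".join(_rng.choices(_alphabet, k=24)) + _rng.choice([".com", ".net", ".org"])
             for _ in range(40)]
T0 = 1_489_996_800
RECORDS = (
    # infected host: 40 unregistered candidates in a ten-minute burst, then one that resolves
    [(T0 + i * 15, "10.0.0.9", name, "NXDOMAIN") for i, name in enumerate(DGA_NAMES)]
    + [(T0 + 600, "10.0.0.9", "zq8w1tq0b4n2p7.com", "NOERROR")]
    # ordinary workstation: real names resolve, a few typos fail across the day
    + [(T0 + i * 300, "10.0.0.7", "www.sqrrl.com", "NOERROR") for i in range(100)]
    + [(T0 + 3_600, "10.0.0.7", "wwww.sqrrl.com", "NXDOMAIN"),
       (T0 + 18_000, "10.0.0.7", "intranet.corp", "NXDOMAIN"),
       (T0 + 28_800, "10.0.0.7", "sqrl.com", "NXDOMAIN")]
    # a host that only ever failed once
    + [(T0 + 7_200, "10.0.0.8", "printer.local", "NXDOMAIN")]
)

if __name__ == "__main__":
    feats = dga_sessions(RECORDS)
    for score, client in combined_rank(feats):
        f = feats[client]
        print(f"{score:3d} {client} nx={f['unique_nxdomain']} H={f['avg_entropy']:.2f} "
              f"dur={f['duration_s']}s hours={sorted(f['hour_hist'])}")
```

The infected host ranks first on both unique NXDOMAIN count and entropy, so it tops the combined rank by a wide margin; the two ordinary hosts tie well below it. On real traffic the separation is what the combined-rank plot above shows, and the hour-of-day histogram is the analyst's second look: a DGA session fails at 03:00 as readily as at 15:00.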
Example Tunneling and DGA Detection
• DNS Tunnel
• DGA
• Graph Investigation
User & Entity Behavior Analytics: The Heart of Next-Generation Threat Hunting (ebook: info.sqrrl.com/download-ueba-ebook)
What's included:
• What you need to know about advanced behavioral analytics
• How it can automate and revolutionize threat hunting
• How to use it for streamlined threat detection practices
Questions

 

Kürzlich hochgeladen (20)

tonesoftg
tonesoftgtonesoftg
tonesoftg
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 

Leveraging DNS to Surface Attacker Activity

  • 1. Leveraging DNS to Surface Attacker Activity
    March 2017 • Josh Liburdi & Chris McCubbin
  • 2. Presenters
    Chris McCubbin, Sqrrl Director of Data Science
    Josh Liburdi, Sqrrl Security Technologist
  • 3. Agenda
    • Leveraging DNS data for investigations
    • DNS-based data science techniques
    • An example of Tunneling and DGA detection
  • 5. What is DNS?
    1. Client needs to connect to: https://www.sqrrl.com
    2. Client's DNS server doesn't know where sqrrl.com is hosted, forwards query to upstream server
    3. Upstream DNS server knows sqrrl.com resolves to 104.196.225.76, returns response
    4. Client's DNS server caches response, sends response to client
    5. Client connects to https://www.sqrrl.com
    [Diagram: client, DNS Server, upstream DNS Server and https://sqrrl.com, with steps 1–5 annotated]
  • 6. How do attackers use DNS?
    • Attackers target DNS
      – DNS spoofing
      – DNS reflection
    • Attackers utilize DNS
      – Tunneling
      – Domain Generation Algorithms (DGA)
      – Dynamic DNS
  • 7. Why is DNS data useful?
    Threat Detection: opportunity for attacker to leave traceable footprints in your network
    Incident Investigations: keep track of attacker access in your network
  • 8. DNS Tunneling Overview
    • Data encoded inside of DNS queries is sent to an attacker-controlled server
    • Used for command and control, data exfiltration
    • Bypasses common security controls (firewalls, web proxies)
    [Diagram: DNS Tunnel Client in the Local Network → Local DNS Resolver → Intermediate DNS Resolver → DNS Tunnel Server for *.tunnel.com in the Remote Network]
  • 9. DNS Tunneling Overview
    Many queries required to transfer moderate amounts of data: a 1MB transfer would take ~5k domains
    Tunnels produce patterns:
      paeqcigq.tunnel.com
      pafich3i.tunnel.com
      gxqwl0eaytioruga5.tunnel.com
    Queried DNS domains tend to be unique: assuming no repeats in data, each domain will contain unique labels
  • 10. DGA Overview
    Method of establishing a connection with a command and control server
    Used to protect / hide infrastructure and evade detection
    Avoids DNS domain blacklisting
    Malware generates DNS domains based on an algorithm and a seed
    Seed may be hardcoded or determined dynamically (e.g., current datetime)
    Example (en.wikipedia.org/wiki/Domain_generation_algorithm#Example):
      def generate_domain(year, month, day):
          # The date is the seed: each round mixes the three values with
          # shifts and XORs, then maps the result to one letter (16 rounds,
          # 16 letters).
          domain = ""
          for i in range(16):
              year = ((year ^ 8 * year) >> 11) ^ ((year & 0xFFFFFFF0) << 17)
              month = ((month ^ 4 * month) >> 25) ^ 16 * (month & 0xFFFFFFF8)
              day = ((day ^ (day << 13)) >> 19) ^ ((day & 0xFFFFFFFE) << 12)
              domain += chr(((year ^ month ^ day) % 25) + 97)  # 'a'..'y'
          return domain
  • 11. DGA Overview
    Source: https://johannesbader.ch/2014/12/the-dga-of-newgoz/
    DGAs produce patterns
    Visually appear “off”: a human would interpret the domain as strange (pmwtrdsv.ru) or nonsensical (turnipboxsea.com)
    Malware may attempt to resolve many unregistered domains:
      ci4u0c10b77f5opvn211n5poa3.com
      wiqyhl13dkep615aec27ue2t2t.net
      kguv3bd2hi317d9l8vdy4i6m.org
      xah67i2ayufesns8mh12h1kab.net
      7m4oq6jngoka7zxtoq1taebe1.com
  • 12. DGA Overview
    Malware      Seed                                 # Domains in wild
    Alureon      Thread ID + milliseconds since boot  5/day
    Padcrypt     Date                                 24/day or 72/day
    ProsLikeFan  Date, hardcoded                      100/day
    Qadars       Date                                 200/day
    Qakbot       Date                                 5000/day
    Sisron       Date                                 4/day
    Source: https://johannesbader.ch/
  • 16. DNS Tunnel Detection
    DNS Data → Filter → DNS Data → Collation → IP + Destination → Domain Sessions (one per triple)
    [Plot: Number of DNS requests vs. Time, 1 hour buckets]
  • 17. DNS Tunnel Classification
    IP + Destination → Domain Sessions → Features
    Features:
    • Number of queries
    • Number of subdomains
    • Average subdomain length
    • Average information content of subdomains
  • 18. DNS Tunnel Classification
    Features → Classifier → Risk Outliers
    • Number of queries
    • Number of subdomains
    • Average subdomain length
    • Average information content of subdomains
  • 19. DNS Tunnel Validation
    DNS Data → Filter → DNS Data → Collation → IP + Destination → Domain Sessions
      paeqcigq.tunnel.com
      pafich3i.tunnel.com
      gxqwl0eaytioruga5.tunnel.com
  • 20. Lessons Learned from testing on Sqrrl DNS data
    • There are several potential sources of false positives:
      – CDNs
      – Anti-virus software
      – Internal DNS traffic
      – Popular services (Spotify, Slack, …)
    • Many of these organize content under long, random-looking subdomain names
    • Whitelisting can remove some of these false positives
    • A hard cut requiring > K unique subdomains per user per hour helps significantly
  • 21. Sqrrl traffic data feature plots
    [Plot: Average Length vs. Number of Subdomains; labelled clusters: Phishing; YouTube, Amazon AWS, CDNs, anti-virus, anti-spam; sqrrl-lab.net; slack-msgs.com]
  • 22. Sqrrl traffic data feature plots
    [Two plots: Unique Queries vs. Number of Subdomains; labelled points: eclampsialemontree.net, slack, sqrrl-lab, anti-virus, Ad servers]
  • 23. eclampsialemontree.net
    • Queries to 284 unique subdomains with names like:
      – ykzcpj1j4ovv3nc1mcgg27ji7uzf4o, yhgir5h3ts3rppd3j3bph1se4rjqtj,
      – Pkbenvnzwo2jl2onldka17rv5uu2kd,
      – Kinkascic,
      – Kinkascie,
      – Kinkascig
    • Most queried just once, a few 2-4 times
    • Length always a multiple of 3, almost always 30 or 9 characters
    • Appears to be a malware site that attempts to inject invisible frames into ads
  • 25. DNS DGA Detection
    DNS Data → Filter → DNS Data → Collation → IP → Domain Sessions
    [Plot: Requests sent vs. Time, one DNS Session]
  • 26. DNS DGA Classification
    IP → Domain Sessions → Features
    • Session duration
    • Number of unique NxDomains
    • Average information content of subdomains
    [Histogram for day of the week; Histogram for hour of the day]
  • 27. DNS DGA Classification
    Features → Classifier → Risk Outliers
    • Session duration
    • Number of unique NxDomains
    • Average information content of subdomains
    [Histogram for day of the week; Histogram for hour of the day]
  • 28. DNS DGA Validation
    DNS Data → Filter → DNS Data → Collation → IP → Domain Sessions
      ci4u0c10b77f5opvn211n5poa3.com
      wiqyhl13dkep615aec27ue2t2t.net
      mkguv3bd2hi317d9l8vdy4i6m.org
      1xah67i2ayufesns8mh12h1kab.net
      17m4oq6jngoka7zxtoq1taebe1.com
  • 29. Combined DGA Risk Score
    [Plot: Combined Rank vs. Index, “Combined Rank Separation”; legend: Normal, DGA]
  • 32. DGA
  • 34. info.sqrrl.com/download-ueba-ebook
    User & Entity Behavior Analytics: The Heart of Next-Generation Threat Hunting
    What's included in this
    • What you need to know about advanced behavioral analytics
    • How it can automate and revolutionize threat hunting
    • How to use it for streamlined threat detection practices

Editor's Notes

  1. Phonebook for the Internet: use a DNS domain name to look up an IP address. You can’t stop DNS. Protocol details: runs on UDP (stateless); queries recursively propagate until an answer is determined; the server provides a time-to-live (TTL), which determines how long the answer should be cached.
  2. Potentially mention Threat Intelligence: monitor attacker infrastructure from afar.
  3. Number of queries: should be large for tunnels. Number of subdomains: should be large and equal to or approaching the number of queries. Average subdomain length: should be large for tunnels. Average information content of subdomains: should be higher for tunnels.
  4. Classify outlier-ness using a multivariate Bayesian classifier. Assigns a ranking score for each detection candidate triple (source, destination, time). For each classifier feature (number of queries, subdomains, avg. length and info), determine the probability of that feature value among all observed traffic. Greater outliers are given higher ranks. The final risk score depends on the rank, the expected rate of attacks, and the time span of the analyzed data.
  5. To test the detector, we use the Sqrrl DNS data. We “inject” tunnels, or add them to the logs of regular traffic. We can vary subdomain lengths; have tried ~10 to the max character length. Typically include ~500 - 10,000 queries in a tunnel injection. The system finds all the injected tunnels. In the Sqrrl data, we typically have two false positives due to sophosxl AV software on two separate computers, BUT these look very similar to tunneling activity.
  6. Detection based on classifying sessions (source IP, time interval). Destination is a primary domain. Can eliminate all legitimate primary domains before sessionization. For each session, compute a feature vector. Make an assumption that most DGA requests do not exist in DNS (NxDomain).
  7. Detection based on classifying triples (source IP, destination, time interval). Destination is a “registered domain”, usually a TLD plus the next level: google.com, guardian.co.uk, mysite.cloudfront.net. Use records of DNS requests for subdomains under each registered domain, e.g. “maps”, “docs”, “mail”, “mymap.maps” might be subdomains of “google.com”. For each triple, compute a feature vector to quantify properties of the subdomains under that registered domain. We can ignore queries for registered domains with no subdomain: no subdomain means there can’t be any encoded message. Can reasonably whitelist domains of major sites.
  8. Session Duration. Number of unique NxDomains: should be large. Time of Day and Day of Week: DGAs are not constrained to normal work hours. Average information content of subdomains: should be higher for DGA.
  9. Multi-classifier approach: one classifier for each of three focus areas; combine the results of the classifiers into a final risk score. Domain Classifier: how unusual is the given domain name in comparison to other domains seen in normal traffic? Record Classifier: how unusual is the given DNS record? Session Classifier: how unusual is the given DGA session?
  10. Bro logs of 90 days of Sqrrl DNS traffic. Inject data with real DGA records: domains generated from real DGA reverse engineered code; model real DGA timing.
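The tunnel feature pipeline of slides 16–20 and notes 3 and 7 (collate queries by source IP, registered domain and 1-hour bucket; compute the four features; whitelist known services; hard cut of > K unique subdomains), as an added Python example that is not part of the deck or of Sqrrl's code. It assumes a constructed "epoch src qname" log format rather than Bro's dns.log layout, a two-entry stand-in for a public suffix list, K = 50, and Shannon entropy as the information-content measure; tunnel.example and its hex labels are constructed stand-ins for the *.tunnel.com queries on slide 9.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumption: a two-entry stand-in for a public suffix list, enough to treat
# guardian.co.uk and mysite.cloudfront.net as registered domains (note 7).
MULTI_LABEL_SUFFIXES = {"co.uk", "cloudfront.net"}


def split_domain(qname):
    """Return (subdomain, registered domain); subdomain is '' when absent."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[:-n]), ".".join(labels[-n:])


def information_content(label):
    """Shannon entropy (bits per character) of one subdomain string."""
    total = len(label)
    return -sum(c / total * math.log2(c / total) for c in Counter(label).values())


def tunnel_features(log_lines, whitelist=frozenset(), min_unique_subdomains=50):
    """Collate queries into (source IP, registered domain, 1-hour bucket) triples
    and compute the slide-17 features for each triple that survives the filters."""
    triples = defaultdict(list)
    for line in log_lines:
        ts, src, qname = line.split()          # constructed format, not Bro dns.log
        sub, reg = split_domain(qname)
        if not sub or reg in whitelist:        # note 7: no subdomain, nothing encoded
            continue
        triples[(src, reg, int(ts) // 3600)].append(sub)
    features = {}
    for key, subs in triples.items():
        unique = set(subs)
        if len(unique) <= min_unique_subdomains:   # slide 20 hard cut: > K unique
            continue
        features[key] = {
            "queries": len(subs),
            "subdomains": len(unique),
            "avg_length": sum(map(len, unique)) / len(unique),
            "avg_info": sum(map(information_content, unique)) / len(unique),
        }
    return features


def constructed_log():
    """Constructed sample lines 'epoch src qname' (not real traffic), all inside
    one hour bucket starting at 2017-03-20 08:00:00 UTC."""
    base = 1489996800
    lines = [f"{base} 10.0.0.5 www.sqrrl.com",
             f"{base + 1} 10.0.0.5 maps.google.com",
             f"{base + 2} 10.0.0.5 mail.google.com"]
    for i in range(80):   # tunnel-like: one unique encoded label per chunk
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:12]
        lines.append(f"{base + 10 + i} 10.0.0.7 {label}.tunnel.example")
    for i in range(70):   # a service the deck names as a false-positive source
        lines.append(f"{base + 100 + i} 10.0.0.5 files-{i}.slack-msgs.com")
    return lines


if __name__ == "__main__":
    for key, feats in tunnel_features(constructed_log(), {"slack-msgs.com"}).items():
        print(key, feats)
```

Without the whitelist the slack-msgs.com triple also passes the hard cut, which is the slide 20/21 false positive the whitelist is there to remove.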