Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic
The Leader in Cloud Security
RESEARCH REPORT

ABSTRACT

Zscaler is a cloud-computing, Security-as-a-Service (SaaS) vendor with Internet gateways distributed around the globe. Zscaler provides policy- and security-based blocking and logging with a focus on HTTP(S) transactions for enterprise web traffic. In processing millions of global web transactions daily, Zscaler is in a unique position to conduct data mining to uncover emerging web-based threats. During the course of compiling and analyzing statistics for the fourth quarter of 2009, an interesting and widespread compromise was discovered. Zscaler's NanoLog technology, providing immediate access to billions of web log transactions, made this possible. The following report describes Zscaler's NanoLog technology and how it was used to find the threat.
Contents

Approach ... 3
NanoLog Technology ... 3
Detection Methodology ... 3
Detection Results ... 4
Incident Analysis ... 4
Additional Information ... 8
Conclusion ... 9

Copyright Zscaler
Approach

Zscaler regularly mines global log data in an effort to uncover previously unidentified threats. Global log data provides a unique view of end-user traffic, and statistical analysis can be leveraged to highlight anomalous traffic requiring further investigation. Using domain ratio analysis, Zscaler was able to uncover previously unknown traffic for a botnet operating in the .nu TLD.

NanoLog Technology

Given the volume of web transactions traversing Zscaler's global cloud every second, efficient storage and retrieval of log data is essential. To handle this challenge, Zscaler designed and developed a binary data format that is highly scalable from a storage standpoint and exponentially more efficient than a traditional relational database. Data is written and retrieved using temporal information to limit disk I/O, specifically the number of times that the hard drive has to pick up and move its head. The NanoLogs are highly optimized to prevent duplicate writes of variable-sized information, such as URL strings.

Detection Methodology

One of the broad statistics monitored by Zscaler is top-level domain (TLD) usage. Within this data, ratios are investigated by identifying the number of transactions per unique domain per TLD. A low ratio means that the transactions were broadly distributed across the many domains visited; a ratio of 1:1, for example, would mean approximately one web transaction per unique domain visited. A high ratio indicates that there were many more transactions than unique domains visited, suggesting that one or more popular domains dominated the usage of that particular TLD. Popular domains like Google, Facebook, Amazon, Yahoo, Microsoft, MySpace, Twitter, etc., increase the ratio within well-utilized generic TLDs (gTLDs) such as .com, as a few popular domains account for a large share of the transactions for that TLD.
At the same time, there are many domains within these gTLDs, which acts to lower the ratio slightly, though it still remains high overall. For example, October to December 2009 had .com ratios of 726:1, 702:1, and 799:1 respectively. It is interesting to further analyze domain results for less popular TLDs, and specifically those that had a higher ratio than the gTLDs, both from a statistical and from a security perspective. Criminals frequently register domains under TLDs that are less in demand because they are cheaper, and in some cases the particular domain registry (maintainer of the TLD) and/or registrar (maintainer of the domain record) has poor abuse-handling procedures. Additionally, the registry and/or registrar may either be complicit in the illegal activity or be in a jurisdiction/country whose legal system protects the domain from being de-registered or its registration information from being shared with law enforcement. TLDs with a high ratio of transactions per unique domain have one or more domains with a large number of transactions. It can be valuable to sift through the records to explain the high-ratio TLDs. They may represent malicious command and control (C&C) traffic, or perhaps an information drop server receiving a large number of transactions from hosts beaconing to it. Such a ratio could also represent benign traffic, as would be the case with a popular social networking site in a particular country.
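The ratio computation and the drill-down described above, written out as an added example (this is not code from the Zscaler report or from NanoLog). The proxy log format, the example.* hostnames and the small sample log are constructed; cvnxus.mine.nu is the indicator the report goes on to name. Beyond the ratio itself, the example lists the ports each dominant host was contacted on and the gaps between a client's requests, so that HTTP on 53/TCP and fixed-interval beaconing stand out.

```python
"""Domain ratio analysis over web-proxy logs.
ratio(TLD) = transactions to the TLD / unique hostnames under it.  A ratio far
above a busy gTLD's (.com in the report) means a few hosts carry most of that
TLD's traffic; those hosts are listed with the ports used and per-client request
gaps, so fixed-interval HTTP beaconing to 53/TCP stands out."""
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log: "<time> <client> <method> <url> <status>".
# example.* hostnames are placeholders; cvnxus.mine.nu is the indicator named
# in the report. "-" marks a request that received no response.
SAMPLE_LOG = """\
2009-12-01T10:00:00Z 10.1.1.10 GET http://www.example.com/ 200
2009-12-01T10:00:02Z 10.1.1.10 GET http://www.example.com/news 200
2009-12-01T10:00:05Z 10.1.1.11 GET http://shop.example.com/cart 200
2009-12-01T10:00:07Z 10.1.1.12 GET http://mail.example.com/inbox 200
2009-12-01T10:00:09Z 10.1.1.12 GET http://cdn.example.com/app.js 200
2009-12-01T10:00:11Z 10.1.1.13 GET http://bit.ly/abc123 301
2009-12-01T10:00:12Z 10.1.1.14 GET http://bit.ly/def456 301
2009-12-01T10:00:14Z 10.1.1.15 GET http://bit.ly/ghi789 301
2009-12-01T10:00:15Z 10.1.1.15 GET http://www.example.ly/ 200
2009-12-01T10:00:00Z 10.1.1.20 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:02:00Z 10.1.1.20 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:04:00Z 10.1.1.20 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:06:00Z 10.1.1.20 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:01:00Z 10.1.1.21 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:03:00Z 10.1.1.21 GET http://cvnxus.mine.nu:53/ -
2009-12-01T10:00:30Z 10.1.1.22 GET http://www.example.nu/ 200
"""


def parse_line(line):
    """One log line -> record dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    u = urlsplit(parts[3])
    if not u.hostname or "." not in u.hostname:
        return None
    return {"time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
            "client": parts[1],
            "host": u.hostname,  # lower-cased, port stripped
            "port": u.port or (443 if u.scheme == "https" else 80),
            "tld": u.hostname.rsplit(".", 1)[1]}


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def tld_ratios(records):
    """Return {tld: (transactions, unique_hosts, ratio)}."""
    tx = Counter()
    hosts = defaultdict(set)
    for r in records:
        tx[r["tld"]] += 1
        hosts[r["tld"]].add(r["host"])
    return {t: (tx[t], len(hosts[t]), tx[t] / len(hosts[t])) for t in tx}


def high_ratio_tlds(records, reference="com"):
    """TLDs whose ratio exceeds the reference gTLD's, highest ratio first."""
    ratios = tld_ratios(records)
    baseline = ratios.get(reference, (0, 0, 0.0))[2]
    flagged = [t for t, v in ratios.items() if t != reference and v[2] > baseline]
    return sorted(flagged, key=lambda t: ratios[t][2], reverse=True)


def dominant_hosts(records, tld, top=3):
    """Busiest hosts in a TLD as (host, count, share_of_tld, sorted_ports)."""
    in_tld = [r for r in records if r["tld"] == tld]
    counts = Counter(r["host"] for r in in_tld)
    ports = defaultdict(set)
    for r in in_tld:
        ports[r["host"]].add(r["port"])
    return [(h, c, c / len(in_tld), sorted(ports[h]))
            for h, c in counts.most_common(top)]


def beacon_intervals(records, host):
    """Per client, gaps in seconds between successive requests to `host`."""
    times = defaultdict(list)
    for r in records:
        if r["host"] == host:
            times[r["client"]].append(r["time"])
    return {c: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for c, ts in ((c, sorted(v)) for c, v in times.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for tld, (tx, uniq, ratio) in sorted(tld_ratios(recs).items()):
        print(f".{tld:<3} {tx:>2} tx / {uniq} hosts = {ratio:.2f}:1")
    for tld in high_ratio_tlds(recs):
        host, n, share, ports = dominant_hosts(recs, tld, top=1)[0]
        print(f".{tld} dominated by {host} ({share:.0%}, ports {ports}); "
              f"request gaps: {beacon_intervals(recs, host)}")
```

On the sample, .nu and .ly both exceed the .com baseline, and the .nu drill-down shows a single host contacted only on port 53 at a constant 120-second gap per client.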
Detection Results

One example of a benign domain within a TLD that bubbled to the top was .ly. This TLD had ratios of 2140:1, 1792:1, and 1699:1 from October to December 2009. These ratios were more than double the ratios that .com had during these months. The high ratio is explained by this TLD being relatively unpopular in terms of unique domains, but having a large number of transactions to one popular domain: BIT.LY, a URL shortening service.

The .NU TLD had even higher ratios: 5063:1, 8083:1, and 2824:1 from October to December 2009. The .NU TLD is assigned to the island state of Niue in the South Pacific Ocean. Wikipedia states that the TLD is particularly popular in Sweden, Denmark, the Netherlands and Belgium, as "nu" is the word for "now" in Swedish, Danish, and Dutch. While the TLD may be popular in these countries, our ratio shows that one or more domains are dominating the transactions for this TLD. Running a query in Zscaler's NanoLogs for .nu domains to obtain the count of transactions per domain revealed a large percentage of the transactions going to the domain cvnxus.mine.nu. The URLs to the domain appear as:

hxxp://cvnxus.mine.nu:53/

Incident Analysis

Eighteen hosts were identified as beaconing to the cvnxus.mine.nu domain on port 53/TCP using HTTP. In some cases the beaconing was as frequent as once every 2 minutes. The beaconing activity and the port used were suspicious, as 53/TCP is generally used for DNS traffic. The traffic is present in Zscaler's NanoLogs from late 2009 to January 2010. Analysis of the traffic indicates that the transaction is a "connection finished" transaction. Further analysis indicates that these transactions were TCP Acknowledgement (ACK) packets being sent to the cvnxus.mine.nu server without a response coming back from cvnxus.mine.nu. Upon detection of this incident, cvnxus.mine.nu was added to the Zscaler block-list.
The mine.nu domain is a DynDNS domain; dynamic DNS is a service used for rapidly updating fully qualified domain names (FQDNs), that is, hostname plus domain name, for hosts that have dynamic IP addresses. Doing a dig on the FQDN yields the IP address that it currently resolves to:

cvnxus.mine.nu. 60 IN A

(The 60 is the time-to-live, the number of seconds the DNS record may live in a DNS server's cache, indicating that this record can be updated every 60 seconds by the DynDNS server.) The IP belongs to a very small Chinese netblock described as QingdaoWantuoWangluoJishuYouxianGongsi.
Figure 1: whois

Google results for the rather unique string QingdaoWantuoWangluoJishuYouxianGongsi show a French blog detailing an interesting incident involving this netblock as recently as December 23, 2009. The blogged incident involves an alleged 0-day PDF exploit using the Missile Defense Agency name to spread malware. Attempting to connect to the server failed. Issuing a wget command to the server, the response was: Connection refused. Attempts to connect on ports 80 or 443 likewise failed. An Nmap port scan revealed little useful information; it is possible that the server is handling the TCP ACK traffic but not responding back to the host sending the packets.
Figure 2: Nmap scan results

The NanoLog records indicate that the transactions had a user agent of Internet Explorer (Unknown Version), and issued an HTTP 1.0 GET request of 210 bytes. Leveraging data partners, Zscaler researchers were able to identify the following malicious artifacts and the ports used to host them in 2009, listed here by hosting port and VirusTotal detection result:

Port      VirusTotal
53/TCP    34/41, Backdoor/Win32.PcClient
443/TCP   6/41, Trojan.CryptRedol
53/TCP    21/41, Trojan.CryptRedol
443/TCP   19/41, Backdoor.Win32.PoisonIvy
443/TCP   14/41, Backdoor.Win32.PoisonIvy
443/TCP   32/41, Trojan-Dropper.Win32.Agent.bhxt
443/TCP   31/41, Trojan-Dropper.Win32.Agent.bhxt

Upon further analysis of the infected hosts, it was determined that the customers were infected with a variant of the Backdoor/PcClient malware family. The specific variant impacting these customers was undetected by antivirus vendors. Upon execution, the malware loads three components onto the system:

- Backdoor component, e.g., <system folder>\yelgcgmh.d1l
- Keylogger component, e.g., <system folder>\yelgcgmh.dll
- Rootkit / driver component, e.g., <system folder>\drivers\yelgcgmh.sys

(Note: the precise filenames may vary, and the rootkit piece may hide these files from view on the system.)

The backdoor then beacons to a remote website using a specific port, in this case port 53 on the C&C IP. It can then receive and execute commands from a remote attacker. The keylogger logs keystrokes and saves its gathered data
to a log file usually located in the Windows system folder, for example <system folder>\log.txt. The rootkit may be added as a service and is capable of hiding processes, files, registry entries, and network traffic.

Below are listed some of the FQDNs that have resolved to the command and control IP (many/all of these domains have been identified in malware incidents). Current resolution for these domains is largely the same, with one domain no longer resolving. None of the domains are listed in the SURBL.org blacklist.

Domain              SURBL Blacklisted
amos.2288.org       NO
cvnxus.mine.nu      NO
fuckdd.8800.org     NO
ngcc.8800.org       NO
nodns2.qipian.org   NO
packer.8800.org     NO
tcw8.com            NO
voov.2288.org       NO
ewms.6600.org       NO
cvnxus.ath.cx       Does not resolve

The C&C IP belongs to a /14 netblock, part of the AS4837 autonomous system for the China Network Communications Group (Shandong Province). Note that one of the above domains, tcw8.com, was not handled through a DynDNS domain. The domain registration information for that domain is as follows:
Additional Information

Leveraging a data-sharing partner, historical records of netflow traffic were pulled for the IP in question. Numerous records confirmed a large number of hosts on the Internet beaconing back to this IP over 53/TCP. Netflow data also revealed traffic from the C&C IP being forwarded to a second IP. Below are some of the domains that have been identified to resolve to this second IP:

Domain              SURBL Blacklisted
a27278a.8800.org    NO
cyhk.3322.org       NO
tgyeqp.3322.org     NO

(Note: the above are all DynDNS domains.) This second IP belongs to a /24 netblock, part of the AS38356 autonomous system for TimeNet Beijing Sincerity-times Network Technology Project Ltd. The Google Safe Browsing report for AS38356 reports at this time that over the past 90 days:
- 1467 sites on this network served content that resulted in malicious software being downloaded and installed without user consent
- 36 sites on this network functioned as intermediaries for the infection of 141 other sites
- 79 sites on this network infected 2884 other sites

The best-guess assumption with the information at hand is that the beaconing is an "I'm alive and infected" notification sent to the C&C IP, which then periodically notifies the next-tier command and control (C&C) to provide a list of hosts that can be contacted through the installed backdoors and issued commands.

Conclusion

The analysis detailed in this report demonstrates a successful methodology utilizing Zscaler's logging capabilities to detect previously undetected infected hosts. Domain ratio analysis can be leveraged to quickly identify instances where there is a disproportionate number of transactions per site, indicating a popular site or, in this case, recurring transactions to a command and control host. It is not enough to simply have good content inspection and URL filtering technology in place, as the malware had poor anti-virus detection and the URLs did not exist in data feeds / block lists. Organizations and vendor partners must have adequate logging and conduct regular analysis of these logs. Zscaler is in a unique position to conduct threat analysis across customer organizations worldwide and provide detailed threat analysis with the necessary protections. Once the incident was detected, Zscaler was able to quickly identify all of the infected hosts as well as push a rule into the cloud to immediately block any communication to the C&C hosts. This analysis was then shared with the impacted customers, and further analysis was conducted to isolate the related malware artifacts. The anti-virus vendors running on these customer hosts did not have detection signatures available for the particular malware variant.
The malware sample was shared, and the needed anti-virus signatures were written and pushed into production. Subsequent sharing of this analysis with other data partners revealed others with previously undetected infected hosts beaconing to the command and control. Zscaler's customer and partner relationships allowed for thorough and professional incident response for its impacted customers as well as broader notification to others impacted by this threat. This further demonstrates the benefits of good logging and analysis, and how Zscaler's NanoLog technology can be leveraged to detect new, previously undetected malware incidents.
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationMonitoring commercial cloud service providers
Monitoring commercial cloud service providers July Author: Lassi Kojo Supervisor: Stefan Lüders CERN openlab Summer Student Report Abstract There is a growing tendency by individuals to sign-up for public
More informationADVANCED SECURITY How Zscaler Tackles Emerging Web Threats with High Speed, Real- Time Content Inspection in the Cloud
WHITE PAPER ADVANCED SECURITY How Zscaler Tackles Emerging Web Threats with High Speed, Real- Time Content Inspection in the Cloud A Zscaler ThreatLabZ Report ADVANCED SECURITY ABSTRACT Leveraging a purpose
More informationThreat Intelligence. How to Implement Software-Defined Protection. Nir Naaman, CISSP Senior Security Architect
How to Implement Software-Defined Protection Nir Naaman, CISSP Senior Security Architect Threat Intelligence 1 The Spanish flu, 1918 killing at least 50-100 million people worldwide. 2 The H1N1 Pandemic,
More informationWildFire Overview. WildFire Administrator s Guide 1. Copyright 2007-2015 Palo Alto Networks
WildFire Overview WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. WildFire extends the capabilities
More informationProtecting Your POS System from PoSeidon and Other Malware Attacks
Protecting Your POS System from PoSeidon and Other Malware Attacks A Multi-tier, Defense in Depth Strategy for Securing Point of Sale Systems from Remote Access Attacks Retailers are being threatened by
More informationWHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware
WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware How a DNS Firewall Helps in the Battle against Advanced As more and more information becomes available
More informationEITC Lessons Learned: Building Our Internal Security Intelligence Capability
EITC Lessons Learned: Building Our Internal Security Intelligence Capability SESSION ID: SEC-W08 Tamer El Refaey Senior Director, Security Monitoring and Operations Emirates Integrated Telecommunications
More informationConcierge SIEM Reporting Overview
Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts
More informationMingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway
Mingyu Web Application Firewall (DAS- WAF) - - - All transparent deployment for Web application gateway All transparent deployment Full HTTPS site defense Prevention of OWASP top 10 Website Acceleration
More informationProtecting the Infrastructure: Symantec Web Gateway
Protecting the Infrastructure: Symantec Web Gateway 1 Why Symantec for Web Security? Flexibility and Choice Best in class hosted service, appliance, and virtual appliance (upcoming) deployment options
More informationHow Attackers are Targeting Your Mobile Devices. Wade Williamson
How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best
More information2010 Carnegie Mellon University. Malware and Malicious Traffic
Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working
More informationBotnets: The Advanced Malware Threat in Kenya's Cyberspace
Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)
More informationCyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies
Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some
More informationSECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION
SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION How ThreatBLADES add real-time threat scanning and alerting to the Analytics Platform INTRODUCTION: analytics solutions have become an essential weapon
More informationPCI Security Scan Procedures. Version 1.0 December 2004
PCI Security Scan Procedures Version 1.0 December 2004 Disclaimer The Payment Card Industry (PCI) is to be used as a guideline for all entities that store, process, or transmit Visa cardholder data conducting
More informationWEB ATTACKS AND COUNTERMEASURES
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
More informationLASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
More informationCopyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com
Manual Copyright 2013, 3CX Ltd. http://www.3cx.com E-mail: info@3cx.com Information in this document is subject to change without notice. Companies names and data used in examples herein are fictitious
More informationITSC Training Courses Student IT Competence Programme SIIS1 Information Security
ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know
More informationContent-ID. Content-ID URLS THREATS DATA
Content-ID DATA CC # SSN Files THREATS Vulnerability Exploits Viruses Spyware Content-ID URLS Web Filtering Content-ID combines a real-time threat prevention engine with a comprehensive URL database and
More informationDefend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall
Defeat Malware and Botnet Infections with a DNS Firewall By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select
More informationControlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway
Controlling Risk, Conserving Bandwidth, and Monitoring Productivity with Websense Web Security and Websense Content Gateway Websense Support Webinar January 2010 web security data security email security
More informationUncover security risks on your enterprise network
Uncover security risks on your enterprise network Sign up for Check Point s on-site Security Checkup. About this presentation: The key message of this presentation is that organizations should sign up
More informationCascadia Labs URL Filtering and Web Security
Presented by COMPARATIVE REVIEW Cascadia Labs URL Filtering and Web Security Results from Q4 2008 Executive Summary Companies rely on URL filtering and Web security products to protect their employees,
More informationSecurity Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis?
Security Threat Kill Chain What log data would you need to identify an APT and perform forensic analysis? This paper presents a scenario in which an attacker attempts to hack into the internal network
More informationINCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN. Albin Penič Technical Team Leader Eastern Europe
INCREASINGLY, ORGANIZATIONS ARE ASKING WHAT CAN T GO TO THE CLOUD, RATHER THAN WHAT CAN Albin Penič Technical Team Leader Eastern Europe Trend Micro 27 years focused on security software Headquartered
More informationez Agent Administrator s Guide
ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,
More information