Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis

Similar documents
Analysis of Network Beaconing Activity for Incident Response

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Actionable information for security incident response

Network Security Deployment (NSD)

APPLICATION PROGRAMMING INTERFACE

DYNAMIC DNS: DATA EXFILTRATION

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

24/7 Visibility into Advanced Malware on Networks and Endpoints

Federated Threat Data Sharing with the Collective Intelligence Framework (CIF)

EVILSEED: A Guided Approach to Finding Malicious Web Pages

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

Beyond Check The Box

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

Security Incident Management Essentials Compiled as a service to the community by Internet2, EDUCAUSE, and REN-ISAC

All about Threat Central

Missing the Obvious: Network Security Monitoring for ICS

Threat Advisory: Accellion File Transfer Appliance Vulnerability

EITC Lessons Learned: Building Our Internal Security Intelligence Capability

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Concierge SIEM Reporting Overview

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

ISP Best Practices. Addressing a DDoS Attack on a Host. Hervey Allen Network Startup Resource Center

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

On-Premises DDoS Mitigation for the Enterprise

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

REVOLUTIONIZING ADVANCED THREAT PROTECTION

What s New in Security Analytics Be the Hunter.. Not the Hunted

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

SANS Top 20 Critical Controls for Effective Cyber Defense

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

WE KNOW IT BEFORE YOU DO: PREDICTING MALICIOUS DOMAINS Wei Xu, Kyle Sanders & Yanxin Zhang Palo Alto Networks, Inc., USA

Cyber Defense & Breach Response Privacy Issues

The Sumo Logic Solution: Security and Compliance

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Flow Visualization Using MS-Excel

The principle of Network Security Monitoring[NSM]

Practical Threat Intelligence. with Bromium LAVA

Preetham Mohan Pawar ( )

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

We Know It Before You Do: Predicting Malicious Domains

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Detecting Botnets with NetFlow

Bridging the gap between COTS tool alerting and raw data analysis

Know Your Foe. Threat Infrastructure Analysis Pitfalls

QRadar SIEM and FireEye MPS Integration

Adaptive Intelligent Firewall - der nächste Entwicklungssprung der NGFW. Jürgen Seitz Systems Engineering Manager

Phishing Activity Trends Report June, 2006

Application for Splunk Enterprise

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Cymon.io. Open Threat Intelligence. 29 October 2015 Copyright 2015 esentire, Inc. 1

US-CERT Year in Review. United States Computer Emergency Readiness Team

The SIEM Evaluator s Guide

Presented by: Aaron Bossert, Cray Inc. Network Security Analytics, HPC Platforms, Hadoop, and Graphs Oh, My

Audit Logging. Overall Goals

D. Grzetich 6/26/2013. The Problem We Face Today

Service Level Agreement

Penetration Testing Report Client: Business Solutions June 15 th 2015

SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

Splunk Enterprise Log Management Role Supporting the ISO Framework EXECUTIVE BRIEF

NERC CIP Ports & Services. Part 2: Complying With NERC CIP Documentation Requirements

Big Data Platform (BDP) and Cyber Situational Awareness Analytic Capabilities (CSAAC)

Taming the Wild West: Finding Evil with Cloud-Based Analytical Tools

CERT La Poste Group Infosec Observatory 40th TF-CSIRT meeting London

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Endpoint Threat Detection without the Pain

Request for Records Disposition Authority

Using Lancope StealthWatch for Information Security Monitoring

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Threat Intelligence is Dead. Long Live Threat Intelligence!

Breach Found. Did It Hurt?

DNS Response Policy Zones Roadmap to Accellerate Adoption

Combating a new generation of cybercriminal with in-depth security monitoring

McAfee Web Gateway 7.4.1

Logs and Tactical Defence. Allan Stojanovic David Auclair University of Toronto #include <disclaimer.h>

Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities

How Attackers are Targeting Your Mobile Devices. Wade Williamson

STARTER KIT. Infoblox DNS Firewall for FireEye

Lecture 15 - Web Security

Beyond 'Check The Box': Powering Intrusion Investigations Jim Aldridge 11 March 2014

Integrating MSS, SEP and NGFW to catch targeted APTs

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Breaking the Cyber Attack Lifecycle

CS 558 Internet Systems and Technologies

QRadar SIEM and Zscaler Nanolog Streaming Service

Critical Security Controls

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

National Cybersecurity Protection System (NCPS)

Transcription:

Indicator Expansion Techniques Tracking Cyber Threats via DNS and Netflow Analysis United States Computer Emergency Readiness Team (US-CERT) Detection and Analysis January 2011

Background As the number or compromises escalates and our visibility into the network grows it becomes imperative to create automated Operational solutions to feed your Computer Network Defense machine. Tracking cyber threats through the coupling of DNS data and netflow analysis allows for a much higher level of confidence in identification of malicious activity.

Tools of the Trade The model to be discussed is currently a working concept. The model leverages the following tools Linux Apache MySQL PHP PERL SiLK DNS Tracking DB Various passive DNS feeds

Approach An historical archive (repository) of domain/ip address pair with timestamps validated malicious suspicious Unknown Maintain a Master List of vetted malicious domains second level third level fourth and fifth level Run Master List of domains against internal repository Create hash of domain/ip pair

Approach Cont... Run Master List of domains against external passive DNS sources Create hash of domain/ip pair Compare lists between external and internal domain/ip pair Comparing the two paired lists is a safe and accurate methodology for quickly identifying new IP addresses and/or new domain/ip address pair Run all the identified IP addresses through external passive DNS sources The final outputs Compared list IP address list domain list domain/ip address/timestamp list

Approach Cont... Manual validation of all lists Watch for anomalies (dictionary) run away domain lists (vhosts) push new vetted findings of domains/ip addresses/timestamps to internal repository update master list with new domains

Push Domain/IP pair with timestamp to repository Update new domains to Master List 5 1 Seed Master List Query repository of domain/ip pairs Query external pdns feeds 2 IP address file Domain file Domain/IP/Timestamp file Manual Validation Compare paired data sets create list of new domain/ip sightings 4 Reverse lookup of all IP addresses Create list of domains from reverse 3

Indicators Expansion Command and Control Infrastructure *.cars.com (badguy Command and Control domain) *.bikes.org (badguy Command and Control domain) 192.168.2.33 (badguy Command and Control IP) 192.168.2.34 (badguy Command and Control IP) 10.0.2.105 (badguy Command and Control IP) 127.0.0.4 (Domain Parking)

Indicators Expansion cont wicked.55chevy.cars.com was identified in malware and resolved to 192.168.2.34 on August 6, 2011 Second level domain is registered by joebob@mercy.com Passive DNS research on *.cars.com wicked.55chevy.cars.com 192.168.2.34 2011-05-04 wicked.55chevy.cars.com 127.0.0.4 2011-05-25 60Dynamic88.cars.com 127.0.0.4 2011-06-07 62GrandPrix.cars.com 127.0.0.4 2011-07-08 wicked.55chevy.cars.com 192.168.2.34 2011-08-06 wicked.55chevy.cars.com 127.0.0.4 2011-08-07 68GTO.cars.com 127.0.0.4 2011-08-07 55mercury.cars.com 192.168.2.33 2011-08-07

Indicator Expansion cont Passive DNS research On August 25, 2011 scott.r2addict.bikes.org (new identified domain registered by bob@comfort.com resolves to IP address 127.0.0.4 scott.r2addict.bikes.org 127.0.0.4 2011-08-25 scott.r2addict.bikes.org 10.0.2.105 2011-09-01 scott.r2addict.bikes.org 127.0.0.4 2011-09-08 scott.r2addict.bikes.org 192.168.2.34 2011-09-09 wicked.55chevy.cars.com 192.168.2.34 2011-09-09 On September 9, 2011 both scott.r2addict.bikes.org and wicked.55chevy.cars.com resolve to 192.168.2.34 validating a link between the two domains From a single malware sample we now have identified 6 malicious domains, 3 Command and Control IP s and an unusual parking methodology

Applying Netflow Current All IP address sets are manually updated and maintained on a SAN using a custom written PERL script called set_manager.pl The script uses several rw SiLK options including but not limited to pmapfilter, rwsetbuild, rwsetintersect A daily cron executes a separate script called ipstore_manager.pl Traffic analysis is conducted typically within a 24 hr period of the creation of the store Domain research is conducted manually and depending on the date of resolution flow traffic analysis could be on activity that is dated

Applying Netflow Future To be Integrated in Operational workflow in near future All indicators will be managed in the Indicator DB (to replace Master List) and set_manager.pl DNS Tracking DB content will be accessible through Indicators DB interface Allows for easier domain and IP address set management Scripts can parse and properly bucket IP address sets according to their categorization allowing for more accurate traffic stores

Applying Netflow Future Cont Write a wrapper to identify malicious netflow traffic based on the timestamp of domain/ip address pair Spawned from Ed Stoner s work DNS and Flow presentation in 2010 Allows for more accurate and targeted netflow query in automation (reduces false positives)

Technical comments or questions US-CERT Security Operations Center Email: soc@us-cert.gov Phone: +1 888-282-0870 Media inquiries US-CERT Public Affairs Email: media@us-cert.gov Phone: +1 202-282-8010 General questions or suggestions US-CERT Information Request Email: info@us-cert.gov Phone: +1 703-235-5110 * Information available at http://www.us-cert.gov/contact.html

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information