Building a Local PassiveDNS Capability for Malware Incident Response

Presented at VB2016, Oct. 6, 2016, 9 a.m. (30 minutes)

Currently, many security operations capabilities struggle with obtaining useful passive DNS data post breach. Breaches are often detected months after the attack. Due to the ephemeral nature of malicious DNS domains, existing well-known passive DNS collections lack complete visibility to aid in conducting incident response and malware forensics.

We will present a new tool to collect local passive DNS data, which will enable security operations capabilities to conduct more effective defence against malware, including APTs, zero days, and targeted attacks. Our presentation will consist of a demo of the tool, and the tool will be released for public use. We will also outline how we architected this tool, and describe each function of the tool in detail.

Presenters:

• Steve Brant - Splunk
  Steve Brant Steve Brant is currently a security strategist on the Security Practice (SecPrax) team at Splunk, where he builds solutions to assist customers in more effectively utilizing Splunk for security use cases.  He has been a successful contributor to both SplunkProfessional Services and SecPrax for over three years. Prior to joining Splunk, Steve was a Splunk consultant for a large financial organization, as well as a senior consultant for a competing SIEM developer.  Previous to that, Steve worked for over 17 years as a generalist IT consultant, for various Fortune 500 companies and the occasional startup. @TrustedTech
• Kathy Wang - Splunk
  Kathy Wang Kathy Wang is an internationally recognized malware expert, who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT), as they target common platforms (e.g. browser, email, mobile phones). Prior to Splunk, Kathy has held past positions such as Director of Research and Development at ManTech International, and Principal Investigator of the Honeyclient Project at The MITRE Corporation, during which she pioneered a prototype that became the basis of current cutting-edge zero-day malware detection technologies. Kathy has spoken at many security conferences and panels internationally, including RSA, DEFCON, AusCERT, and REcon. She has co-authored a book, Beautiful Security, and holds a B.S. and M.S. in electrical engineering from The University of Michigan, Ann Arbor. @wangkathy

Links:

• https://www.virusbulletin.com/conference/vb2016/abstracts/building-local-passivedns-capability-malware-incident-response
• https://www.virusbulletin.com/virusbulletin/2017/05/vb2016-paper-building-local-passive-dns-capability-malware-incident-response/

Similar Presentations:

• DEF CON 18 (2010) / SIE Passive DNS and the ISC DNS Database
• Black Hat USA 2010 / SIE Passive DNS and the ISC DNS Database
• Wild West Hackin' Fest 2018 / Passive dns -- how to run a collector, how to use the data