Multivariate Solutions to Emerging Passive DNS Challenges

Presented at Black Hat Asia 2016

These days, most threat intelligence analysts know how to use passive DNS to pivot on initial indicators: given one bad domain, analysts will routinely use passive DNS to identify other domains using the same IP address or name servers, etc. Less discussed are the corner cases that make simple passive DNS methods hard to successfully employ. For example, if a domain's name servers are shared with 100,000 other domains (including many legitimate domains!), "guilt by association" based solely on name server commonality can become difficult. Fortunately, it is still possible to identify related bad domains by employing passive DNS along with various other attributes rather than just focusing on a single screening factor such as shared name servers. Audience members will learn about the emerging challenges to using Passive DNS and specific steps they can take to successfully overcome them.


Presenters:

  • Paul Vixie - Farsight Security Inc.
    Dr. Paul Vixie is the CEO of Farsight Security, Inc. In 2014, he was inducted into the Internet Hall of Fame for his work related to DNS. Previously, Dr. Vixie served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Dr. Vixie is a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He earned his PhD from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).
