Towards a Holistic Approach in Building Intelligence to Fight Crimeware

Presented at Black Hat USA 2016, Aug. 3, 2016, 1:50 p.m. (50 minutes)

To defeat your adversaries, it is crucial to understand how they operate and to develop a comprehensive view of their playing field. In this talk, we describe a holistic and scalable approach to investigating and combating cybercrime. Our strategy focuses on two perspectives: the network attack surface and the actors. The network attack surface exploited by malware manifests itself through various aspects such as hosting IP space, DNS traffic, open ports, BGP announcements, ASN peerings, and SSL certificates. The actors' view tracks the trends, motivations, and TTPs of cyber criminals by infiltrating and maintaining access to closed underground forums where threat actors collaborate to plan cyber attacks. Crimeware campaigns nowadays rely heavily on bulletproof hosting for scalable deployment. We distinguish two types of such hosting infrastructure: the first consists of a large number of infected residential hosts scattered geographically that are leveraged to build a fast flux proxy network. This network is a hosting-as-a-service platform for various malware and ransomware C2, phishing, carding, and botnet panels. The second type consists of dedicated servers acquired from rogue hosting companies or large abused hosting providers for the purpose of hosting exploit kits, phishing, malware C2, and other gray content. We start by using DNS traffic analysis and passive DNS mining algorithms to detect malware domains at scale. After we identify the hosting IPs of these domains, we will demonstrate novel methods that use DNS PTR data to further map out the entire IP space of the bulletproof hosters serving these attacks. In the case of fast flux proxy networks, we leverage SSL data to map out larger sets of compromised hosts. Concurrently, we investigate underground forums for emerging signals about bulletproof hosters that are about to be employed for malware campaigns.

The talk describes how to proactively bridge the gap between the actors' and network views by identifying the IP space of these hosters from very few initial indicators and predictively blocking it. This is made possible by large-scale use of DNS PTR, SSL, and HTTP data provided by Project Sonar datasets and by our own scanning of certain IP regions. Devising means to quickly index and search through vast quantities of security-related log data is a serious challenge facing security researchers. Therefore, we will also describe the backend architecture, based on HBase and ElasticSearch, that we use to index global Internet metadata so that it is easily searchable and retrievable. Join us in this talk to learn about effective methods to investigate malware from both the network and actors' perspectives, and to hear about our experience deploying and mining large-scale Internet data to support threat research.
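The abstract's core pivot (from a handful of hosting IPs to a hoster's wider IP space via PTR naming patterns, and from fast flux nodes to their siblings via shared SSL certificates) is sketched below as an added example. It is not code from the talk, OpenDNS or Intel 471; the PTR and TLS datasets are constructed inline (RFC 5737 documentation addresses, made-up certificate fingerprints) to stand in for bulk scan data such as Project Sonar, and the thresholds `min_seed_hits` and `max_share` are assumptions that keep a single mis-attributed seed or a widely shared certificate from pulling an entire legitimate provider into the candidate list.

```python
"""Seed-to-IP-space expansion using PTR naming patterns and shared TLS certs.

Added illustration, not the speakers' tooling. All data below is constructed.
"""
from collections import Counter

# Constructed PTR dataset: ip -> reverse DNS name (as a bulk PTR dump provides it).
# 203.0.113.0/24 plays a rogue hoster, 198.51.100.0/24 a residential ISP.
PTR_DATA = {
    "203.0.113.10": "srv10.bp-host.example",
    "203.0.113.11": "srv11.bp-host.example",
    "203.0.113.25": "srv25.bp-host.example",
    "203.0.113.40": "vps40.bp-host.example",
    "203.0.113.99": "mail.legit-biz.example",
    "198.51.100.7": "cpe-198-51-100-7.isp.example",
    "198.51.100.8": "cpe-198-51-100-8.isp.example",
    "192.0.2.5": "host5.other-provider.example",
}

# Constructed TLS scan dataset: ip -> fingerprint of the leaf cert served on 443.
# Fast flux proxies front the same backend, so they tend to present one cert (fp-A).
TLS_DATA = {
    "198.51.100.7": "fp-A",
    "198.51.100.8": "fp-A",
    "198.51.100.9": "fp-A",
    "203.0.113.10": "fp-B",
    "192.0.2.5": "fp-C",
    "192.0.2.6": "fp-C",
}


def ptr_suffix(name: str, labels: int = 2) -> str:
    """Reduce a PTR name to its naming pattern: the trailing `labels` DNS labels."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def expand_by_ptr(seed_ips, ptr_data, labels=2, min_seed_hits=2):
    """Learn the PTR suffixes shared by the seeds, then return every IP in the
    dataset carrying one of them. A suffix must appear on at least min_seed_hits
    seeds (assumed threshold), so one residential seed does not expand to an ISP."""
    suffixes = Counter(ptr_suffix(ptr_data[ip], labels)
                       for ip in seed_ips if ip in ptr_data)
    learned = {s for s, n in suffixes.items() if n >= min_seed_hits}
    hits = {ip for ip, name in ptr_data.items()
            if ptr_suffix(name, labels) in learned}
    return learned, hits


def expand_by_cert(seed_ips, tls_data, max_share=50):
    """Collect the seeds' certificate fingerprints and return all IPs presenting
    one of them. Fingerprints seen on more than max_share IPs (assumed threshold)
    are ignored, since a shared default/CDN certificate is not an attribution signal."""
    per_fp = Counter(tls_data.values())
    fps = {tls_data[ip] for ip in seed_ips
           if ip in tls_data and per_fp[tls_data[ip]] <= max_share}
    hits = {ip for ip, fp in tls_data.items() if fp in fps}
    return fps, hits


def map_hoster(seed_ips, ptr_data=PTR_DATA, tls_data=TLS_DATA):
    """Run both pivots and return the evidence plus the new (non-seed) candidates
    for analyst review before any predictive blocking."""
    learned, ptr_hits = expand_by_ptr(seed_ips, ptr_data)
    fps, cert_hits = expand_by_cert(seed_ips, tls_data)
    return {
        "ptr_patterns": sorted(learned),
        "ptr_hits": sorted(ptr_hits),
        "cert_fingerprints": sorted(fps),
        "cert_hits": sorted(cert_hits),
        "candidates": sorted((ptr_hits | cert_hits) - set(seed_ips)),
    }


if __name__ == "__main__":
    # Three seeds: two dedicated servers at the hoster, one fast flux residential node.
    result = map_hoster(["203.0.113.10", "203.0.113.25", "198.51.100.7"])
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the constructed data, the two hoster seeds share the `bp-host.example` pattern and expand to four IPs, while the single ISP seed does not expand by PTR at all; it instead expands through the shared certificate to its two sibling fast flux nodes. The `candidates` list is the predictive-block input the abstract refers to, kept separate from the seeds so an analyst can see what was inferred versus observed.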


Presenters:

  • Thomas Mathew - OpenDNS
    Thomas Mathew is a Security Researcher at OpenDNS (now part of Cisco), where he works on implementing pattern recognition algorithms to classify malware and botnets. His main interest lies in using various time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School, and a Product and Test Engineer at Looxcie, Inc., a hands-free streaming video camera company. He has presented at ISOI APT, BruCon, FloCon and Kaspersky SAS.
  • Mykhailo Sakaly - Intel 471
    Mykhailo Sakaly is the Cyber Threat Research Unit Lead for the Russian language underground at Intel 471. At Intel 471, Mykhailo proactively monitors, tracks and attributes cyber threat actors, predominantly those who originate from the Russian language underground. He previously served at the Cybercrime Department of the Security Service of Ukraine. He made his way through various investigative roles, in which he organized and directly conducted investigations of computer-related crimes, up to the level of Deputy Chief of the Unit tasked with intelligence gathering and with coordinating the analytical and investigative efforts of the Department's headquarters and regional cybercrime teams. He also provided computer forensic support to key investigations carried out by other branches of the Service, including terrorism and organized crime cases, and participated in numerous joint operations with foreign law enforcement partners.
  • Dhia Mahjoub - OpenDNS
    Dhia Mahjoub is the Technical Leader at OpenDNS Research Labs (now part of Cisco), with more than 10 years of technology research experience in network protocols, graph theory, sensor networks, and security. Dhia is the first member of the OpenDNS research team and, over the past four years, has been building threat detection systems at global scale and leading research projects while providing expert advice on strategic directions. He has a background in computer networks and holds a PhD in Computer Science from Southern Methodist University, specializing in graph theory applied to wireless sensor networks. Dhia has presented at conferences worldwide, including APWG eCrime, BSides, Botconf, ISOI, SOURCE Boston, Black Hat, DEF CON, Virus Bulletin, ShmooCon, Kaspersky SAS, Infosecurity Europe, Infosecurity Intelligent Defence, BruCon, Hack.lu, FloCon and RSA.
