RBN Reloaded - Amplifying Signals from the Underground

Presented at Black Hat USA 2017, July 27, 2017, 5 p.m. (25 minutes)

Threat intelligence gains immensely in clarity and precision when signals intelligence (SIGINT) and on-the-ground human intelligence (HUMINT) work closely in tandem. This fusion offers the best opportunity to build real visibility into an adversary’s TTPs, intent, sophistication and composition. As a result, a deeper understanding of the adversary not only leads to better decision making to mitigate the threat, but also helps to proactively exploit pain points and have a longer lasting impact.

In this talk, we will illustrate how we use the network- (SIGINT) and actor-centric (HUMINT) approaches, in much the same way SIGINT and HUMINT have contributed in the fight against terrorism, organized crime and the drug trade, to proactively expose key information about sophisticated bulletproof hosting (BPH) operations that have been enabling long-lasting and lucrative cybercrime campaigns.

We will be showcasing the results of combining both approaches by highlighting details of our research into a top tier Russian BPH service that has been supporting the full spectrum (banking trojans, phishing, ransomware, etc) of cyber criminals since at least 2010. The talk will highlight key findings such as networks/ASNs, the service’s history across the underground marketplace, and relationships with other bulletproof hosters.

We will also describe a new large scale integrated methodology that combines both the network- and actor-centric approaches to track, expose and disrupt crimeware. This system is built to offer the capabilities of a search and recommender engine. The network-centric component is powered by worldwide DNS and network data that is ingested, processed and indexed at Internet scale. The actor-centric component is facilitated by exclusive access to closed underground forums, marketplaces and threat actors/groups.

Given initial intelligence from the actor or network perspective, we show how we use the search and recommender system to amplify seed signals and cast a much wider net on a richer set of crimeware assets: malware C2s, dump shops, criminal forums and jabber servers, rogue VPN and proxy services, stolen accounts shops, etc.

This talk will be beneficial to a wide audience including threat intelligence analysts, security researchers, big data engineers, investigators, and decision makers.


Presenters:

  • Jason Passwaters - VP of Intelligence, Intel 471
    Jason Passwaters is the VP of Intel at Intel 471, Inc where he leads the research effort and building out of capabilities for their global team. He has spent the last decade quietly tracking cybercrime and cyber espionage threat actors behind the scenes and leading teams around the world doing the same. He's been involved and responsible for tracking down some of the most notorious cyber criminals of the last 10 years. His previous experience includes building and running iSIGHT Partner's Global Research department, four years supporting federal law enforcement efforts targeting eastern European and other cyber threat actors, and tactical intel collection support to combat and other military operations. He also spent 12 years in the United States Marine Corps as a CI/HUMINT and Technical Surveillance Countermeasures (TSCM) Marine.
  • Dhia Mahjoub - Head of Security Research, Cisco Umbrella (OpenDNS)
    Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with OpenDNS and holds a PhD in graph algorithms applied on Wireless Sensor Networks problems. He regularly works with prospects and customers and speaks at conferences worldwide including Black Hat, Defcon, Virus Bulletin, BotConf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC, and Les Assises de la sécurité.
  • David Rodriguez - Security Researcher, Cisco Umbrella (OpenDNS)
    David Rodriguez is a Security Researcher and Data Scientist at Cisco Umbrella Research (OpenDNS). He has co-authored multiple pending patents with Cisco in distributed machine learning applications centered around deep learning and behavioral analytics. He has an MA in Mathematics from San Francisco State University and previously worked at Location Labs by Avast and Esurance. David spoke at the SAI Computing Conference 2016 in London and at Data Science meetups in the Bay Area.

Links:

Similar Presentations: