Unified DNS View to Track Threats

Presented at BruCON 0x07 (2015), Oct. 9, 2015, 2 p.m. (60 minutes)

Worldwide visibility into DNS traffic both below and above the recursive level is important for developing a unified view of the Internet threat landscape. Analyzing traffic patterns below the recursive resolvers allows for the creation of models of client behavior, and these models serve as a valuable source of information for investigating potentially new malicious domains. Monitoring authoritative traffic above the resolvers is an excellent source of information for tracking the domain/IP hosting infrastructures behind malware campaigns over time. Combining these two views of the DNS and IP space provides the analyst with invaluable intelligence for detecting emerging threats.

The objective of this talk is to examine the methods we use at OpenDNS to analyze traffic at both the recursive and authoritative layers. We will present novel algorithms used to identify traffic signal patterns at the recursive layer. One of them is a spike detection algorithm that finds domains that have experienced an unexpected spike in traffic. Spikes in DNS traffic are often associated with DGAs or exploit kit families; consequently, developing a robust understanding of the various processes that generate spikes in traffic allows one to identify new exploit kits and DGAs. However, not all domains that spike are necessarily malicious, and a challenge is sifting through the large data set to extract the potentially harmful spikes. To accomplish this, we rely on unsupervised learning methods such as clustering to help us explore and eventually classify the data. At the same time, one should not wait until domains spike and then react; we therefore combine spike detection with proactive scrutiny of the hosting infrastructures and TTPs adversaries use when setting up their malware campaigns. With this insight we can preemptively block threats before they occur.

Both approaches are complementary, and they have proved very effective at increasing our coverage of the threat search space. We will discuss various use cases that showcase our research and methods.
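As an added illustration (not code from the talk or from OpenDNS), here is the kind of per-domain spike check the abstract describes, run over a constructed resolver-log sample: each domain's query count in the current hour is compared with its own baseline hours, and a domain with no history that suddenly appears in volume is flagged separately. The sample data, thresholds and function names are assumptions; a flagged domain is a candidate for the clustering and infrastructure analysis the talk describes, not a verdict.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed resolver-log sample (not real traffic): (hour, queried domain).
# Hours 0..4 form the baseline; hour 5 is the window under examination.
SAMPLE_QUERIES = (
    [(h, "example.com") for h in range(6) for _ in range(100)]   # steady volume
    + [(h, "newsite.test") for h in range(5) for _ in range(3)]  # low baseline ...
    + [(5, "newsite.test")] * 60                                 # ... then a jump
    + [(5, "q7x2k.biz")] * 40                                    # never seen before
)


def hourly_counts(queries):
    """Aggregate (hour, domain) events into {domain: Counter({hour: count})}."""
    counts = defaultdict(Counter)
    for hour, domain in queries:
        counts[domain][hour] += 1
    return counts


def detect_spikes(queries, current_hour, baseline_hours, z_threshold=3.0, min_count=20):
    """Flag domains whose query volume in current_hour deviates sharply from
    their own baseline. Returns {domain: (current, baseline_mean, z)}; z is
    None for a domain with no baseline history at all (newly seen)."""
    spikes = {}
    for domain, per_hour in hourly_counts(queries).items():
        now = per_hour.get(current_hour, 0)
        if now < min_count:          # ignore noise from tiny absolute counts
            continue
        history = [per_hour.get(h, 0) for h in baseline_hours]
        mu = mean(history)
        sigma = max(pstdev(history), 1.0)   # floor sigma so a flat baseline cannot divide by 0
        if mu == 0:
            spikes[domain] = (now, mu, None)   # no history: newly appearing domain
        else:
            z = (now - mu) / sigma
            if z >= z_threshold:
                spikes[domain] = (now, mu, z)
    return spikes


if __name__ == "__main__":
    for d, (now, mu, z) in detect_spikes(SAMPLE_QUERIES, 5, range(5)).items():
        label = "new" if z is None else f"z={z:.1f}"
        print(f"{d}: {now} queries in hour 5 vs baseline mean {mu:.1f} ({label})")
```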

Presenters:

  • Thomas Mathew
    Thomas Mathew is a Security Researcher at OpenDNS where he focuses on implementing innovative classifications of malware and botnets using pattern recognition techniques. Thomas holds an MS in Computer Science with a specialty in data security. Prior to joining OpenDNS, Thomas served as a researcher at the University of California (Santa Cruz) and the US Naval Postgraduate School, and as a Product and Test Engineer at the hands-free streaming video camera company Looxcie, Inc. He presented his research at ISOI APT 2015.
  • Dhia Mahjoub
    Senior Security Researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. He focuses on building threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia has a background in Computer Networks and Security, and holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks. Dhia presented his research at BSides NOLA, APWG eCrime, BSides Raleigh, BotConf, BSides San Francisco, ISOI, SOURCE Boston, BlackHat, DefCon, Virus Bulletin, ShmooCon and Kaspersky SAS, and will be speaking at the upcoming InfoSecurity Europe 2015. He is part of the BotConf 2015 program committee and a member of the MalwareMustDie research group.