Uncovering And Visualizing Botnet Infrastructure And Behavior

Presented at DeepSec 2017 „Science First!“, Unknown date/time (Unknown duration).

How much information about a botnet can one find using a single IP address, domain name or indicator of compromise (IOC)? What kind of behavior can be determined when looking at attacker and victim infrastructure? In an attempt to discover and analyze the infrastructure behind large-scale malware activity, we began our research with known indicators from popular botnets, such as Necurs. Our presentation will highlight co-occuring malicious activities observed on the infrastructure of popular botnets. We will demonstrate practical techniques for analyzing botnet and malware traffic to provide context that can be used in identifying actor and victim infrastructure and to discover additional IOC's. We will also show how political and societal world events may influence specific types of malware activity based on locations and times of malware events. Finally, we will demonstrate a visualization framework that can be used to better understand the connections between infrastructure, threats, victims, and malicious actors.

Presenters:

  • Josh Pyorre - OpenDNS/Cisco
    Josh and Andrea are Security Researchers with Cisco Umbrella (formerly OpenDNS). Andrea began her career in Support and worked as a Sysadmin for 12 years. She has worked with Hewlett Packard and the Town of Danville, California. Security has always been her passion. She began working with OpenDNS as a Security Researcher on the Security Research team in 2015 and spends her days working to make the Internet a safer place by hunting attackers and malware. She presented at B Sides Las Vegas in 2016. Josh has worked in security for around 14 years. He's been a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He also helped to build the SOC at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at Defcon, B Sides Austin, Chicago, San Francisco, Los Angeles and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World, DeepSec Vienna and Qbit Prague. He hosted season 1 of rootaccesspodcast.com
  • Andrea Scarfo - OpenDNS/Cisco
    Josh and Andrea are Security Researchers with Cisco Umbrella (formerly OpenDNS). Andrea began her career in Support and worked as a Sysadmin for 12 years. She has worked with Hewlett Packard and the Town of Danville, California. Security has always been her passion. She began working with OpenDNS as a Security Researcher on the Security Research team in 2015 and spends her days working to make the Internet a safer place by hunting attackers and malware. She presented at B Sides Las Vegas in 2016. Josh has worked in security for around 14 years. He's been a threat analyst at NASA, where he was part of the team that built the NASA Security Operations Center. He also helped to build the SOC at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh has presented at Defcon, B Sides Austin, Chicago, San Francisco, Los Angeles and Vienna, Source Boston, Source Seattle, Derbycon, InfoSecurity World, DeepSec Vienna and Qbit Prague. He hosted season 1 of rootaccesspodcast.com

Links:

Similar Presentations: