Infrastructure Tracking with Passive Monitoring and Active Probing

Presented at ShmooCon XI (2015), Jan. 18, 2015, 11 a.m. (60 minutes).

Threat intelligence is crucial in our industry to proactively monitor for attacks, detect active breaches, and analyze incidents post-mortem. Intelligence is created by researching, tracking, and interpreting attacker movements with a focus on preemptively countering malicious campaigns as soon as they emerge. In this talk, we will describe tools and methodologies we use in-house to provide context on evil at Internet scale. We will also present concrete use cases on how to leverage threat intelligence, both open source and proprietary, to track internet threats and pivot around specific indicators to further the investigative effort. Our use case of choice will be the new Zeus GameOver variant that re-emerged last summer and which we've been tracking for several months. The various aspects of campaign tracking include command and control infrastructure, preferred hosting providers, domain registration practices, and compromised client behaviors.


Presenters:

  • Anthony Kasza
    Anthony Kasza is a Security Researcher at OpenDNS, where he works on a team of specialized data scientists and security experts creating actionable defensive technologies. With a strong background in network architectures and communication protocols, Anthony researches online threats, analyzes malware, and hacks on Bro IDS.
  • Dhia Mahjoub
    Senior Security Researcher at OpenDNS, Dhia Mahjoub works on research and development problems involving DNS, security, big data analysis, and networks. He focuses on building threat detection systems based on the monitoring and analysis of traffic and hosting infrastructures. Dhia has a background in computer networks and holds a PhD in Computer Science from Southern Methodist University, Dallas, with a specialty in graph theory applied to Wireless Sensor Networks.
