2016 FIRST - Vixie, Paul (Friday) 20160523


I. Introduction

"Today most incident response teams rely on vendor threat feeds to gain additional intelligence about the attacks against their network.

Yet vendor threat intelligence alone is limited – if the IOCs, signatures, or other feeds don't match what investigators have found in their network the investigation itself can come to an abrupt end."

[part of the abstract for this talk]

The "Magic" Behind Many Security Vendors' Threat Feeds

• Cybercriminals like to minimize their effort, and will reuse an attack, if successful, against many other potential victim sites.

• Because attacks are recycled, sharing the attack's attributes can help other victim sites identify and respond to these attacks.

• Required assumption #1: your goal is probably to do two things:
  – Block the malicious behavior (if possible), but at least
  – Detect the malicious behavior (in case efforts at blocking fail)

• Required assumption #2: statistically, you're unlikely to be one of the first sites hit, so you'll have time to learn from the experiences of others and take appropriate measures (but if you are attacked first, that attack at least provides intelligence for everyone else).

• Required assumption #3: false positives/collateral damage can be kept low through whitelisting and professional feed curation, etc.

"Abracadabra" Doesn't Always Yield A Rabbit

• Sometimes the magic of threat feeds simply doesn't work...

• You might get hit by a unique attack meant just for you. You weren't protected from it, and no one else may ever see it.

• Sometimes there may not be a traditional control point at which a detected attack can be automatically mitigated (example: classic firewalls may allow all outbound connection attempts by default).

• You may not have visibility into all network traffic (example: encrypted network traffic such as PGP-encrypted email messages).

• If blocking fails, detection is a distinctly inferior secondary outcome ("hey, we did at least spot the incoming nuclear missile, even though we couldn't prevent it from blasting our city").

• Collateral damage/false positives MAY exist & be problematic.

• Sharing indicators can result in intelligence being leaked to the bad guys (disclosure of "sources and methods").

More Empty Hats

• Attribution often remains a huge unsolved problem, so the community largely ignores the attribution problem (or employs non-scalable manual efforts in isolated cases, such as the Mandiant China report).

• Threat feeds are a tactical "solution" that focuses on observable manifestations (like cough syrup for lung cancer) while what we need is a genuine strategic solution that focuses on correcting root causes (analogy: discourage smoking and other causes of lung cancer, rather than improve oncological treatments or suppress symptoms)
  – Cyber example: sites NOT doing SAV are still tolerated by the community, so spoofed DoS traffic remains a problem
  – Criminal sanctuary networks aren't summarily de-peered
  – Criminals may be non-extraditable from some jurisdictions

II. DIY

"That aesthetic of the Star Wars universe: the do-it-yourself, hot rod ethic that George Lucas exported from his childhood, is exactly the same kind of soul behind what we do and build for the show. It may not look pretty, but it gets the job done."

Adam Savage, co-host of Mythbusters [emphasis added]

Why Consider A DIY Model? Many Reasons

• The market doesn't have what you need/want

• What you want is available, but you can't afford to buy it

• You've tried what exists, but it isn't working well enough

• There's something available, but what's available is proprietary and poorly disclosed, even under NDA (and relying on "witch doctoring" seems to be less-than-standard-of-care treatment)

• You like layered approaches to security (and DIY might be able to give you at least part of "another nine's worth" of incremental improvement)

• You like crafting solutions/controlling your own destiny, much like F/OSS for operating systems or OpenFlow/SDN networking

• No one knows your unique environment as well as you do.

• Also: creative "tinkerers" can potentially drive innovation and also potentially drive ecosystem improvements

Implicit Assumptions Applicable To DIY Models

• DIY can be a sweet way to save cash, but it isn't going to be totally "free." You WILL need to invest some "sweat equity," instead.

• A DIY approach shouldn't be just totally ad hoc, it should have an articulable theoretical basis/rational foundation

• The approach employed must be able to be horizontally replicated (e.g., be generalizable to at least your friends, if not the whole Internet), and thus cannot rely on the local existence of a willing expert (or secret heuristics) in order to succeed

• NOT require a total (and totally impractical!) redesign of your operational environment – you need to be able to just "drop it in"

• A DIY approach CANNOT require that you "stand at the stove and stir continually" – you've got other stuff you still have to do.
  – For example, manually adding IPv4 /32's to a local blocklist (as spam/phishing/malware gets locally noticed and manually reported) doesn't scale

Managing Security Exposures with DNS RPZ

• As someone who has worked with DNS a little, I think DNS may be a promising substrate for implementing DIY security measures

• DNS Response Policy Zones (RPZ) allow us to use DNS as a control point: DNS RPZ can make identified unwanted domains locally return NXDOMAIN (thereby keeping users from accidentally wandering into online minefields and experiencing traumatic cyber amputations)

• RPZs can be published/shared with other sites, but currently there are only a relatively small number of large-scale RPZ publishers (mostly the "usual suspects," see http://dnsrpz.info/).

• It's wonderful to have those mass market/at scale security options, thank you all, but we need more small RPZ providers (the online equivalent of hobby farmers offering exotic fruit/heirloom vegetables at the local Saturday farmer's market).

III. DIY Example #1: Blocking Sources of Unwelcome Behavior By Leveraging Passive DNS and RPZ

Fool me once, shame on you; fool me twice, shame on me.

Anonymous

Everyone Sees Attacks – But What Do You Do About Them?

• Everyone connected to the Internet sees attempted attacks

• Sometimes those attacks are already known to the vendors of the threat feeds you use; other times, they may not be.

• Some of you may automatically submit threat data to your threat intelligence provider, enriching those feeds and improving the protection that everyone enjoys (including yourself)

• But sometimes NOTHING gets done with that attack information. When nothing is done after an attack, a bad guy can pound on you, and keep pounding on you from what should now be a well-known-to-be-bad location. Permitting that is dumb.

• Other times there may be a delay between the time threat information gets shared, and the time that threat information gets incorporated into public threat feeds. It would be useful to reduce that window of vulnerability.

Leveraging Passive DNS

• Passive DNS is a well-known approach among threat analysts. Normally a threat analyst will take an initial "clue" (such as a suspicious IP, suspicious domain, or suspicious DNS server) and use passive DNS to find additional related bits of badness.

• This same process can also be leveraged for the development of domain lists to be blocked via a "DNS firewall" implemented with RPZ, complementing and extending IP-based blocking.

• For example, from a recent syslog file on an employee system:

    May 3 11:34:10 [snip] sshd: refused connect from 118.175.5.100
    May 3 11:59:12 [snip] sshd: refused connect from 118.175.5.100
    [etc]

• Those attempts are getting automatically blocked, but being a "belt and suspenders" sort of person, what else might we block?

• Let's check passive DNS...

Simple Passive DNS for 118.175.5.100

    $ dnsdb_query.py -i 118.175.5.100 --after=30d
    makarak.com. IN A 118.175.5.100
    www.makarak.com. IN A 118.175.5.100
    [no other domains seen in the last month]

    $ whois makarak.com
    [...]
    Registrant Name: makarak
    Registrant Organization: makarak
    Registrant Street: makarak
    Registrant City: makarak
    Registrant State/Province: Krung Thep Maha Nakhon Bangkok
    Registrant Postal Code: 99999
    Registrant Country: TH
    Registrant Phone: +999.99999999
    [etc]

Potential Action Options

• Do nothing (After all, the unauthorized ssh access attempts are currently getting blocked, but doing nothing feels... incomplete).

• Report the obviously incomplete/inaccurate whois via WDPRS (see https://forms.icann.org/en/resources/compliance/complaints/whois/inaccuracy-form). The problematic whois information may be an innocent clerical error, a domain that's been hijacked, or something less savory. We don't know/can't say. Cleaning up the whois is a nice first step to finding out.

• Add that domain to a locally maintained RPZ zone. Why? Assume the domain moves to a new IP. If we're blocking by IP, once the bad guy moves, he's free to do bad stuff again (at least until he gets relisted). If we block by domain name, the bad guy's attempt to avoid blocklisting by moving to a new IP address will accomplish precisely nothing – he'll still be blocked.
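The pivot these slides walk through (sshd log, source IP, passive DNS, RPZ rule), as an added example that is not part of the original talk. The syslog lines, the passive DNS answers other than makarak.com/www.makarak.com, and all dates are constructed; the RPZ convention used is the standard one, where a rule with CNAME target "." answers NXDOMAIN and a "*." wildcard covers subdomains.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed syslog lines in the shape quoted on the slide (hostnames and PIDs made up).
SYSLOG = """\
May  3 11:34:10 desk1 sshd[4120]: refused connect from 118.175.5.100
May  3 11:59:12 desk1 sshd[4183]: refused connect from 118.175.5.100
May  3 12:02:51 desk1 sshd[4201]: Accepted publickey for alice from 192.0.2.10
May  3 12:10:07 desk1 sshd[4233]: refused connect from 203.0.113.9
"""

# Constructed passive DNS answers standing in for the dnsdb_query.py output on the slide.
# Only makarak.com / www.makarak.com are from the slide; the third record and all
# last-seen dates are made up. Tuple layout: (rrname, rrtype, rdata, last_seen).
NOW = datetime(2016, 5, 3, tzinfo=timezone.utc)
PDNS = {
    "118.175.5.100": [
        ("makarak.com.", "A", "118.175.5.100", NOW - timedelta(days=2)),
        ("www.makarak.com.", "A", "118.175.5.100", NOW - timedelta(days=5)),
        ("old-tenant.example.", "A", "118.175.5.100", NOW - timedelta(days=200)),
    ],
}

REFUSED = re.compile(r"sshd(?:\[\d+\])?: refused connect from (\d{1,3}(?:\.\d{1,3}){3})")

def refused_sources(syslog):
    """Unique source IPs from sshd 'refused connect' lines, in first-seen order."""
    seen = {}
    for line in syslog.splitlines():
        m = REFUSED.search(line)
        if m:
            seen.setdefault(m.group(1), None)
    return list(seen)

def related_domains(ips, pdns, now, window_days=30):
    """Passive DNS pivot: names that resolved to any of the IPs inside the lookback window
    (the slide's --after=30d), so a stale record from a previous tenant is not blocked."""
    cutoff = now - timedelta(days=window_days)
    names = set()
    for ip in ips:
        for rrname, rrtype, rdata, last_seen in pdns.get(ip, []):
            if rrtype == "A" and rdata == ip and last_seen >= cutoff:
                names.add(rrname.rstrip(".").lower())
    return names

def rpz_records(domains):
    """RPZ QNAME rules: 'CNAME .' answers NXDOMAIN, and the '*.' wildcard covers every
    subdomain, so www.makarak.com needs no rule of its own once makarak.com has one."""
    kept = []
    for d in sorted(domains, key=lambda d: d.count(".")):  # parents before children
        if not any(d.endswith("." + p) for p in kept):
            kept.append(d)
    recs = []
    for d in sorted(kept):
        recs += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return recs
```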

"Hold On. What's RPZ?"

• RPZ == DNS Response Policy Zones, see https://dnsrpz.info/ RPZ is supported by current versions of multiple name server software products.

• RPZ allows a local site to intentionally rewrite/override how a domain would normally resolve.

• For instance, if you don't want to allow your local users to accidentally access example.com, you can make your DNS return NXDOMAIN for that domain, redirect to a captive web portal, etc.

• This allows DNS to be used as a "firewall" of sorts, protecting all applications that might otherwise try to access a bad domain.

"But Vixie! I Don't Want to Chase Dotted Quads!"

• Okay. You can still leverage the power of passive DNS and RPZ.

• For instance: take the list of CIDRs on the Spamhaus DROP and EDROP lists (www.spamhaus.org/drop) as input to passive DNS, checking to see what domains are used in those 868 CIDRs...

• Those lists currently expand via passive DNS to 200,680 unique hostnames seen within the past 30 days, or, if we simplify that list by running it against the effective TLD list, we can find 65,459 unique domains (43,742 of those are from the com TLD, FWIW)

• Domain names seen include domain names with:
  -- randomly-generated-appearing components (DGA's?)
  -- domains associated with the online sale of RX drugs
  -- brands heavily targeted for infringement (Nike, Oakley, etc)
  -- brands heavily targeted by phishers (Paypal, etc.)
  -- "antivirus"-related domains

IV. DIY Example #2: "Cheap Public Suffixes" RPZ Zone

Cheap things are not good, good things are not cheap.

Chinese Proverb

Hypothetical: "Cheap Public Suffixes" RPZ

• Miscreants need a continual stream of new domains because current ones get blocklisted as soon as they begin to be used.

• Miscreants use free domains (or subdomains), or buy the cheapest domains they can find (that aren't widely blocklisted).

• Typical end users largely (but not exclusively) buy domains in traditional gTLDs or a relatively small set of ccTLDs.

• Price isn't critical for most users with just a few domains.

• HYPOTHETICALLY, some cheap public suffixes may be a disproportionate source of unwanted traffic (and, conversely, NOT a material source of legit traffic)

• A site might thus construct a DIY "threat feed" that blocks traffic from cheap public suffixes via RPZ (prices change relatively slowly, and new public suffixes are uncommon, so maintaining such a zone shouldn't be very painful).

Wait, Wait: What's a Public Suffix Again?

• Quoting https://publicsuffix.org/

  A "public suffix" is one under which Internet users can (or historically could) directly register names. Some examples of public suffixes are .com, .co.uk and pvt.k12.ma.us. The Public Suffix List is a list of all known public suffixes.

• There are just under 8,000 public suffixes at this time. Many of them you will never see, much less see heavily abused. Some public suffixes you may ONLY see in conjunction with abuse.

• If you're running an enterprise network (rather than an ISP), you might decide that there are some public suffixes that you can "live without."

Blocking Entire Public Suffixes: A "Nuclear" Option That Apparently Does Nonetheless Get Used

• Blocking entire public suffixes is a potentially hugely problematic practice, and will likely cause collateral damage. Thus, this is something that we really hope would normally not be necessary. We'd hope that those responsible for public suffixes would curb the worst abuses associated with their part of the namespace.

• Therefore, normally at least one dot is required in an RPZ filter rule (e.g., by default RPZ expects you to be filtering foo.bar, not just a TLD such as *.bar). However, this default can be changed.

• We know (from first hand reports) that some (typically enterprise-ish) sites DO currently block access to some entire public suffixes.

• Commercial managed DNS services (such as OpenDNS Umbrella) do offer this – see for example https://support.opendns.com/entries/26514730-Web-Content-Filtering-and-Security.

Which Public Suffixes Are Currently Least Expensive?

• There are sites that track at least part of this: https://tld-list.com/

• If we operationalize "inexpensive" Public Suffixes as those that are available for <= $1/domain, at the time this was prepared, TLDs known to be under that dollar per domain threshold include: .xyz, .top, .bid, .science, .loan, .racing, .win, .faith, .review, .trade, .date, .webcam, .party, .download, .accountant, .cricket, .pw, .press, .website, .site, .tech, .space, .online, .club, and .in

• That list would also include .info, .com, and .us (at least right now), but we should probably exclude those legacy TLDs due to collateral damage considerations.

• There are other TLDs in that list that also appear to be dealing with the abuse issues they face, such as .site and .in, and which therefore might also be candidates for exclusion.

• What you do/don't block is up to you: your network, your rules.

"What If All The Listed Suffixes Just Raised Their Price To $1.01 or $2 or [fill in the number here]?"

• Answer #1: This would be good: criminal costs just increased.

• Answer #2: If necessary, the listing threshold could obviously be floated up, particularly if there were indications that pricing was being set to "game" a protective zone of this sort.

• Answer #3: Eventually we'd expect that most suffixes would increase in price until eventually they'd be on par with normal/non-sale dot com domain pricing (this is a decision for the entity controlling each public suffix).

• Overall Answer: RPZ can be used as a way for sites to deal with a particular category of domains (such as the current lower tail of the public suffix cost distribution), regardless of what exact "cut point" might happen to be.

"What About All Those Already-Registered Domains in Cheap Public Suffixes?"

• Traditional per-domain-based blocklisting can deal with legacy already-registered domain inventory.

• Most cheap domains are only registered for a year, and, at renewal, new pricing would typically apply.

• The crucial point for this hypothetical model is denying cyber-criminals a cheap and reliable supply of newly-created domains.

• Aside: this is the same problem Farsight already directly attacks with our Newly Observed Domain (NOD) RPZs, but this puts pressure on a different dimension of the problem.
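An added example for this section, not code from the talk: it implements the public suffix "longest match" rule the publicsuffix.org definition implies, uses it to reduce a hostname list to registrable domains per suffix (the "simplify against the effective TLD list" step mentioned earlier), and builds the hypothetical cheap-suffix RPZ from the TLD list on the price slide. The PUBLIC_SUFFIXES slice is a constructed subset of the real list, and the EXCLUDE set is one local policy choice following the slide's own exclusions.

```python
# Constructed slice of the Public Suffix List (the real list has just under 8,000
# entries, per the slide): the suffixes named on the slides plus a few multi-label ones.
PUBLIC_SUFFIXES = {
    "com", "info", "us", "uk", "co.uk", "ma.us", "k12.ma.us", "pvt.k12.ma.us",
    "in", "xyz", "top", "bid", "science", "loan", "site", "pw", "club",
}

# TLDs the slide lists as available for <= $1/domain when the talk was prepared.
CHEAP_TLDS = {
    "xyz", "top", "bid", "science", "loan", "racing", "win", "faith", "review", "trade",
    "date", "webcam", "party", "download", "accountant", "cricket", "pw", "press",
    "website", "site", "tech", "space", "online", "club", "in",
}

# Left alone: the legacy TLDs the slide excludes for collateral-damage reasons, plus the
# two it names as dealing with their abuse. "Your network, your rules": a local choice.
EXCLUDE = {"info", "com", "us", "site", "in"}

def public_suffix(name, psl=PUBLIC_SUFFIXES):
    """Longest listed suffix of `name` (the PSL 'longest match wins' rule), else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest candidate first
        cand = ".".join(labels[i:])
        if cand in psl:
            return cand
    return None

def registrable_domain(name, psl=PUBLIC_SUFFIXES):
    """Public suffix plus one label: the unit the slide counts after 'simplifying'
    200,680 hostnames against the effective TLD list."""
    sfx = public_suffix(name, psl)
    if sfx is None:
        return None
    labels = name.lower().rstrip(".").split(".")
    n = sfx.count(".") + 1
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def suffix_histogram(hostnames, psl=PUBLIC_SUFFIXES):
    """Unique registrable domains per public suffix: which suffixes dominate a list."""
    per_suffix = {}
    for h in hostnames:
        d = registrable_domain(h, psl)
        if d is not None:
            per_suffix.setdefault(public_suffix(h, psl), set()).add(d)
    return {s: len(ds) for s, ds in per_suffix.items()}

def blocked_suffixes(cheap=CHEAP_TLDS, exclude=EXCLUDE):
    return sorted(cheap - exclude)

def cheap_suffix_rpz(suffixes):
    """RPZ QNAME rules answering NXDOMAIN for every name at or under each suffix.
    A bare-TLD rule has no dot, which RPZ does not accept by default (as the slide
    notes), so that default must be changed before such a zone will load."""
    recs = []
    for sfx in suffixes:
        recs += [f"{sfx} CNAME .", f"*.{sfx} CNAME ."]
    return recs
```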

V. DIY Example #3: Bayesian Registrar Scoring

"He that walketh with the wise, shall be wise: a friend of fools shall become like to them."

Proverbs 13:20, Douay-Rheims 1899 American Edition

Another Hypothetical Example: Bayesian Filtering of Bad Guy-Preferred Registrars

• Each domain has an associated registrar. Some registrars are favorites of the Fortune 500. A second category of registrar might specialize in handling high volume domainer registrations. Other registrars specialize in providing domains for cybercriminals.

• Let's assume that there are some registrars loved by the bad guys and little used by legitimate domain registrants.

• Now imagine a publicly available DNS zone that maps domain names to registrars (much as the University of Oregon's Routeviews Project offers DNS zones mapping IP addresses to ASNs).

• The registrar data needed for such a zone is currently available from domain name registry Whois (no need to do recursion to the registrar's Whois data).

Example of Domain Name Registry Whois

    Domain Name: FARSIGHTSECURITY.COM
    Registrar: GANDI SAS
    Sponsoring Registrar IANA ID: 81
    Whois Server: whois.gandi.net
    Referral URL: http://www.gandi.net
    Name Server: NS5.DNSMADEEASY.COM
    Name Server: NS6.DNSMADEEASY.COM
    Name Server: NS7.DNSMADEEASY.COM
    Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Updated Date: 14-dec-2015
    Creation Date: 24-jan-2013
    [etc]

How We Might Use f(domain) → registrar?

• That function could hypothetically be used in email to map spamvertised URL domains to the registrar used, and then let Bayes classifiers do their thing with that additional token.

• E.G., like this, but for registrars rather than ASNs

  https://spamassassin.apache.org/full/3.2.x/doc/Mail_SpamAssassin_Plugin_ASN.txt

• Anyone interested in this sort of zone?
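An added example of the f(domain) → registrar idea, not code from the talk or from SpamAssassin: registry Whois text in the slide's format is reduced to a "REGISTRAR:&lt;IANA ID&gt;" token (the registrar counterpart of the ASN plugin's tokens), and a small naive Bayes filter learns it alongside the word tokens. Only the FARSIGHTSECURITY.COM registrar lines come from the slide; the other domains, the "bulk" registrar, its IANA ID 9999 and the messages are constructed.

```python
import re
from math import exp, log

# Constructed registry Whois records in the slide's format. Only the
# FARSIGHTSECURITY.COM lines are from the slide; the other domains, registrar
# names and IANA IDs are made up for this example.
WHOIS = {
    "farsightsecurity.com": "Registrar: GANDI SAS\nSponsoring Registrar IANA ID: 81\n",
    "n3wco.com": "Registrar: GANDI SAS\nSponsoring Registrar IANA ID: 81\n",
    "qz7k.xyz": "Registrar: BULK EXAMPLE LLC\nSponsoring Registrar IANA ID: 9999\n",
    "r4v9.top": "Registrar: BULK EXAMPLE LLC\nSponsoring Registrar IANA ID: 9999\n",
}
IANA_ID = re.compile(r"^Sponsoring Registrar IANA ID:\s*(\d+)", re.M)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")

def registrar_token(domain, whois=WHOIS):
    """f(domain) -> registrar, as one classifier token. The IANA ID keeps the token
    stable across spellings of the registrar's name; this mirrors the ASN plugin's
    per-message 'ASN:nnnn' tokens, with the registrar in place of the ASN."""
    m = IANA_ID.search(whois.get(domain.lower(), ""))
    return f"REGISTRAR:{m.group(1) if m else 'unknown'}"

def message_tokens(body, whois=WHOIS):
    """Word tokens plus one registrar token per URL host found in the body."""
    toks = set(re.findall(r"[a-z]{3,}", body.lower()))
    for host in URL_HOST.findall(body):
        toks.add(registrar_token(re.sub(r"^www\.", "", host.lower()), whois))
    return toks

class NaiveBayes:
    """Minimal Bernoulli naive Bayes with add-one smoothing over token sets."""
    def __init__(self):
        self.n = {"spam": 0, "ham": 0}
        self.seen = {"spam": {}, "ham": {}}

    def train(self, tokens, label):
        self.n[label] += 1
        for t in tokens:
            self.seen[label][t] = self.seen[label].get(t, 0) + 1

    def p_spam(self, tokens):
        """P(spam | tokens) from the two class log-likelihoods."""
        ll = {}
        for c in ("spam", "ham"):
            ll[c] = log(self.n[c] / (self.n["spam"] + self.n["ham"]))
            for t in tokens:
                ll[c] += log((self.seen[c].get(t, 0) + 1) / (self.n[c] + 2))
        return 1.0 / (1.0 + exp(ll["ham"] - ll["spam"]))

def trained_filter():
    """Two constructed spam and two constructed ham messages: the spam URLs sit at
    the made-up bulk registrar, the ham URLs at the registrar from the slide."""
    nb = NaiveBayes()
    for body in ("cheap pills now http://qz7k.xyz/buy", "limited offer click http://qz7k.xyz/go"):
        nb.train(message_tokens(body), "spam")
    for body in ("meeting notes attached see http://farsightsecurity.com/about",
                 "quarterly report draft http://farsightsecurity.com/reports"):
        nb.train(message_tokens(body), "ham")
    return nb
```

A message pointing at a never-seen domain is pushed toward spam or ham by the registrar token alone, which is the point of adding it.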

VI. DIY Example #4: Default Deny for DNS?

"I always have issues with trust."

Vin Diesel, American Popular Actor

"Risk Management"

• We used to all be philosophical purists: we'd do the right thing, for the right reason, because it was the right thing to do.

• Now "everyone" (well, a lot of people) have become pragmatists.
  – They do what seems to help right now (what's that about long term?)
  – We do what "pencils out," cost/benefit wise
  – We may only do what compliance requirements say we must do.

• This often means giving up historically-enjoyed "luxuries:"
  – Trust-by-default, Convenience, Privacy, Being A Good Network Neighbor
  – Etc.

• Example: because it is so hard to tell friends from enemies, assume everyone is hostile unless proven otherwise

• Network/system version of this: "default deny" policies

System/Network Examples of "Default Deny" Today

• $ umask 077

• Email addresses are not shared by default (try to find a publicly available email directory for an institution other than a university!)

• Social media pages are increasingly private by default (e.g., mashable.com/2014/05/22/facebook-private-default-setting/)

• Apps/executables are all untrusted by default, except for those that have been heavily scrutinized and whitelisted.

• All ports are blocked inbound at the border firewall, except for specifically allowed exceptions.

• This is all generally accepted as an example of people being "network savvy" or "street wise online."

• The big exception? DNS. DNS is the last "hippie protocol." DNS remains idealistic/"free love"/"default permit." (Of course, that means DNS also tends to work pretty well by default)

FWIW, "DNS Deny By Default" Would Not Mean Just Blocking End User Access to Arbitrary Resolvers...

• Forcing users to use a specified recursive resolver (normally their ISP's recursive resolver or their company's recursive resolver) has become pretty common since DNSChanger and similar threats. See for example "Messaging Anti-Abuse Working Group (MAAWG) Overview of DNS Security - Port 53 Protection," https://www.m3aawg.org/sites/default/files/maawg_dns_port_53v1.0_2010-06.pdf

• That document's full of great recommendations, but it doesn't go as far as calling for a full "Deny by Default" model for DNS.

• Today we're actually talking about forcing use of a specified recursive resolver AND controlling the resolution (domain by domain) that does (or doesn't) take place on that resolver, changing from default permit (resolve anything) to default deny (only resolve the domains that are locally necessary).

A Conceptual Model For "Default Deny" via RPZ

• Conceptually, rather than a default permit ("resolve everything by default, except for the following bad things we'll edit out") model, a default deny approach might redirect users to a web "portal" where they could request permission to access a new, never-before-requested domain. Having requested and received permission for that domain, the domain would then resolve, and continue to resolve unless/until revoked by the site.

• As part of adding a requested domain, a site might automatically check the domain characteristics, or review its reputation at sites such as WOT.

• Permission could even be granted semi-automatically (ask for permission, maybe complete a simple Captcha, then you're GTG).

• Permitted domains can also be reviewed in real time by a site's security team, or audited retrospectively (including reviewing who requested what domains).
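The conceptual model above as an added, runnable policy simulation (not code from the talk): request, automated checks, grant, revoke and an audit trail of who requested what, plus the RPZ passthru rules for the permitted list. The portal address 192.0.2.53, the KNOWN_BAD reputation set and the two checks are constructed stand-ins for a site's real portal, reputation source and domain-characteristic checks.

```python
class DefaultDenyPolicy:
    """Resolver-side view of the slide's model: a query name resolves only when a domain
    covering it holds an unrevoked grant; everything else is steered to the portal."""

    def __init__(self, portal_ip, checks=()):
        self.portal_ip = portal_ip
        self.checks = list(checks)  # automated checks run when a domain is requested
        self.grants = {}            # domain -> {"by": requester, "revoked": bool}
        self.audit = []             # (action, domain, who, reason) for later review

    def decide(self, qname):
        """('PASSTHRU', None) if permitted, else ('REDIRECT', portal_ip)."""
        labels = qname.lower().rstrip(".").split(".")
        for i in range(len(labels)):  # a grant for example.com also covers www.example.com
            g = self.grants.get(".".join(labels[i:]))
            if g and not g["revoked"]:
                return ("PASSTHRU", None)
        return ("REDIRECT", self.portal_ip)

    def request(self, domain, who):
        """Portal path: run the automated checks, then grant semi-automatically."""
        domain = domain.lower().rstrip(".")
        for check in self.checks:
            reason = check(domain)
            if reason:
                self.audit.append(("denied", domain, who, reason))
                return False
        self.grants[domain] = {"by": who, "revoked": False}
        self.audit.append(("granted", domain, who, ""))
        return True

    def revoke(self, domain, who, reason):
        """Security-team review: a revoked domain stops resolving on the next query."""
        g = self.grants.get(domain.lower().rstrip("."))
        if g is None:
            return False
        g["revoked"] = True
        self.audit.append(("revoked", domain, who, reason))
        return True

    def rpz_passthru_records(self):
        """RPZ rules for the permitted list ('rpz-passthru.' lets the name resolve
        normally). How the resolver sends everything else to the portal is a
        name-server configuration matter not modelled here."""
        active = sorted(d for d, g in self.grants.items() if not g["revoked"])
        return [r for d in active
                for r in (f"{d} CNAME rpz-passthru.", f"*.{d} CNAME rpz-passthru.")]

# Constructed automated checks standing in for the 'domain characteristics' and
# reputation (e.g. WOT) reviews the slide mentions; KNOWN_BAD is made-up data.
KNOWN_BAD = {"known-bad.example"}

def needs_a_dot(domain):
    return "" if "." in domain else "will not permit a whole public suffix"

def bad_reputation(domain):
    return "poor reputation" if domain in KNOWN_BAD else ""
```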

VII. Conclusion

"It's a great country: you can say whatever you like so long as it is strictly true — nobody will ever take you seriously."

Edward Abbey, Desert Solitaire

Key Takeaways

• Do-it-yourself can make sense as a strategy for leveraging threat intelligence without having to rely on traditional vendor threat feeds.

• Passive DNS and DNS Response Policy Zones can be powerful tools in your DIY threat intelligence toolbox, complementing and supplementing other tools you may already be using.

• We've considered multiple examples of how this might be done:
  1) Leveraging Passive DNS with RPZ
  2) A "Cheap Public Suffixes" RPZ
  3) Bayesian Registrar Scoring
  4) Moving to "Default Deny" for DNS

• We hope you experiment a little with these approaches, and share what works for you.

• Thank you! Are there any questions?