Adversary Recon and Practical Defenses Using Domain and DNS OSINT

Tim HelmingDirector, Product ManagementDomainTools

Instruction Slide

• Please do not delete the title slide.• You are not required to use this template.• You are welcome to include your organization’s

logo/brand on the presentation title page. • You are also welcome to adjust the location of your

logo as long as it does not overlap/touch the FIRST logo.

• Your slides must be reviewed prior to your presentation by the FIRST Program Chair and Committee.

Contents

• OSINTforadversaryanalysis—andwhyadversaryanalysisisuseful

• WhichOSINTsourcesarewetalkingabout?• ForensicDomainMapping:NexusDiscoveryand

Expansion• Attribution/Profiling/Analyzing.Withoutlurkingon

teh darkwebs (unlessthat’syourthing)• Oh,snap,we’rebreached.Nowwhat?• ContinuousSecurity&ThreatHunting

So, me.

Beeninthesecuritygamealongtime.WhenIbegan…

-Startedasasupportguyatafirewallcompany-Eventuallyranproductatthefirewallcompany-NowrunningproductatDomainTools-Musician,radioham(WT1IM),motorcycleguy

(asacomiccharacterfromMIRcon)

Combating Cybercrime…

At the destination (defending your assets)

6

At the source (shutting down criminal networks)

Why do adversary analysis?

– Kevin Mandia

“Attribution is a proxy for risk.”

Why do adversary analysis?

– Josh RayVP, Verisign iDefense

“The pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization's resource allocation and security posture.”

Why do adversary analysis?Adversaryanalysis≠positiveattribution.Asolidprofilecanspeakvolumes.

• Calculatedvsopportunistic/scattershotattack• Lonewolfvsconnectednetwork• Scaleofoperations• Natureofoperations• TT&Ps

…manyofwhichcanbediscernedquickly,tohelpyoutriageindicators

Why do adversary analysis?

Asolidprofile(orpositiveattribution)enablesmultipleactions:

• Lookforlateralmovement• Discoverdwelltime(morelater)• Monitorattackers• Learnmoreviasearch(i.e.younowhaveabunchmoresearchterms)

Threat Actor OpSec and Patterns

11

It’s easier for everyone—including the bad guys—to follow patterns than to act randomly. Poor OpSec heightens their risk of exposure.

There are patterns evident in DNS/Whois OSINT that can be discerned…

…and anticipated

(…and others that can be red herrings)

Sources of OSINT• DNS lookups(manysourcesofpassive/massiveDNS.Live

lookupsarefinebutdon’tscale)• Dig (commandline)• Whoislookups (manywebsources,orport43from

commandline)• MXrecords(severalwebsources,commandlinealso

supportsthis)• Archive.org’sWayback Machine• Searchengines(thereareafewofthesetooJ)• Malwareanalysis(wewon’tbecoveringthattoday)

OSINT = Free?

Shortanswer• Piecemeal:Yes• Atscale:No(typically)

Longeranswer• Withsomework,therearethingsyoucandotoautomate

collection/queryingofOSINTinlarge(ish)volumes,but…• Considerthedomains-by-IPproblem• Thereareproductsthatsolvethescale/cross-indexing

problemforyou

Examples – introduction

Usingaphishingattack,anAPT,andanad-hocinvestigationofaDDoS service,wewillsee:

• Forensicdomainmapping• Techniques:“nexusdiscovery”

and“expansion”• Adversaryanalysistechniques

15

Begin with the domain

GoeoglleDoc.com

ScenarioGoogle document

phishing attack

Goalsprofile threat and

assess risk

Profile your adversary with this one weird trick

Initial phish domain

17

The magic of cross-indexed Whois databases….

Inferring Adversary IntentReginaldC.Rodman:BusyGuy

OSINTsources:

• commercialWhoisdataproviders

This phone number connects to other domains, all registered to Reginald Rodman. Known as “Reverse Whois”

Strong inferences:

• Targeting banks• These domains

registered within 3 days of each other

19

Goals: profile threat and assess riskNext Steps:

• Searchfordomainsinnetworklogs

• Proactivelyblockaccess• Studyattacker’sinfrastructure• Monitorfutureregistrations

Use It!

What Makes a Good Nexus?

• Uniquenessofthedatapoint• abuse@enom.com isNOTagoodnexus• stealthreconx@gmail.com ISagoodnexus

• Smalleris(generally)better• AhostingIPwith100Ksitesisnotgoingtotell

youmuchaboutyourtargetdomain• Asingleorlow-countIPismorelikelytoindicate

connectionandaffinity• Adatapoint withsemanticmeaningisgood

• “skydaddyhacks@aol.com”tellsussomething…

Example 2: APT 28 (FireEye report)

“WehaveseenAPT28registeratleasttwodomainsmimickingthedomainsoflegitimateorganizationsintheCaucasus…OneAPT28domainimitatedakeyChechen-focusednewswebsite,whiletheotherappearedtotargetmembersoftheArmenianmilitarybyhostingafakeloginpage.”– Page11,APT28Report

IP Nexus

OSINTsources:

• port43• passiveDNS• commercial

providers

IP Expansion

Noticeanything?

• googleproductupdate• sry-yahoo• update-windows• …etc

Apatternisclear…

OSINTsources:

• passiveDNS• commercial

providers

Example 3: DDoS for sale

DDoS brokersabound.

Example:top10booters[.]com

Weknowthissiteisbad.Butcanwelearnmoreaboutitsextendednetwork? Itsoperator(s)?

Seek Nexus…

• RegistrantName/Address:notinteresting• RegistrantEmail

– 2addresseslookinteresting(abuse@enom isnot interesting)

• DNS– IPaddress:couldbeinteresting(staytuned)– MX:onlyinterestinginthattheyhave MX– NS:notinteresting

Expansions: IP and email

Nexus:185.30.165.39• top10booters[.]com• darkbooter[.]com• darkbooter[.]net• fatal-mt2[.]net• hazebooter[.]com• hazebooter[.]net• icestresser[.]com• iddos[.]co• iddos[.]net• ionbooter[.]com• ipstressers[.]com• minecraftkings[.]net• pcgameguides[.]net

Nexus:stealthreconx@gmail.com• ddosninja[.]com• dimension[.]li• expuse[.]in• iddos[.]co• ionbooter[.]com• ituneshacks[.]com• newmicrosoftoffice[.]com• pcgameskeys[.]net• pickmypromdress[.]com• top10booters[.]com• xboxburn[.]com• xboxonecompetitions[.]com

Attribution path

Top10booters[.]com

185.30.165.39 stealthreconx@gmail.com

22 likely-connected domains

6 unique, non-anonymous email addresses

1 strong candidate for our attacker

22…

2 names with tight connections to top10booters

10 not-obviously-fake human names

Capitalize on “slOPSec”Sometimes,registrantsinitiallyregisteropenly,addprivacylater.Oops!(exampledotnetexplorer[.]info fromVolatileCedar)

Today: Earlier:

Capitalize on “slOPSec”CorroborateviaWayback Machineorscreenshothistorytools

Today: Earlier:

30

Apply It…

Mitigation:• Lockdownagainst

observed threats• Findandlockdown

againstexpandedthreatnetwork

Today

OSINT in Continuous Security

Forensics:• Werethesedomains

orIPsseenpreviously?

• Innocuous-lookingtrafficmighthavebeenevil

LookingBack

Prevention:• Monitornew

registrationsbythisactor

• Defendbeforeattacksarelaunched

LookingAhead

It’snotjustforIRanymore…

Oh, Snap—I’m Breached! Now What?

OHSNAP!

exfiltrationdomain.com

datahemorrhage

pwnyoudomain.comlulzdomain.com

datatrickles

Undertheradar

UseOSINTtoexpand

exfiltrationdomain.com(nexusdiscovery)->(expansion)->pwnyoudomain.comlulzdomain.comwewinulosedomain.com…etc

OK-stoppedthe leak.But…

Howlonghavetheybeeninside?Wherehavetheybeensendingmydata?Wheremighttheytrytosenditnext?time

OSINT in Continuous Security and for Hunt Teams

1)Detect initialindicators,expand toconnectedassets2) Review archivesforearlieroccurrencesofexpandedthreatnetwork

3)Monitor cybersquatters,repeat-offenderdomainregistrants

4) Proactivelyblocknewthreatinfrastructure

12

3 4

Summing Up• Adversaryanalysisisworthwhile,

especiallyforattention-gettingthreatindicators

• SourcesofOSINTabound• Piecemeallookupsarefree;at-scale

typicallyis$• Technique:nexusdiscoveryandexpansion

• “Nexus:”adatapointthatconnectsinfrastructure

• “Expansion:”thebroadersetofconnectedentities,expandedfromtheoriginalone

• Thesetechniqueshaveapplicationacrosstensesoftime

Wrapping Up

Q&A

Thank You!thelming@domaintools.com

@timhelming