Adversary Recon and Practical Defenses · FIRST, Forum of Incident Response and Security Teams · 2016-06-12
TRANSCRIPT
Adversary Recon and Practical Defenses Using Domain and DNS OSINT
Tim Helming, Director, Product Management, DomainTools
Contents
• OSINT for adversary analysis, and why adversary analysis is useful
• Which OSINT sources are we talking about?
• Forensic Domain Mapping: Nexus Discovery and Expansion
• Attribution/Profiling/Analyzing. Without lurking on teh darkwebs (unless that's your thing)
• Oh, snap, we're breached. Now what?
• Continuous Security & Threat Hunting
So, me.
Been in the security game a long time. When I began…
- Started as a support guy at a firewall company
- Eventually ran product at the firewall company
- Now running product at DomainTools
- Musician, radio ham (WT1IM), motorcycle guy
(as a comic character from MIRcon)
Combating Cybercrime…
• At the destination (defending your assets)
• At the source (shutting down criminal networks)
Why do adversary analysis?
"Attribution is a proxy for risk."
– Kevin Mandia
Why do adversary analysis?
"The pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization's resource allocation and security posture."
– Josh Ray, VP, Verisign iDefense
Why do adversary analysis?
Adversary analysis ≠ positive attribution. A solid profile can speak volumes.
• Calculated vs opportunistic/scattershot attack
• Lone wolf vs connected network
• Scale of operations
• Nature of operations
• TTPs
…many of which can be discerned quickly, to help you triage indicators
Why do adversary analysis?
A solid profile (or positive attribution) enables multiple actions:
• Look for lateral movement
• Discover dwell time (more later)
• Monitor attackers
• Learn more via search (i.e. you now have a bunch more search terms)
Threat Actor OpSec and Patterns
It’s easier for everyone—including the bad guys—to follow patterns than to act randomly. Poor OpSec heightens their risk of exposure.
There are patterns evident in DNS/Whois OSINT that can be discerned…
…and anticipated
(…and others that can be red herrings)
Sources of OSINT
• DNS lookups (many sources of passive/massive DNS. Live lookups are fine but don't scale)
• dig (command line)
• Whois lookups (many web sources, or port 43 from the command line)
• MX records (several web sources; the command line also supports this)
• Archive.org's Wayback Machine
• Search engines (there are a few of these too :) )
• Malware analysis (we won't be covering that today)
OSINT = Free?
Short answer
• Piecemeal: Yes
• At scale: No (typically)
Longer answer
• With some work, there are things you can do to automate collection/querying of OSINT in large(ish) volumes, but…
• Consider the domains-by-IP problem
• There are products that solve the scale/cross-indexing problem for you
Examples – introduction
Using a phishing attack, an APT, and an ad-hoc investigation of a DDoS service, we will see:
• Forensic domain mapping
• Techniques: "nexus discovery" and "expansion"
• Adversary analysis techniques
Begin with the domain
GoeoglleDoc.com
Scenario: Google document phishing attack
Goals: profile threat and assess risk
Profile your adversary with this one weird trick
Initial phish domain
The magic of cross-indexed Whois databases….
Inferring Adversary Intent
Reginald C. Rodman: Busy Guy
OSINT sources:
• commercial Whois data providers
This phone number connects to other domains, all registered to Reginald Rodman. Known as "Reverse Whois".
Strong inferences:
• Targeting banks
• These domains registered within 3 days of each other
Goals: profile threat and assess risk
Next Steps:
• Search for domains in network logs
• Proactively block access
• Study attacker's infrastructure
• Monitor future registrations
Use It!
What Makes a Good Nexus?
• Uniqueness of the data point
  – [email protected] is NOT a good nexus
  – [email protected] IS a good nexus
• Smaller is (generally) better
  – A hosting IP with 100K sites is not going to tell you much about your target domain
  – A single or low-count IP is more likely to indicate connection and affinity
• A data point with semantic meaning is good
  – "[email protected]" tells us something…
Example 2: APT 28 (FireEye report)
"We have seen APT28 register at least two domains mimicking the domains of legitimate organizations in the Caucasus… One APT28 domain imitated a key Chechen-focused news website, while the other appeared to target members of the Armenian military by hosting a fake login page."
– Page 11, APT28 Report
IP Nexus
OSINT sources:
• port 43
• passive DNS
• commercial providers
IP Expansion
Notice anything?
• googleproductupdate
• sry-yahoo
• update-windows
• …etc
A pattern is clear…
OSINT sources:
• passive DNS
• commercial providers
Example 3: DDoS for sale
DDoS brokers abound.
Example: top10booters[.]com
We know this site is bad. But can we learn more about its extended network? Its operator(s)?
Seek Nexus…
• Registrant Name/Address: not interesting
• Registrant Email: 2 addresses look interesting (abuse@enom is not interesting)
• DNS
  – IP address: could be interesting (stay tuned)
  – MX: only interesting in that they have MX
  – NS: not interesting
Expansions: IP and email
Nexus: 185.30.165.39
• top10booters[.]com
• darkbooter[.]com
• darkbooter[.]net
• fatal-mt2[.]net
• hazebooter[.]com
• hazebooter[.]net
• icestresser[.]com
• iddos[.]co
• iddos[.]net
• ionbooter[.]com
• ipstressers[.]com
• minecraftkings[.]net
• pcgameguides[.]net
Nexus: [email protected]
• ddosninja[.]com
• dimension[.]li
• expuse[.]in
• iddos[.]co
• ionbooter[.]com
• ituneshacks[.]com
• newmicrosoftoffice[.]com
• pcgameskeys[.]net
• pickmypromdress[.]com
• top10booters[.]com
• xboxburn[.]com
• xboxonecompetitions[.]com
Attribution path
top10booters[.]com
→ nexus: 185.30.165.39 and [email protected]
→ 22 likely-connected domains
  → 6 unique, non-anonymous email addresses → 1 strong candidate for our attacker
  → 10 not-obviously-fake human names → 2 names with tight connections to top10booters
Capitalize on "slOPSec"
Sometimes, registrants initially register openly, add privacy later. Oops! (example: dotnetexplorer[.]info from Volatile Cedar)
(screenshots: Today vs. Earlier)
Capitalize on "slOPSec"
Corroborate via Wayback Machine or screenshot history tools
(screenshots: Today vs. Earlier)
Apply It…
Today
Mitigation:
• Lock down against observed threats
• Find and lock down against expanded threat network
OSINT in Continuous Security
Looking Back
Forensics:
• Were these domains or IPs seen previously?
• Innocuous-looking traffic might have been evil
Looking Ahead
Prevention:
• Monitor new registrations by this actor
• Defend before attacks are launched
It's not just for IR anymore…
Oh, Snap—I'm Breached! Now What?
OH SNAP!
(diagram: exfiltrationdomain.com, a data hemorrhage; pwnyoudomain.com and lulzdomain.com, data trickles, under the radar)
Use OSINT to expand:
exfiltrationdomain.com (nexus discovery) -> (expansion) -> pwnyoudomain.com, lulzdomain.com, wewinulosedomain.com …etc
OK, stopped the leak. But…
How long have they been inside? Where have they been sending my data? Where might they try to send it next? (timeline)
OSINT in Continuous Security and for Hunt Teams
1) Detect initial indicators, expand to connected assets
2) Review archives for earlier occurrences of expanded threat network
3) Monitor cybersquatters, repeat-offender domain registrants
4) Proactively block new threat infrastructure
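Steps 1, 2 and 4 above carried through on archived resolver logs, as an added example that is not the talk's or DomainTools' code. The watchlist plays the role of the expanded threat network from the "Oh, Snap" scenario; the log lines, names, addresses and detection time are all constructed, the log format is an assumed simple one rather than any particular resolver's, and the block-list output uses the standard RPZ "CNAME ." rule form.

```python
"""Hunting an expanded threat network in archived DNS query logs.

WATCHLIST is a constructed expansion of the exfiltration domain (seed plus the
domains reached through made-up e-mail and IP pivots); LOG is a constructed
resolver query log in the form "<ISO time> <client> <qtype> <qname>". None of
the names or addresses are real.
"""
from datetime import datetime

WATCHLIST = {
    "exfiltrationdomain.example": "seed",
    "pwnyoudomain.example": "email pivot",
    "lulzdomain.example": "ip pivot",
    "wewinulosedomain.example": "ip pivot",
}

LOG = """\
2016-04-18T09:15:02Z 10.0.0.12 A www.lulzdomain.example
2016-04-18T09:15:03Z 10.0.0.12 A cdn.example
2016-05-02T22:40:11Z 10.0.0.31 TXT pwnyoudomain.example
2016-05-30T14:02:11Z 10.0.0.12 A exfiltrationdomain.example
2016-05-30T14:02:12Z 10.0.0.12 A exfiltrationdomain.example
2016-06-01T03:00:00Z 10.0.0.44 A mail.example
"""
DETECTED_AT = "2016-06-01T12:00:00Z"  # when the IR team first noticed the exfil domain


def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def watched_domain(qname, watchlist):
    """Return the watchlist entry that qname is, or falls under, else None.
    Matching on the label boundary keeps notpwnyoudomain.example out."""
    qname = qname.rstrip(".").lower()
    for domain in watchlist:
        if qname == domain or qname.endswith("." + domain):
            return domain
    return None


def hunt(log_lines, watchlist, detected_at):
    """Looking back: first/last sighting and client set per watched domain, the
    domains never seen (block them anyway), and the dwell estimate: the gap
    between the earliest sighting of *any* expanded domain and detection."""
    sightings = {}
    for line in log_lines:
        if not line.strip():
            continue
        ts, client, _qtype, qname = line.split()
        domain = watched_domain(qname, watchlist)
        if domain is None:
            continue
        when = parse_ts(ts)
        entry = sightings.setdefault(domain, {"first": when, "last": when, "clients": set()})
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["clients"].add(client)
    unseen = sorted(d for d in watchlist if d not in sightings)
    dwell = None
    if sightings:
        dwell = parse_ts(detected_at) - min(e["first"] for e in sightings.values())
    return sightings, unseen, dwell


def rpz_records(watchlist):
    """Looking ahead: RPZ rules that make the resolver return NXDOMAIN for each
    watched domain and everything beneath it."""
    lines = []
    for domain in sorted(watchlist):
        lines.append(f"{domain} CNAME .")
        lines.append(f"*.{domain} CNAME .")
    return lines


if __name__ == "__main__":
    seen, never_seen, dwell = hunt(LOG.splitlines(), WATCHLIST, DETECTED_AT)
    for domain, entry in sorted(seen.items(), key=lambda kv: kv[1]["first"]):
        print(domain, entry["first"].date(), entry["last"].date(), sorted(entry["clients"]))
    print("never seen, block anyway:", never_seen)
    print("dwell estimate:", dwell)
    print("\n".join(rpz_records(WATCHLIST)))
```

The point the log makes is the one on the "Looking Back" slide: the exfiltration domain itself only shows up two days before detection, but an expanded sibling (lulzdomain.example, reached through the IP pivot) was resolved six weeks earlier by the same client, so the dwell estimate is 44 days rather than 2, and the never-seen sibling still goes into the RPZ zone because the actor may use it next.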
Summing Up
• Adversary analysis is worthwhile, especially for attention-getting threat indicators
• Sources of OSINT abound
• Piecemeal lookups are free; at-scale typically is $
• Technique: nexus discovery and expansion
• "Nexus": a data point that connects infrastructure
• "Expansion": the broader set of connected entities, expanded from the original one
• These techniques have application across tenses of time
Wrapping Up
Q&A
Thank you! [email protected]
@timhelming