ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe) · 2017. 12. 1.
TRANSCRIPT
Page 1
© Copyright 2017 Farsight Security, Inc. All Rights Reserved.
ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe)
Analysis and Update on JAR Report
Page 2
INTRODUCTION
KYLE EHMKE, THREATCONNECT
• THREAT INTELLIGENCE RESEARCHER
• RECENTLY WORKING ON RESEARCH INTO RUSSIAN ELECTION ACTIVITY AND TARGETED EFFORTS AGAINST BELLINGCAT, WADA, AND OTHERS.
ERIC ZIEGAST, FARSIGHT SECURITY
• DISTINGUISHED DISTRIBUTED SYSTEMS ENGINEER
• DEVELOPED THE SECURITY INFORMATION EXCHANGE (SIE), REAL-TIME DATA COLLECTION AND DISTRIBUTION INFRASTRUCTURE
• PRESENTS AT SECURITY CONFERENCES ABOUT DDOS, MANAGES SINKHOLES, EVANGELIZES PASSIVE DNS
Page 3
AGENDA
● INTRODUCTION TO PIVOTING WITH PASSIVE DNS & WHOIS
● THREATCONNECT'S INTEGRATION
● USING THE FARSIGHT DNSDB INTEGRATION IN THREATCONNECT TO ENHANCE THE GRIZZLY STEPPE JAR AND MAP OUT AN ADVERSARY'S INFRASTRUCTURE
Page 4
DNS RECURSION / PASSIVE DNS
[Diagram; labels only: Devices & Users, Recursive Server, Cache, Root Servers, Registry Servers, DNS Servers; example resolution www.example.com → 93.184.216.34; Farsight Security sensors observe the recursive server's upstream traffic]
Page 5
DNS DATA WORLDWIDE - OUR SENSOR ARRAY
GLOBAL COVERAGE
DIVERSE SOURCES • Consumer • Government • Education • Enterprise • ISPs & Mobile • Social media
REAL-TIME & HISTORIC • 200k+ Resolutions / sec • 5+ TB / Day • 100+ Billion DNS Resolutions
Page 6
TWO WAYS TO EMPOWER SECURITY OPERATIONS
I. SECURITY INFORMATION EXCHANGE, SIE (REAL-TIME STREAMING)
• Proactively detect and block
• Empower your firewall & mail servers
• 200,000+ observations/second
• Compliant with leading protocols for easy ingestion
II. DNS INTELLIGENCE DATABASE, DNSDB (HISTORIC)
• World's largest historic database of DNS resolution and all records
• Empower your SIEM and threat platform
• Started 2007, rebuilt in 2010, updated in real time, 100+ billion resolutions recorded
• API and on-prem solution
Page 7
THREATCONNECT AND DNSDB: DNS AS A MAP
§ DNS IS USED EVERYWHERE: desktop, mobile, laptops, servers, sites
§ MAP EXISTING INFRASTRUCTURE BASED ON OBSERVATIONS: naturally avoids private information (we avoid knowing who queried what)
§ OBSERVATIONS & FACTS → CONTEXT FOR INVESTIGATIONS → ENHANCE THREAT INTELLIGENCE
§ MISCREANTS NEED DNS FOR THEIR INFRASTRUCTURE, TOO
DNS data can't be faked: a passive DNS observation records what resolvers were actually served, not what anyone claims was served
Page 8
PIVOTING:
UNDERSTANDING PIVOTING WITH PASSIVE DNS AND WHOIS
Page 9
PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS
KNOWN BAD HOSTNAME OR IP ADDRESS
• WHAT OTHER HOSTNAMES WERE AT THE SAME ADDRESS AT THE SAME TIME?
KNOWN BAD DOMAIN
• WHAT OTHER HOSTS ARE IN THE DOMAIN?
• WHAT OTHER DOMAINS ARE SERVED BY THE SAME NAMESERVER?
• WHAT OTHER INFRASTRUCTURE IS HOSTED IN THE SURROUNDING NETWORK BLOCK?
Page 10
PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS
SIMILAR NAMING PATTERNS
• FAST-FLUX BOTNET INFRASTRUCTURE
• UNCOMMON NAMES USED IN MANY DOMAINS
• DOMAIN GENERATION ALGORITHMS
SIMILAR-LOOKING ANSWERS
• SOA RECORDS? TXT RECORDS? SPF RECORDS?
Page 11
PIVOTING PASSIVE DNS: REDUCING FALSE POSITIVES
INDICATOR FOR A HOSTNAME OR IP ADDRESS: before pivoting, ask whether it is a known reverse proxy service, a known sinkhole, a hosting service, a domain parking service, a dynamic DNS service, or widely used CDN infrastructure. Names that share such an address are neighbours by accident, not by association.
Example: "ICE takedown mooo.com" (a 2011 seizure of a free dynamic DNS domain that took tens of thousands of unrelated subdomains offline; an indicator under such a domain says little about its neighbours)
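The pivot questions from slide 9 and the suppression checks from this slide, worked as an added example; this is not code from the deck, from Farsight's DNSDB API or from the ThreatConnect integration. It builds a small in-memory passive DNS store indexed the two ways DNSDB is (by owner name and by answer), answers the co-hosting, same-domain, same-nameserver and same-netblock questions, and gates the co-hosting pivot behind a shared-infrastructure list and a names-per-address density cut-off. Every observation, hostname, nameserver and address is constructed (documentation address ranges, hypothetical *-example names); SHARED_INFRA and MAX_NAMES_PER_IP are assumptions standing in for real CDN, sinkhole, parking and dynamic DNS feeds.

```python
# Added example: not code from the slides, Farsight DNSDB or ThreatConnect.
# All observations below are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class RRset:
    """One passive DNS record (shape borrowed from DNSDB's rrset output)."""
    rrname: str           # owner name, with trailing dot
    rrtype: str           # "A", "NS", ...
    rdata: str            # one answer (simplified: a real rrset carries the whole answer set)
    first_seen: datetime  # first time a sensor saw this name/type/answer
    last_seen: datetime   # most recent time it was seen
    count: int            # number of observations


def ts(day):
    return datetime.strptime(day, "%Y-%m-%d")


# Constructed observations. 203.0.113.10 is the known-bad pivot point; 198.51.100.7
# stands in for a dynamic DNS provider and 198.51.100.8 for a shared-hosting box.
OBSERVATIONS = (
    [
        RRset("c2.bad-example.com.", "A", "203.0.113.10", ts("2016-12-01"), ts("2016-12-20"), 412),
        RRset("update.bad-example.com.", "A", "203.0.113.10", ts("2016-12-05"), ts("2016-12-25"), 88),
        RRset("mail.bad-example.com.", "A", "203.0.113.11", ts("2016-12-01"), ts("2016-12-31"), 30),
        RRset("otherco-example.net.", "A", "203.0.113.10", ts("2015-01-01"), ts("2015-03-01"), 9000),
        RRset("bad-example.com.", "NS", "ns1.boutique-ns-example.net.", ts("2016-11-28"), ts("2016-12-31"), 120),
        RRset("sibling-example.org.", "NS", "ns1.boutique-ns-example.net.", ts("2016-11-30"), ts("2016-12-31"), 75),
    ]
    + [RRset(f"host{i}.ddns-example.net.", "A", "198.51.100.7", ts("2016-12-01"), ts("2016-12-31"), 5)
       for i in range(60)]
    + [RRset(f"tenant{i}.cheap-hosting-example.net.", "A", "198.51.100.8", ts("2016-12-01"), ts("2016-12-31"), 5)
       for i in range(30)]
)


class PassiveDNS:
    """Indexes rrsets by owner name (rrset lookup) and by answer (rdata lookup)."""

    def __init__(self, observations):
        self.by_name = defaultdict(list)
        self.by_rdata = defaultdict(list)
        for r in observations:
            self.by_name[r.rrname.lower()].append(r)
            self.by_rdata[(r.rrtype, r.rdata.lower())].append(r)

    def names_at_ip(self, ip, start=None, end=None):
        """Other hostnames that resolved to the same address. With start/end, only those
        whose observation window overlaps that period: the 'at the same time' condition."""
        hits = self.by_rdata.get(("A", ip), [])
        if start and end:
            hits = [r for r in hits if r.first_seen <= end and r.last_seen >= start]
        return sorted({r.rrname for r in hits})

    def hosts_in_domain(self, domain):
        """Every owner name at or below a known-bad domain (the '*.domain' rrset lookup)."""
        apex = domain.rstrip(".").lower() + "."
        return sorted(n for n in self.by_name if n == apex or n.endswith("." + apex))

    def domains_on_nameserver(self, ns):
        """Other zones delegated to the same (often boutique) nameserver."""
        return sorted({r.rrname for r in self.by_rdata.get(("NS", ns.lower()), [])})

    def names_in_netblock(self, cidr):
        """Everything seen in the surrounding block, grouped by address."""
        net = ipaddress.ip_network(cidr)
        out = defaultdict(set)
        for (rrtype, rdata), rs in self.by_rdata.items():
            if rrtype == "A" and ipaddress.ip_address(rdata) in net:
                out[rdata].update(r.rrname for r in rs)
        ordered = sorted(out.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
        return {ip: sorted(names) for ip, names in ordered}


# Slide 11 checks. Addresses shared by many unrelated tenants make a 'same IP' pivot
# meaningless. A real list comes from CDN/sinkhole/parking/DDNS feeds; this is assumed.
SHARED_INFRA = {"198.51.100.7": "dynamic DNS service"}
MAX_NAMES_PER_IP = 25  # assumed density cut-off; above it, treat the address as shared hosting


def cohosting_pivot(pdns, ip, start, end):
    """Names worth pivoting to from a known-bad IP, or the reason the pivot was suppressed."""
    if ip in SHARED_INFRA:
        return [], "suppressed: " + SHARED_INFRA[ip]
    names = pdns.names_at_ip(ip, start, end)
    if len(names) > MAX_NAMES_PER_IP:
        return [], f"suppressed: {len(names)} names on one address looks like shared hosting"
    return names, "ok"


PDNS = PassiveDNS(OBSERVATIONS)

if __name__ == "__main__":
    window = (ts("2016-12-10"), ts("2016-12-15"))
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.100.8"):
        print(ip, cohosting_pivot(PDNS, ip, *window))
    print(PDNS.hosts_in_domain("bad-example.com"))
    print(PDNS.domains_on_nameserver("ns1.boutique-ns-example.net."))
    print(PDNS.names_in_netblock("203.0.113.0/28"))
```

Note that otherco-example.net shares the address but not the time window, so it drops out of the co-hosting pivot once the window is applied; that time overlap is the difference between "was on this IP once" and "was on this IP while it was bad".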
Page 12
PIVOTING WHOIS: COMMON REGISTRATION FINGERPRINTS
KNOWN BAD DOMAIN: is the registration email used elsewhere? Is the same or a similar registrant name used on other domains? Is the same or similar postal or phone information used on other domains?
It doesn't matter whether the registration is real or faked, only that it is similar. One known bad domain can lead to more. Similar registration information (and hosting patterns) helps confirm that two domains could be managed by the same actor.
Check out https://www.domaintools.com/partners/integrations/threatconnect/
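Linking domains by registration fingerprints, as an added example; this is not the DomainTools/ThreatConnect integration and not code from the deck. Each field is normalised so that "similar" counts (case, punctuation and phone formatting removed, surname extracted from the registrant name), values that a privacy/proxy service stamps on every customer's record are dropped before matching, and domains are clustered when they share at least two fields. All four WHOIS records, people, addresses and domain names are constructed and hypothetical; PROXY_MARKERS and the two-field threshold are assumptions.

```python
# Added example: not code from the slides, DomainTools or ThreatConnect.
# WHOIS records below are constructed (historical-style fields).
import re
from collections import defaultdict
from itertools import combinations

WHOIS = {
    "bad-example.com": {"email": "John.Smith77@mail-example.net", "name": "John Smith",
                        "phone": "+1.5550100123", "street": "12 Nowhere Street"},
    "evil-example.net": {"email": "john.smith77@mail-example.net", "name": "J. Smith",
                         "phone": "+1 (555) 010-0123", "street": "12 Nowhere St"},
    "sibling-example.org": {"email": "contact@privacy-proxy-example.com", "name": "Whois Privacy Protected",
                            "phone": "+1.5550109999", "street": "12 Nowhere St."},
    "benign-example.com": {"email": "hostmaster@benign-example.com", "name": "Benign Corp",
                           "phone": "+44.2079460000", "street": "1 High Road"},
}

# Values a privacy/proxy service puts on every customer's record. Matching on them
# would link thousands of unrelated domains (the WHOIS twin of shared hosting).
PROXY_MARKERS = ("privacy", "proxy", "whoisguard", "redacted")  # assumed list


def fingerprints(rec):
    """Normalised (field, value) keys for one record; similar beats identical."""
    fps = set()
    email = rec["email"].strip().lower()
    if not any(m in email for m in PROXY_MARKERS):
        fps.add(("email", email))
    tokens = re.findall(r"[a-z]+", rec["name"].lower())
    if tokens and not any(m in " ".join(tokens) for m in PROXY_MARKERS):
        fps.add(("surname", tokens[-1]))  # "John Smith" and "J. Smith" agree here
    digits = re.sub(r"\D", "", rec["phone"])  # "+1 (555) 010-0123" -> "15550100123"
    if len(digits) >= 7:
        fps.add(("phone", digits))
    street = re.sub(r"[^\w ]", "", rec["street"].lower())
    street = re.sub(r"\bstreet\b", "st", street)
    fps.add(("street", " ".join(street.split())))
    return fps


def shared_fields(whois):
    """For every pair of domains, the fingerprint fields they have in common."""
    index = defaultdict(set)
    for domain, rec in whois.items():
        for fp in fingerprints(rec):
            index[fp].add(domain)
    shared = defaultdict(set)
    for (field, _value), domains in index.items():
        for a, b in combinations(sorted(domains), 2):
            shared[(a, b)].add(field)
    return shared


def clusters(whois, min_shared=2):
    """Union-find over pairs sharing at least min_shared fields. One shared field is a
    lead to chase; two or more is the 'could be the same actor' signal."""
    parent = {d: d for d in whois}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for (a, b), fields in shared_fields(whois).items():
        if len(fields) >= min_shared:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for d in whois:
        groups[find(d)].append(d)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for pair, fields in sorted(shared_fields(WHOIS).items()):
        print(pair, sorted(fields))
    print(clusters(WHOIS))
```

With the threshold at one shared field the privacy-protected sibling joins the cluster on the street address alone, which is exactly the kind of single-field coincidence the slide's "similar registration information and hosting patterns" wording wants corroborated before it is trusted.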
Page 13
PIVOTING:
PIVOTING EXAMPLES
Page 14
PIVOTING EXAMPLE: REGISTRAR HACK
;;  first seen: 2011-09-04 20:17:34 -0000
;;   last seen: 2011-09-04 21:40:24 -0000
betfair.com. IN NS ns1.yumurtakabugu.com.
betfair.com. IN NS ns2.yumurtakabugu.com.
An NS delegation that lasted about 83 minutes and points at nameservers unrelated to the zone's owner. Pivoting on those nameservers turns up the other domains hit by the same registrar compromise: acer.com. betfair.com. dell.co.kr. hsbc.co.kr. nationalgeographic.com. ups.com. vodafone.com. ...more...
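Parsing the "first seen / last seen" text layout shown above and flagging the short-lived delegation automatically, as an added example (not Farsight's dnsdb_query client and not code from the deck). Only the betfair.com rrset with the yumurtakabugu nameservers is the slide's; the long-lived baseline rrset with ns1/ns2.legit-dns-example.net and the timestamps on the ups.com rrset are constructed (the slide lists ups.com among the affected domains but gives no times), and the 24-hour cut-off is an assumption.

```python
# Added example: not Farsight's dnsdb_query tool. Only the second rrset below is from
# the slide; the baseline nameservers and the ups.com times are constructed.
from collections import defaultdict
from datetime import datetime
import re

SAMPLE = """\
;;  first seen: 2010-06-24 13:01:43 -0000
;;   last seen: 2017-01-03 09:17:11 -0000
betfair.com. IN NS ns1.legit-dns-example.net.
betfair.com. IN NS ns2.legit-dns-example.net.

;;  first seen: 2011-09-04 20:17:34 -0000
;;   last seen: 2011-09-04 21:40:24 -0000
betfair.com. IN NS ns1.yumurtakabugu.com.
betfair.com. IN NS ns2.yumurtakabugu.com.

;;  first seen: 2011-09-04 20:20:01 -0000
;;   last seen: 2011-09-04 21:35:48 -0000
ups.com. IN NS ns1.yumurtakabugu.com.
ups.com. IN NS ns2.yumurtakabugu.com.
"""

SEEN_RE = re.compile(r"^;;\s*(first|last) seen:\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


def parse_dnsdb_text(text):
    """One dict per blank-line-separated rrset: owner, type, sorted answers, first/last seen."""
    rrsets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        seen, records = {}, []
        for line in block.splitlines():
            m = SEEN_RE.match(line)
            if m:
                seen[m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            else:
                rrname, _class, rrtype, rdata = line.split()
                records.append((rrname, rrtype, rdata))
        rrsets.append({"rrname": records[0][0], "rrtype": records[0][1],
                       "rdata": tuple(sorted(r[2] for r in records)),
                       "first_seen": seen["first"], "last_seen": seen["last"]})
    return rrsets


def suspicious_delegations(rrsets, max_minutes=24 * 60):
    """NS rrsets that differ from the zone's longest-lived delegation and were only seen
    briefly. A real owner change persists; an 80-minute detour to unrelated nameservers
    does not. max_minutes is an assumed cut-off."""
    by_zone = defaultdict(list)
    for r in rrsets:
        if r["rrtype"] == "NS":
            by_zone[r["rrname"]].append(r)
    findings = []
    for zone, candidates in by_zone.items():
        baseline = max(candidates, key=lambda r: r["last_seen"] - r["first_seen"])
        for r in candidates:
            minutes = (r["last_seen"] - r["first_seen"]).total_seconds() / 60
            if r["rdata"] != baseline["rdata"] and minutes <= max_minutes:
                findings.append((zone, r["rdata"], round(minutes, 1)))
    return findings


def zones_delegated_to(rrsets, nameserver):
    """The rdata pivot: every zone ever seen delegated to this nameserver. A zone with no
    baseline of its own in the data (ups.com here) is still caught this way."""
    return sorted({r["rrname"] for r in rrsets
                   if r["rrtype"] == "NS" and nameserver in r["rdata"]})


RRSETS = parse_dnsdb_text(SAMPLE)

if __name__ == "__main__":
    for finding in suspicious_delegations(RRSETS):
        print("short-lived NS change:", finding)
    print("also delegated to ns1.yumurtakabugu.com.:",
          zones_delegated_to(RRSETS, "ns1.yumurtakabugu.com."))
```

The duration check alone only catches betfair.com, because the sample has no long-running delegation for ups.com to compare against; the nameserver pivot is what recovers the second victim, which is the point the slide's list of domains makes.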
Page 15
PIVOTING EXAMPLE: SPAM -> CANADIAN PHARMA DOMAINS
healthtr.com medicacpr.ru medicannk.com mediccker.ru mediccklr.ru medicehok.com medicelcr.ru medicellk.com medicemur.ru medicheek.com medichmar.ru ... medicostb.com, all HOSTED ON THE SAME IPS
Page 16
PIVOTING EXAMPLE: ZEUS DOMAINS
Seed: xsnnsynlsnfhklun.com
Domains resolving to the same IP: xqoyjkmnrhqmxpty.net outqrpskulndkxne.info xsnnsynlsnfhklun.com aonqrnernvqret.net gkoijyqmyjklqpv.info llnepksnvvqlzzrs.info krirfqkmckkssgol.biz www.jfjpdsqirhsypqnn.org jfjpdsqirhsypqnn.org vroxnpojiomtenlq.biz uitppyflfsnkpxid.info jwdwlqqqqiwhxkt.com ryqqfjhctkptirn.biz pcrslsynooqorrwj.biz rjtsnpveowswsglp.com cqojeuyikosljoqw.biz ttfhvhmusnkkov.net
Page 17
PIVOTING EXAMPLE: SEARCH “Z-BOT FAST-FLUX”
lindabstewart.com (from ZeuS Tracker)
arexan.at astro-travels.net boombom.at complianceanyone.ru csh0p.cc cyajon.at
dumpstreet.vc gmumwmiwoqegwiwo.org jvcc.su lictheshallunitedenteit.ru magasoldator.ru
missionsthhartmanencopa.com monpasevashumamin.cm mrbin.cc myprivatepicts.com popeyeds.cc
robinson98.com royaldumps.tw ruise.ru sdn-comm.at termlawfulfeessoft.ru try2swipe.me try2swipe.ws
unclesam.ws uoeeukyackaagagg.org uvvv.ru verifyandmeet.com vvservop.at ycorporation.ru
anymansjentnrwe.net bigbropos.top ekrosha.com kqwenhanebnbama.net. kronashjeeeaqqforny.com
lkdmsmnfjznfreqas.com mcduck.org naheqbhbzgbnqbza.net njandhasdnppp.com
immortald.ru. marcusd.ru oqwnqwnfauwneebd.net paysell.bz prvtzone.ws ronymanyantiynewww.net
try2swipe.ws verified.vc wjenqianywenet.net
Combinations of IP hosting patterns, expanding into subnets, nameservers, and other information. Fast-flux infrastructure has been resilient through multiple takedowns (2015, 2016, 2017 / today).
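Two cheap lexical checks for the "similar naming patterns" on slides 15 to 17, as an added example that is not part of the deck or of either vendor's tooling. dga_like() scores the random-looking Zeus names from slide 16 on vowel ratio and consonant runs; prefix_groups() finds the shared "medic" stem in the pharma spam names from slide 15. The fast-flux names from slide 17 are included deliberately: they are pronounceable and pass both checks, which is why that slide relies on hosting patterns, subnets and nameservers rather than on how the names look. The Zeus, pharma and fast-flux labels are copied from the slides; the benign control names, the thresholds and the five-character stem length are the editor's assumptions.

```python
# Added example: not code from the slides or either vendor. Labels in the first three
# lists come from the slides (TLDs dropped); BENIGN_LABELS and all thresholds are assumed.
from collections import Counter, defaultdict
import math

VOWELS = set("aeiou")

ZEUS_LABELS = ["xsnnsynlsnfhklun", "xqoyjkmnrhqmxpty", "outqrpskulndkxne", "aonqrnernvqret",
               "gkoijyqmyjklqpv", "jwdwlqqqqiwhxkt", "rjtsnpveowswsglp", "krirfqkmckkssgol"]
PHARMA_LABELS = ["healthtr", "medicacpr", "medicannk", "mediccker", "mediccklr", "medicehok",
                 "medicelcr", "medicellk", "medicemur", "medicheek", "medichmar", "medicostb"]
FASTFLUX_LABELS = ["lindabstewart", "complianceanyone", "termlawfulfeessoft",
                   "myprivatepicts", "verifyandmeet"]
BENIGN_LABELS = ["threatconnect", "farsightsecurity", "nationalgeographic"]  # constructed controls


def features(label):
    """Lexical features: share of vowels, longest consonant run, character entropy."""
    label = label.lower()
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    longest = run = 0
    for c in label:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    counts = Counter(label)
    entropy = -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())
    return {"length": len(label), "vowel_ratio": round(vowel_ratio, 2),
            "max_consonant_run": longest, "entropy": round(entropy, 2)}


def dga_like(label):
    """Assumed thresholds: a long label that is almost vowel-free, or carries five or
    more consonants in a row, is unpronounceable in the way DGA output tends to be."""
    f = features(label)
    return f["length"] >= 12 and (f["vowel_ratio"] < 0.25 or f["max_consonant_run"] >= 5)


def prefix_groups(labels, k=5, min_size=3):
    """Group labels by their first k characters and report stems reused across many domains
    (the 'uncommon names used in many domains' pattern)."""
    groups = defaultdict(list)
    for label in labels:
        groups[label.lower()[:k]].append(label)
    return {stem: sorted(members) for stem, members in groups.items() if len(members) >= min_size}


def report(labels):
    """Label -> (dga_like verdict, features) for every name in the list."""
    return {label: (dga_like(label), features(label)) for label in labels}


if __name__ == "__main__":
    for group, labels in (("zeus", ZEUS_LABELS), ("fast-flux", FASTFLUX_LABELS), ("benign", BENIGN_LABELS)):
        for label, (verdict, f) in report(labels).items():
            print(f"{group:9} {label:20} dga_like={verdict!s:5} {f}")
    print(prefix_groups(PHARMA_LABELS))
```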
Page 18
HOW FARSIGHT DATA IS USED
FARSIGHT SECURITY
• THREAT PLATFORMS
• FIREWALLS
• MAIL SERVERS
• ORCHESTRATION / AUTOMATION
• BULK QUERIES
• MACHINE LEARNING
• SIEMS
Page 19
USING FARSIGHT DNSDB INTEGRATION IN THREATCONNECT
Page 20
USING FARSIGHT DNSDB INTEGRATION IN THREATCONNECT (continued)
Page 21
THE GRIZZLY STEPPE JAR
Page 22
GRIZZLY STEPPE JAR - WHAT IS IT?
Joint Analysis Report
• December 29, 2016
• Information from several agencies
• Contained general information on hacking and 911 IOCs for several RU threats and malware
• Recommended mitigations
• "Threats from IOCs"
Strengths
• Lots of IOCs
• Responsive
• Variety of threats
Weaknesses
• Lots of IOCs
• No context
• Lots of TOR
• Not really threat intelligence
Page 23
GRIZZLY STEPPE JAR – INDICATORS?
Page 24
GRIZZLY STEPPE JAR – INDICATORS? (continued)
Page 25
GRIZZLY STEPPE JAR – INDICATORS? (continued)
Page 26
GRIZZLY STEPPE JAR - RECEPTION? NOT GOOD
Page 27
WHEN USG GIVES YOU LEMONS
Don't despair or discount
• Find threads you can pull on
• Work backwards to find the intelligence applicable to the indicators
• When possible, attribute indicators to an actor
• Enrich the indicators and pivot from them to find as much as you can
• Continue tracking
Our Process
• Use ThreatConnect to find out what's already known about the indicators and what they're associated with
• Use the Farsight and WHOIS integrations to identify registration and hosting consistencies with known tactics
• Use passive DNS to identify domain co-locations
• Monitor IPs, registrant email addresses, and boutique nameservers
Page 28
USING THREATCONNECT ANALYZE
Page 29
USING THREATCONNECT ANALYZE (continued)
Page 30
A PATTERN?!?
Page 31
FINDING THE THREAD TO PULL
Focusing Research
• Can't make an analytic leap
• Reviewed those 80 IPs ✓ Categories:
  - IPs already associated with FANCY BEAR
  - IPs that hosted domains already associated with FANCY BEAR
  - IPs that hosted domains with registration consistencies to previous FANCY BEAR domains
  - New indicators we identified from pivoting off of fresh information
Page 32
FANCY BEAR - THEY HAVEN'T STOPPED, SO WHY SHOULD WE?
ClintonCampaign
• ShortenedURLs
DNC
• misdepatrment[.]com
DCCC
• actblues[.]com
WADA/CAS
• wada-awa[.]org
• wada-arna[.]org
• tas-cass[.]org
Mouthpieces
• Guccifer 2.0
• DCLeaks
• Anpoland
• FancyBearsHackTeam
Pages 33 to 38 (screenshots, no slide text)
Page 39
FINDINGS
Associations to Fancy Bear
• 43 of first 80 IPs
Additional Indicators
• 68 domains
• 17 IP addresses
Applying Intelligence
• No context > associations > additional intel
Page 40
MONITORING NAMESERVERS AND TACTICS
• FANCY BEAR
New nameservers
• Nemohosts[.]com
• Bacloud[.]com
• Njal[.]la
Additional Tactics
• Registration tactics
Infrastructure Necessitates Interaction
• Procurement
• Expenses
Page 41
CONCLUSION
• FANCY BEAR
Gain additional insight
• Breadth and sophistication of campaign
• Other indicators
Increases threat actors' cost
• The more they have to redo their infrastructure, the better
Sharing enables organizations within and outside of your sector
• Actors use similar infrastructure and tools against a variety of targets
Page 42
Q&A
THANK YOU FOR YOUR ATTENTION.
QUESTIONS?
ThreatConnect.com Farsightsecurity.com
Page 43
ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe)
Analysis and Update on JAR Report