ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe) · 2017. 12. 1.
© Copyright 2017 Farsight Security, Inc. All Rights Reserved.
ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe)
Analysis and Update on JAR Report
INTRODUCTION
Kyle Ehmke, ThreatConnect
• Threat intelligence researcher
• Recently working on research into Russian election activity and targeted efforts against Bellingcat, WADA, and others.
Eric Ziegast, Farsight Security
• Distinguished Distributed Systems Engineer
• Developed the Security Information Exchange (SIE) – real-time data collection and distribution infrastructure
• Presents at security conferences about DDoS, manages sinkholes, evangelizes passive DNS
AGENDA
● Introduction to pivoting with passive DNS & WHOIS
● ThreatConnect's integration
● Using the Farsight DNSDB integration in ThreatConnect to enhance the Grizzly Steppe JAR and map out an adversary's infrastructure
DNS RECURSION / PASSIVE DNS
[Diagram: DNS recursion. Components shown: Devices & Users; Recursive Server with Cache; Root Servers; Registry Servers; DNS Servers answering for www.example.com (93.184.216.34); Farsight Security passive DNS collection]
DNS DATA WORLDWIDE - OUR SENSOR ARRAY
Global coverage
Diverse sources
• Consumer
• Government
• Education
• Enterprise
• ISPs & mobile
• Social media
Real-time & historic
• 200k+ resolutions / sec
• 5+ TB / day
• 100+ billion DNS resolutions
TWO WAYS TO EMPOWER SECURITY OPERATIONS
I. SECURITY INFORMATION EXCHANGE – SIE (real-time streaming)
• Proactively detect and block
• Empower your firewall & mail servers
• 200,000+ observations/second
• Compliant with leading protocols for easy ingestion
II. DNS INTELLIGENCE DATABASE – DNSDB (historic)
• World's largest historic database of DNS resolution and all records
• Empower your SIEM and threat platform
• Started 2007, rebuilt in 2010, updated in real-time, 100+ billion resolutions recorded
• API and on-prem solution
THREATCONNECT AND DNSDB: DNS AS A MAP
§ DNS is used everywhere
  § Desktop, mobile, laptops, servers, sites
§ Map existing infrastructure based on observations
  § Naturally avoid private information (we avoid knowing who queried what)
§ Observations & facts → context for investigations → enhance threat intelligence
§ Miscreants need DNS for their infrastructure, too
DNS data can't be faked
PIVOTING:
UNDERSTANDING PIVOTING WITH PASSIVE DNS AND WHOIS
PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS
KNOWN BAD HOSTNAME OR IP ADDRESS
WHAT OTHER HOST NAMES AT THE SAME ADDRESS AT THE SAME TIME?
KNOWN BAD DOMAIN
WHAT OTHER HOSTS ARE IN THE DOMAIN?
WHAT OTHER DOMAINS ARE SERVED BY THE SAME NAMESERVER?
WHAT OTHER INFRASTRUCTURE IS HOSTED IN THE SURROUNDING NETWORK BLOCK?
PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS
SIMILAR NAMING PATTERNS
FAST-FLUX BOTNET INFRASTRUCTURE
UNCOMMON NAMES USED IN MANY DOMAINS
DOMAIN GENERATION ALGORITHMS
SIMILAR LOOKING ANSWERS: SOA RECORDS? TXT RECORDS? SPF RECORDS?
PIVOTING PASSIVE DNS: REDUCING FALSE POSITIVES
INDICATOR FOR A HOSTNAME OR IP ADDRESS
KNOWN REVERSE PROXY SERVICE?
KNOWN SINKHOLE?
HOSTING SERVICE?
DOMAIN PARKING SERVICE?
DYNAMIC DNS SERVICE?
WIDELY USED CDN INFRASTRUCTURE?
Example: “ICE takedown mooo.com”
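The three passive DNS pivots from the previous slides (same address at the same time, other hosts in the domain, same nameserver) together with the false-positive filter above, as an added example that is not part of the original deck and not Farsight or ThreatConnect code. The observations, the hostnames and the allowlists of shared infrastructure are constructed for the example (RFC 5737 addresses, `.example` names); a real run would fill `SAMPLE` from DNSDB rrset and rdata lookups.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class PdnsRecord:
    """One passive DNS observation: an rrset and the window in which it was seen."""
    rrname: str          # owner name with trailing dot, e.g. "c2.example."
    rrtype: str          # "A" or "NS" in this example
    rdata: str           # IP address or nameserver hostname
    first_seen: datetime
    last_seen: datetime


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


# Constructed sample observations (hypothetical names, not real DNSDB data).
SAMPLE = [
    PdnsRecord("c2.example.", "A", "203.0.113.10", ts("2017-01-05"), ts("2017-03-01")),
    PdnsRecord("mail.c2.example.", "A", "203.0.113.11", ts("2017-01-05"), ts("2017-03-01")),
    PdnsRecord("update-check.example.", "A", "203.0.113.10", ts("2017-02-01"), ts("2017-02-20")),  # overlaps c2
    PdnsRecord("old-site.example.", "A", "203.0.113.10", ts("2015-06-01"), ts("2015-12-31")),      # years earlier
    PdnsRecord("cdn-customer.example.", "A", "198.51.100.5", ts("2017-01-01"), ts("2017-03-01")),
    PdnsRecord("c2.example.", "NS", "ns1.boutique-ns.example.", ts("2017-01-01"), ts("2017-03-01")),
    PdnsRecord("second-c2.example.", "NS", "ns1.boutique-ns.example.", ts("2017-01-10"), ts("2017-03-01")),
    PdnsRecord("benign.example.", "NS", "ns1.bigregistrar.example.", ts("2016-01-01"), ts("2017-03-01")),
    PdnsRecord("shop.example.", "NS", "ns1.bigregistrar.example.", ts("2016-01-01"), ts("2017-03-01")),
]

# Constructed allowlists: shared infrastructure where co-location proves nothing.
SHARED_IPS = {"198.51.100.5"}               # e.g. a CDN, reverse proxy or sinkhole address
SHARED_NS = {"ns1.bigregistrar.example."}   # e.g. registrar or parking default nameservers


def cohosted(records, ip, start, end, shared_ips=SHARED_IPS):
    """Hostnames that resolved to `ip` during a window overlapping [start, end].

    Returns nothing for shared infrastructure: thousands of unrelated names sit there,
    so a co-hosting pivot on such an address would only produce false positives."""
    if ip in shared_ips:
        return set()
    return {r.rrname for r in records
            if r.rrtype == "A" and r.rdata == ip
            and r.first_seen <= end and r.last_seen >= start}


def hosts_in_domain(records, zone):
    """Owner names observed below `zone` (what other hosts are in the domain?)."""
    suffix = "." + zone
    return {r.rrname for r in records if r.rrname.endswith(suffix)}


def same_nameserver(records, domain, shared_ns=SHARED_NS):
    """Other domains served by the nameserver(s) of `domain`, ignoring nameservers
    that huge numbers of unrelated domains share."""
    ns = {r.rdata for r in records if r.rrtype == "NS" and r.rrname == domain} - shared_ns
    return {r.rrname for r in records
            if r.rrtype == "NS" and r.rdata in ns and r.rrname != domain}
```

The time window matters as much as the address: `old-site.example.` sat on the same IP two years earlier and is not returned for a 2017 query, which is the "at the same time" part of the pivot.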
PIVOTING WHOIS: COMMON REGISTRATION FINGERPRINTS
KNOWN BAD DOMAIN REGISTRATION EMAIL USED ELSEWHERE?
SAME OR SIMILAR REGISTRATION NAME USED ON OTHER DOMAINS?
SAME OR SIMILAR POSTAL OR PHONE INFORMATION USED ON OTHER DOMAINS?
Doesn't matter if the registration is real or faked – just similar. One known bad domain could lead to more. Similar registration information (and hosting patterns) helps confirm that two domains could be managed by the same actor.
Check out https://www.domaintools.com/partners/integrations/threatconnect/
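The registration-fingerprint pivot described on this slide, as an added example (not part of the original deck, and not DomainTools or ThreatConnect code). The WHOIS records, the domain names and the privacy-proxy contact are constructed; the 0.6 name-similarity threshold and the use of `difflib` for "similar" names are assumptions of the example.

```python
import re
from difflib import SequenceMatcher

# Constructed WHOIS records for hypothetical domains (not real registrations).
WHOIS = {
    "known-bad.example":   {"email": "Registrant.One@mail.example",   "name": "John Q. Public",      "phone": "+1.5550100200"},
    "candidate-a.example": {"email": "registrant.one@mail.example",   "name": "J. Public",           "phone": "+1 (555) 010-0200"},
    "candidate-b.example": {"email": "someone.else@mail.example",     "name": "Jane Roe",            "phone": "+44.2079460000"},
    "candidate-c.example": {"email": "proxy@privacy-service.example", "name": "Privacy Service Ltd", "phone": "+1.5550000000"},
    "candidate-d.example": {"email": "proxy@privacy-service.example", "name": "Privacy Service Ltd", "phone": "+1.5550000000"},
}

# Constructed: contacts of a WHOIS privacy/proxy service. Two domains sharing
# these say nothing about who runs them, so they never count as a fingerprint.
PRIVACY_EMAILS = {"proxy@privacy-service.example"}


def norm_email(e):
    return e.strip().lower()


def norm_phone(p):
    return re.sub(r"\D", "", p)           # digits only: "+1 (555) 010-0200" -> "15550100200"


def norm_name(n):
    return re.sub(r"[^a-z ]", "", n.lower()).strip()


def name_similarity(a, b):
    """0.0 .. 1.0; catches abbreviated or slightly altered names, not just exact repeats."""
    return SequenceMatcher(None, norm_name(a), norm_name(b)).ratio()


def fingerprint_matches(seed_domain, records=WHOIS, privacy=PRIVACY_EMAILS, name_threshold=0.6):
    """Domains whose registration fields repeat or resemble the seed's.

    Returns {domain: [matched fields]}. A match is a lead to confirm against hosting
    patterns, not proof of common ownership."""
    seed = records[seed_domain]
    if norm_email(seed["email"]) in privacy:
        return {}                         # a proxy-protected seed carries no fingerprint
    out = {}
    for dom, rec in records.items():
        if dom == seed_domain or norm_email(rec["email"]) in privacy:
            continue
        fields = []
        if norm_email(rec["email"]) == norm_email(seed["email"]):
            fields.append("email")
        if name_similarity(rec["name"], seed["name"]) >= name_threshold:
            fields.append("name")
        if norm_phone(rec["phone"]) == norm_phone(seed["phone"]):
            fields.append("phone")
        if fields:
            out[dom] = fields
    return out
```

Normalising before comparing is what makes faked-but-consistent data useful: the case of the e-mail address and the punctuation of the phone number differ between the two matching records, while the privacy-proxy records, which would otherwise "match" each other on every field, are dropped before comparison.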
PIVOTING:
PIVOTING EXAMPLES
PIVOTING EXAMPLE: REGISTRAR HACK
;; first seen: 2011-09-04 20:17:34 -0000
;; last seen: 2011-09-04 21:40:24 -0000
betfair.com. IN NS ns1.yumurtakabugu.com.
betfair.com. IN NS ns2.yumurtakabugu.com.
acer.com. betfair.com. dell.co.kr. hsbc.co.kr. nationalgeographic.com. ups.com. vodafone.com. ...more...
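A parser for the DNSDB presentation format shown above (`;; first seen` / `;; last seen` comment lines followed by `owner IN TYPE rdata` lines), plus the check a defender would run over it: a short-lived NS rrset pointing at nameservers the domain has never used, which is how a hijacked registrar account shows up in passive DNS. This is an added example, not code from the deck or from Farsight; the sample output is constructed around hypothetical `.example` names, and `naive_registrable` (last two labels, no Public Suffix List) and the one-day window are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rrset:
    rrname: str
    rrtype: str
    rdata: tuple          # every answer of the rrset, in the order printed
    first_seen: datetime
    last_seen: datetime


# Constructed sample in the format of the slide above (not real DNSDB output).
SAMPLE_OUTPUT = """\
;; first seen: 2016-03-01 10:00:00 -0000
;; last seen: 2017-11-30 09:00:00 -0000
victim.example. IN NS ns1.victim-dns.example.
victim.example. IN NS ns2.victim-dns.example.

;; count: 4
;; first seen: 2017-06-04 20:17:34 -0000
;; last seen: 2017-06-04 21:40:24 -0000
victim.example. IN NS ns1.rogue.example.
victim.example. IN NS ns2.rogue.example.

;; first seen: 2017-06-04 20:30:00 -0000
;; last seen: 2017-06-04 21:30:00 -0000
victim.example. IN A 192.0.2.7
"""


def parse_ts(s):
    # DNSDB prints timestamps as "YYYY-MM-DD HH:MM:SS -0000"
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %z")


def parse_dnsdb_text(text):
    """Group record lines into rrsets using the ';;' comment headers that precede them."""
    rrsets, rows, first, last = [], [], None, None
    for line in text.splitlines() + [";; end"]:     # sentinel flushes the final rrset
        line = line.strip()
        if not line:
            continue
        if line.startswith(";;"):
            if rows:                                 # a new header closes the previous rrset
                name, rtype, _ = rows[0]
                rrsets.append(Rrset(name, rtype, tuple(r for _, _, r in rows), first, last))
                rows = []
            if line.startswith(";; first seen:"):
                first = parse_ts(line.split(":", 1)[1].strip())
            elif line.startswith(";; last seen:"):
                last = parse_ts(line.split(":", 1)[1].strip())
            continue                                 # other ';;' lines (count, bailiwick) are ignored
        name, _cls, rtype, rdata = line.split(None, 3)
        rows.append((name, rtype, rdata))
    return rrsets


def naive_registrable(hostname):
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_ns_changes(rrsets, max_window=timedelta(days=1)):
    """Short-lived NS rrsets whose nameserver domains never appear in the owner's
    long-lived NS history. Returns (owner, rdata, window_seconds) per finding."""
    by_owner = defaultdict(list)
    for r in rrsets:
        if r.rrtype == "NS":
            by_owner[r.rrname].append(r)
    flagged = []
    for owner, rs in by_owner.items():
        baseline = {naive_registrable(ns) for r in rs
                    if r.last_seen - r.first_seen > max_window for ns in r.rdata}
        for r in rs:
            window = r.last_seen - r.first_seen
            domains = {naive_registrable(ns) for ns in r.rdata}
            if window <= max_window and baseline and domains.isdisjoint(baseline):
                flagged.append((owner, r.rdata, int(window.total_seconds())))
    return flagged
```

The rogue rrset is visible for 1 hour 22 minutes 50 seconds, the same order of magnitude as the window on the slide; the A record in the same hour is not flagged because only NS delegations are compared against the owner's history.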
PIVOTING EXAMPLE: SPAM -> CANADIAN PHARMA DOMAINS
healthtr.com medicacpr.ru medicannk.com mediccker.ru mediccklr.ru medicehok.com medicelcr.ru medicellk.com medicemur.ru medicheek.com medichmar.ru …etc…
medicostb.com hosted on the same IPs
PIVOTING EXAMPLE: ZEUS DOMAINS
xsnnsynlsnfhklun.com
Same IP:
xqoyjkmnrhqmxpty.net outqrpskulndkxne.info xsnnsynlsnfhklun.com aonqrnernvqret.net gkoijyqmyjklqpv.info llnepksnvvqlzzrs.info krirfqkmckkssgol.biz www.jfjpdsqirhsypqnn.org jfjpdsqirhsypqnn.org vroxnpojiomtenlq.biz uitppyflfsnkpxid.info jwdwlqqqqiwhxkt.com ryqqfjhctkptirn.biz pcrslsynooqorrwj.biz rjtsnpveowswsglp.com cqojeuyikosljoqw.biz ttfhvhmusnkkov.net
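The naming-pattern pivots from the "guilt by association" slide (domain generation algorithms, uncommon names used in many domains), as an added example that is not part of the original deck. The DGA heuristic (long consonant runs or almost no vowels in the second-level label) and the list of "common" hostname labels are assumptions of this example, not a Farsight or ThreatConnect method; the co-hosted Zeus names come from the slide above, the benign comparison names and the hostnames for the shared-label pivot are constructed.

```python
from collections import defaultdict

VOWELS = set("aeiou")
# Constructed: labels so common that sharing them across domains means nothing.
COMMON_LABELS = {"www", "mail", "ns1", "ns2", "ftp", "smtp", "webmail", "cpanel"}

# Co-hosted names from the slide above, and constructed benign names for comparison.
ZEUS_COHOSTED = ["xsnnsynlsnfhklun.com", "xqoyjkmnrhqmxpty.net", "outqrpskulndkxne.info",
                 "aonqrnernvqret.net", "krirfqkmckkssgol.biz", "ttfhvhmusnkkov.net"]
BENIGN = ["nationalgeographic.com", "threatconnect.com", "medicostb.com", "lindabstewart.com"]


def features(label):
    """Cheap lexical features of one DNS label."""
    letters = [c for c in label.lower() if c.isalpha()]
    vowels = sum(1 for c in letters if c in VOWELS)
    run = best = 0
    for c in label.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0                      # vowels, digits and hyphens break a consonant run
    return {"length": len(label),
            "vowel_ratio": vowels / max(len(letters), 1),
            "max_consonant_run": best}


def is_dga_like(label):
    """Heuristic (an assumption of this example): generated names rarely respect the
    consonant/vowel alternation of words chosen by a person."""
    f = features(label)
    return f["max_consonant_run"] >= 5 or (f["length"] >= 10 and f["vowel_ratio"] < 0.2)


def dga_like_fraction(domains):
    """Share of domains whose second-level label looks generated; a high value for a
    set of co-hosted names is a reason to treat the whole cluster as one campaign."""
    labels = [d.rstrip(".").split(".")[-2] for d in domains]
    return sum(is_dga_like(l) for l in labels) / len(labels)


def shared_uncommon_labels(hostnames, min_domains=2, common=COMMON_LABELS):
    """Leftmost labels that recur across several registrable domains, ignoring the
    generic ones. Returns {label: {domains}} for labels seen in >= min_domains domains."""
    by_label = defaultdict(set)
    for h in hostnames:
        parts = h.rstrip(".").split(".")
        if len(parts) < 3:
            continue                     # bare domain, no hostname label to compare
        label, domain = parts[0], ".".join(parts[-2:])
        if label not in common:
            by_label[label].add(domain)
    return {l: d for l, d in by_label.items() if len(d) >= min_domains}


# Constructed hostnames (hypothetical .example domains) for the shared-label pivot.
HOSTNAMES = ["secure-login7.alpha.example", "secure-login7.beta.example", "www.alpha.example",
             "www.gamma.example", "secure-login7.gamma.example", "mail.beta.example",
             "staging.alpha.example"]
```

Both pivots are lead generators, not verdicts: a generated-looking label is only interesting once hosting or registration data ties it to the seed, and a label recurring across three domains matters because it is `secure-login7`, not `www`.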
PIVOTING EXAMPLE: SEARCH “Z-BOT FAST-FLUX”
lindabstewart.com (← zeus-tracker)
arexan.at astro-travels.net boombom.at complianceanyone.ru csh0p.cc cyajon.at
dumpstreet.vc gmumwmiwoqegwiwo.org jvcc.su lictheshallunitedenteit.ru magasoldator.ru
missionsthhartmanencopa.com monpasevashumamin.cm mrbin.cc myprivatepicts.com popeyeds.cc
robinson98.com royaldumps.tw ruise.ru sdn-comm.at termlawfulfeessoft.ru try2swipe.me try2swipe.ws
unclesam.ws uoeeukyackaagagg.org uvvv.ru verifyandmeet.com vvservop.at ycorporation.ru
anymansjentnrwe.net bigbropos.top ekrosha.com kqwenhanebnbama.net. kronashjeeeaqqforny.com
lkdmsmnfjznfreqas.com mcduck.org naheqbhbzgbnqbza.net njandhasdnppp.com
immortald.ru. marcusd.ru oqwnqwnfauwneebd.net paysell.bz prvtzone.ws ronymanyantiynewww.net
try2swipe.ws verified.vc wjenqianywenet.net
Combinations of IP hosting patterns, expanding into subnets, nameservers, and other information. Fast-flux infrastructure has been resilient through multiple takedowns.
2015
2016
2017 / today
HOW FARSIGHT DATA IS USED
FARSIGHT SECURITY
THREAT PLATFORMS
FIREWALLS
MAIL SERVERS
ORCHESTRATION / AUTOMATION
BULK QUERIES
MACHINE LEARNING
SIEMS
USING FARSIGHT DNSDB INTEGRATION IN THREATCONNECT
THE GRIZZLY STEPPE JAR
GRIZZLY STEPPE JAR - WHAT IS IT?
Joint Analysis Report
• December 29, 2016
• Information from several agencies
• Contained general information on hacking and 911 IOCs for several RU threats and malware
• Recommended mitigations
• "Threats from IOCs"
Strengths
• Lots of IOCs
• Responsive
• Variety of threats
Weaknesses
• Lots of IOCs
• No context
• Lots of TOR
• Not really threat intelligence
GRIZZLY STEPPE JAR – INDICATORS?
GRIZZLY STEPPE JAR - RECEPTION? NOT GOOD
USING USG GIVES YOU LEMONS
Don't despair or discount
• Find threads you can pull on
• Work backwards to find the intelligence applicable to the indicators
• When possible attribute indicators to an actor
• Enrich the indicators and pivot from them to find as much as you can
• Continue tracking
Our Process
• Use ThreatConnect to find out what's already known about indicators and what they're associated with
• Use Farsight and WHOIS integrations to identify registration and hosting consistencies to known tactics
• Use passive DNS to identify domain co-locations
• Monitor IPs, registrant email addresses, and boutique nameservers
USING THREATCONNECT ANALYZE
A PATTERN?!??!?!
FINDING THE THREAD TO PULL
Focusing Research
• Can't make an analytic leap
• Reviewed those 80 IPs
✓ Categories
- IPs already associated with FANCY BEAR
- IPs that hosted domains already associated with FANCY BEAR
- IPs that hosted domains with registration consistencies to previous FANCY BEAR domains
- New indicators we identified from pivoting off of fresh information
FANCY BEAR - THEY HAVEN'T STOPPED, SO WHY SHOULD WE?
Clinton Campaign
• ShortenedURLs
DNC
• misdepatrment[.]com
DCCC
• actblues[.]com
WADA/CAS
• wada-awa[.]org
• wada-arna[.]org
• tas-cass[.]org
Mouthpieces
• Guccifer 2.0
• DCLeaks
• Anpoland
• FancyBearsHackTeam32
FINDINGS
Associations to Fancy Bear
• 43 of first 80 IPs
Additional Indicators
• 68 domains
• 17 IP addresses
Applying Intelligence
• No context > associations > additional intel
MONITORING NAMESERVERS AND TACTICS
• FANCY BEAR
New nameservers
• Nemohosts[.]com
• Bacloud[.]com
• Njal[.]la
Additional Tactics
• Registration tactics
Infrastructure necessitates interaction
• Procurement
• Expenses
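The "continue tracking" step of the process described earlier (monitor IPs, registrant email addresses and boutique nameservers, then pivot from new hits), as an added example that is not part of the original deck and not ThreatConnect or Farsight code. The watchlist, the `.example` domains and the event stream are constructed; a real deployment would feed `EVENTS` from DNSDB and WHOIS lookups and push `alerts` into the threat platform.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seen: str        # constructed observation date
    kind: str        # "A" / "NS" from passive DNS, "WHOIS" from registration data
    domain: str
    value: str       # IP address, nameserver hostname, or registrant email


@dataclass
class Watchlist:
    ips: set
    nameservers: set
    registrant_emails: set


# Constructed watchlist seeded from an earlier investigation (hypothetical values).
WATCH = Watchlist(
    ips={"203.0.113.5"},
    nameservers={"ns1.watched-ns.example."},
    registrant_emails={"actor@mail.example"},
)

# Constructed stream of new observations (not real data).
EVENTS = [
    Event("2017-11-01", "NS",    "old-c2.example.",    "ns1.watched-ns.example."),
    Event("2017-11-01", "A",     "old-c2.example.",    "203.0.113.5"),
    Event("2017-11-02", "WHOIS", "fresh.example.",     "Actor@mail.example"),
    Event("2017-11-02", "NS",    "fresh.example.",     "ns1.small-host.example."),
    Event("2017-11-03", "A",     "fresh.example.",     "203.0.113.77"),
    Event("2017-11-03", "A",     "unrelated.example.", "198.51.100.1"),
]


def monitor(events, wl):
    """Alert on any event touching the watchlist, then list the infrastructure the
    matched domains use that the watchlist does not know yet."""
    alerts, hits = [], set()
    for ev in events:
        reason = None
        if ev.kind == "A" and ev.value in wl.ips:
            reason = "watched IP"
        elif ev.kind == "NS" and ev.value in wl.nameservers:
            reason = "watched nameserver"
        elif ev.kind == "WHOIS" and ev.value.lower() in wl.registrant_emails:
            reason = "watched registrant email"
        if reason:
            alerts.append((ev.seen, ev.domain, reason, ev.value))
            hits.add(ev.domain)

    # Expansion candidates: review before adding them to the watchlist, since a hit
    # domain parked on shared hosting would otherwise drag in unrelated traffic.
    candidates = {"ips": set(), "nameservers": set()}
    for ev in events:
        if ev.domain in hits:
            if ev.kind == "A" and ev.value not in wl.ips:
                candidates["ips"].add(ev.value)
            if ev.kind == "NS" and ev.value not in wl.nameservers:
                candidates["nameservers"].add(ev.value)
    return alerts, candidates
```

The registrant e-mail is the thread here: `fresh.example.` shares nothing with the watchlist except its registrant, and that single hit surfaces a new boutique nameserver and a new IP as the next things to track, which is the "associations > additional intel" loop of the findings slide.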
CONCLUSION
• FANCY BEAR
Gain additional insight
• Breadth and sophistication of campaign
• Other indicators
Increases threat actors' cost
• The more they have to redo their infrastructure, the better
Sharing enables organizations within and outside of your sector
• Actors use similar infrastructure and tools against a variety of targets
Q&A
THANK YOU FOR YOUR ATTENTION.
QUESTIONS?
ThreatConnect.com Farsightsecurity.com