Passive-DNS的多元解决方案-Merike-Kaeo-Farsight

MultivariateSolutionstoPassiveDNSChallengesCTOFarsightSecuritymerike@fsi.ioMerikeKaeoAgenda•TypicalPassiveDNSUse•PassiveDNSChallenges•MultivariateSolutions•UnderstandingWHOISandGeolocation•MaliciousCampaignsduringPublicEventsTYPICALPASSIVEDNSUSESHowPassiveDNSNormallyWorks•Startwithaknown/observedbaddatapoint•Domainname•Nameserver•IPaddress/CIDR•ASN•UsePassiveDNStofindotherIPsordomainnamesthatsharethesameresources•Leveragereputationlocalitybutcarefullyreviewwhatyou’vefoundUNIvariateApproaches•Useasinglepointofcommonalityasawaytoidentifyrelateddomains•SAMEexactIP?•SAMEexactnameserver?•SAMEexactdomainnameusedovertime(ifyouareinterestedinthesetofIPsthatanamehasbeenusing)•Eachreliesonasingleattribute,exactlymatchedSimplepDNSWorksWellWhen….•ManyrelateddomainscoexistonasingleIP(orsmallCIDRblock),withnoinnocent3rdpartydomains•Manyrelateddomainsusethesamesetofdedicatednameservers,withnoinnocent3rdpartydomains•ThemalicioususerisapparentlystubbornlyfondofafavoritedomainPASSIVEDNSCHALLENGESWhenSimplepDNSDoesNOTWork•ZEROinterrelateddatapoints–e.g.“lonewolf”domainnames,IPaddresses,nameservers,etc.•Toomanyrelatedresources•Maliciousresourcesarecomingledwithinnocent3rdpartyresourcesLoneWolfScenarioThecybercriminalreusesNOTHINGacrosssites•EveryIPaddressusedtosendSPAMorhostcontentistotallyunrelatedtoanyotherIpsthecriminaluses•Everydomainnameisregisteredusing:•Adiverseassortmentofregistrars,oneortwoatatime•Uniquenameservers(installedandoperatedonuniqueIPs)•Unique/fictitious(orconcealed)POCdetails•Unique(oranonymous)paymentdetailsPoorlyDocumentedResourceAssignments•Example#1:ProviderfailstodocumentIPreassignments/reallocationsinIPWHOISorrWHOIS,andanabuserrepeatedlymoves(orismoved)aroundasinglelargenetworkblock,oramongmultiplesmallerblocks.•Example#2:WHOISPOCdetailsareconcealedbyaWHOISproxy/privacyserviceOvercomingObfuscation•Lookforothercharacteristicsthatmaynotbeobfuscated,orseektostripawayanonymity•Examples•Ifnameserversservicealargenumberofdomains,andthusarenotausefulattributetotrytofollow,lookattheIPaddress(es)thebaddomainishostedon,instead.•Ifadomainisdemonstrablyengagedinphishingorotherclearlyillegalbehavior,someprivacy/proxyprotectionserviceshavetermsofservicewhichallowtheprovidertounilaterallystripprivacyprotections.OvercomingReverseProxies•WithReverseProxies,everythingseemsto“liveonthereverseproxy’sIPaddresses”•Carefullyscrutinizenon-A/non-AAAADNSrecordsthatmaybepresent(e.g.MX,TXT,etc)•Reverseproxyoperatorsarealsopotentiallyaterrifictargetbylawenforcement•EncodedURLs,uniquetoeachspecificrecipient•BecauseeachURLisuniquetoeachrecipient,visitingtheURL(typicallytoinvestigatethesitebeingspamvertised)means:•Confirmingyou'veopenedthemessageandclickedthrough(establishingapotentialargumentthatyou'veopted-in)•Mayresultinyouusing-upaURLcodedforone-time-use(trythesameURLa2ndor3rdtime?Itmaygonowhere)•ForwardingsanitizedspamplesincomplaintsmayyieldURLsthatsimplydon'twork,orwhichworkmisleadingly.•Forwardingrawspamplesincomplaintsoutsyourspamcollectioninfrastructureandmayresultinlistwashing.”PerformanceMarketingURLsMULTIVARIATESOLUTIONSPointsInAnn-DimensionalSpace•Inamultivariateapproachwelookatmorethanonemeasurementatthesametime•Thisallows“interactions”tobeaccountedfor•xbyitself?okay•ybyitself?okay•xandycombinedtogether?DoesNOTwork!•NOTcombiningmultipleattributesintoasinglescore,comparedagainstathreshold(SPamAssassinstyle)•NOTjustsuccessiveapplicationofindependentunivariatefilters,eitherASimpleTwo-DNormalDistribution:Multivariate_normal_sample.svgTheDataWeHave•CurrentlypassiveDNScapturesdataaboutthreemaintypesofDNS-relatedentities:•Names•IPs•NameServers•Noneofthatisbeautifulcontinuousdata•Ifyouattempttovisualizeit,itwillNOTlookliketheprettygraphontheprecedingpageStatisticaloptionsfornominaldataarelimited:youcandocrosstabs,but(a)that'snotverystatisticallysexy,and(b)interpretationbecomeshardasthetablesizeincreasesAugmentingClassispDNS•CombinepassiveDNSdatawithothernon-DNSdatatogo“multivariate”•Non-DNSdatacouldbepre-existingdatasuchasdomainWHOISorIPWHOISdata•CollectnewdatatoaugmentpassiveDNSdataset(whereactivescanningisallowedbylawandbyyournetworktermsofservice)•Forexample,fingerprint/scanhostswithNMAPorasimilarscanningtooltoseewhatpatternsofports(ifany)areopenonarangeofIPaddressesUNDERSTANDINGWHOISandGEOLOCATIONRegisteringaDomainName-WHOIS•Createanewdomainname•Specifythedomainyouwanttoregister•Provide(supposedlyaccurate)pointofcontact(POC)details•DecideifyouwanttohavethosePOCdetails“unlisted”throughuseofaprivacy/proxyregistrationservice•DefinetheauthoritativenameserversthatknowhowtomapyourdomainstotheIPaddress(es)ofyourserver•Payanannualfeetotheregistrar•POCinformationandrelateddetailsaboutmostdomainsgetaddedtoanonlinedatabase-WHOISWHOISandRealWorldIdentities•Cluestoregistrant“realworld”identityinWHOIS•Theirname(butclaimednamemaybebogus,orsomeoneelse’snameusedwithoutauthorization)•Astreetaddress(canbea3rdpartymaildrop,incomplete,fictitious,etc)•Aphonenumber(maybeaprepaid“burner”phone)•Anemailaddre