ThreatConnect and Farsight Researchers Tackle a Grizzly (Steppe)

© Copyright 2017 Farsight Security, Inc. All Rights Reserved.

Analysis and Update on JAR Report


INTRODUCTION

KYLE EHMKE, THREATCONNECT

•  Threat intelligence researcher
•  Recently working on research into Russian election activity and targeted efforts against Bellingcat, WADA, and others.

ERIC ZIEGAST, FARSIGHT SECURITY

•  Distinguished distributed systems engineer
•  Developed the Security Information Exchange (SIE) – real-time data collection and distribution infrastructure
•  Presents at security conferences about DDoS, manages sinkholes, evangelizes passive DNS


AGENDA

●  INTRODUCTION TO PIVOTING WITH PASSIVE DNS & WHOIS

●  THREATCONNECT’S INTEGRATION

●  USING THE FARSIGHT DNSDB INTEGRATION IN THREATCONNECT TO ENHANCE THE GRIZZLY STEPPE JAR AND MAP OUT AN ADVERSARY’S INFRASTRUCTURE


DNS RECURSION / PASSIVE DNS

[Diagram: DNS recursion. Labels: Devices & Users, Recursive Server, Cache, Root Servers, Registry Servers, DNS Servers, Farsight Security; example resolution www.example.com → 93.184.216.34]


DNS DATA WORLDWIDE - OUR SENSOR ARRAY

GLOBAL COVERAGE

DIVERSE SOURCES

•  Consumer
•  Government
•  Education
•  Enterprise
•  ISPs & Mobile
•  Social media

REAL-TIME & HISTORIC

•  200k+ resolutions / sec
•  5+ TB / day
•  100+ billion DNS resolutions


TWO WAYS TO EMPOWER SECURITY OPERATIONS

I. SECURITY INFORMATION EXCHANGE – SIE (REAL-TIME STREAMING)

•  Proactively detect and block
•  Empower your firewall & mail servers
•  200,000+ observations / second
•  Compliant with leading protocols for easy ingestion

II. DNS INTELLIGENCE DATABASE – DNSDB (HISTORIC)

•  World’s largest historic database of DNS resolution and all records
•  Empower your SIEM and threat platform
•  Started 2007, rebuilt in 2010, updated in real time, 100+ billion resolutions recorded
•  API and on-prem solution


THREATCONNECT AND DNSDB: DNS AS A MAP

§  DNS IS USED EVERYWHERE
   §  Desktop, mobile, laptops, servers, sites

§  MAP EXISTING INFRASTRUCTURE BASED ON OBSERVATIONS
   §  Naturally avoid private information (we avoid knowing who queried what)

§  OBSERVATIONS & FACTS → CONTEXT FOR INVESTIGATIONS → ENHANCE THREAT INTELLIGENCE

§  MISCREANTS NEED DNS FOR THEIR INFRASTRUCTURE, TOO

DNS data can’t be faked


PIVOTING:

UNDERSTANDING PIVOTING WITH PASSIVE DNS AND WHOIS


PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS

KNOWN BAD HOSTNAME OR IP ADDRESS

WHAT OTHER HOST NAMES AT THE SAME ADDRESS AT THE SAME TIME?

KNOWN BAD DOMAIN

WHAT OTHER HOSTS ARE IN THE DOMAIN?

WHAT OTHER DOMAINS ARE SERVED BY THE SAME NAMESERVER?

WHAT OTHER INFRASTRUCTURE IS HOSTED IN THE SURROUNDING NETWORK BLOCK?


PIVOTING: GUILT BY ASSOCIATION – PASSIVE DNS

SIMILAR NAMING PATTERNS

FAST-FLUX BOTNET INFRASTRUCTURE

UNCOMMON NAMES USED IN MANY DOMAINS

DOMAIN GENERATION ALGORITHMS

SIMILAR-LOOKING ANSWERS: SOA RECORDS? TXT RECORDS? SPF RECORDS?


PIVOTING PASSIVE DNS: REDUCING FALSE POSITIVES

INDICATOR FOR A HOSTNAME OR IP ADDRESS

KNOWN REVERSE PROXY SERVICE? KNOWN SINKHOLE? HOSTING SERVICE? DOMAIN PARKING SERVICE? DYNAMIC DNS SERVICE? WIDELY USED CDN INFRASTRUCTURE?

Example: “ICE takedown mooo.com”


PIVOTING WHOIS: COMMON REGISTRATION FINGERPRINTS

KNOWN BAD DOMAIN REGISTRATION EMAIL USED ELSEWHERE? SAME OR SIMILAR REGISTRATION NAME USED ON OTHER DOMAINS? SAME OR SIMILAR POSTAL OR PHONE INFORMATION USED ON OTHER DOMAINS?

Doesn’t matter if registration is real or faked – just similar. One known bad domain could lead to more. Similar registration information (and hosting patterns) helps confirm two domains could be managed by same actor.

Check out https://www.domaintools.com/partners/integrations/threatconnect/
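Registration fingerprinting as described on this slide, as an added example that is not part of the original deck or of the DomainTools integration: it normalizes registrant fields, scores each field's similarity, and reports which fields of which domains resemble a seed's, so near-matches (varied spelling, reformatted phone numbers) surface alongside exact ones. The WHOIS records, the .test domain names and the 0.85 threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed WHOIS records with placeholder domains and invented registrants;
# nothing here is taken from the slides.
WHOIS = {
    "seed-bad.test":  {"email": "John.Smith1985@example.net", "name": "John Smith",
                       "phone": "+1.555 010 0123", "street": "12 Example Rd"},
    "sibling-a.test": {"email": "johnsmith1985@example.net", "name": "Jon Smith",
                       "phone": "15550100123", "street": "12 Example Road"},
    "sibling-b.test": {"email": "privacy@registrar-proxy.test", "name": "J. Smith",
                       "phone": "+1.5550100123", "street": "PO Box 1"},
    "unrelated.test": {"email": "ops@other-corp.test", "name": "Other Corp Ltd",
                       "phone": "+44.2079460000", "street": "1 High St"},
}

def normalize(rec):
    """Canonicalise registrant fields: case, punctuation and phone formatting
    differ between registrars and between deliberately varied fake records."""
    clean = lambda s: " ".join(re.sub(r"[^a-z0-9 ]", "", s.lower()).split())
    return {"email": rec["email"].lower().strip(),
            "name": clean(rec["name"]),
            "phone": re.sub(r"\D", "", rec["phone"]),
            "street": clean(rec["street"])}

def _ratio(x, y):
    return SequenceMatcher(None, x, y).ratio() if x and y else 0.0

def field_scores(a, b):
    """Per-field similarity in [0, 1] between two registrant records."""
    a, b = normalize(a), normalize(b)
    return {"email": 1.0 if a["email"] == b["email"]
                     else _ratio(a["email"].split("@")[0], b["email"].split("@")[0]),
            "name": _ratio(a["name"], b["name"]),
            "phone": 1.0 if a["phone"] and a["phone"][-10:] == b["phone"][-10:] else 0.0,
            "street": _ratio(a["street"], b["street"])}

def pivot_whois(seed, whois=WHOIS, threshold=0.85):
    """Domains sharing at least one registration field similar to the seed's, with the
    matching fields and scores so an analyst can confirm (or reject) the link."""
    hits = {}
    for domain, rec in whois.items():
        if domain == seed:
            continue
        matched = {f: round(s, 2) for f, s in field_scores(whois[seed], rec).items()
                   if s >= threshold}
        if matched:
            hits[domain] = matched
    return hits
```

The privacy-proxied record still links through its phone number alone, which is why every matched field is reported rather than a single yes/no.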


PIVOTING:

PIVOTING EXAMPLES


PIVOTING EXAMPLE: REGISTRAR HACK

;; first seen: 2011-09-04 20:17:34 -0000
;; last seen:  2011-09-04 21:40:24 -0000
betfair.com. IN NS ns1.yumurtakabugu.com.
betfair.com. IN NS ns2.yumurtakabugu.com.

acer.com. betfair.com. dell.co.kr. hsbc.co.kr. nationalgeographic.com. ups.com. vodafone.com. ...more...


PIVOTING EXAMPLE: SPAM -> CANADIAN PHARMA DOMAINS

healthtr.com medicacpr.ru medicannk.com mediccker.ru mediccklr.ru medicehok.com medicelcr.ru medicellk.com medicemur.ru medicheek.com medichmar.ru …etc…

medicostb.com HOSTED ON SAME IPS


PIVOTING EXAMPLE: ZEUS DOMAINS

xsnnsynlsnfhklun.com

xqoyjkmnrhqmxpty.net outqrpskulndkxne.info xsnnsynlsnfhklun.com aonqrnernvqret.net gkoijyqmyjklqpv.info llnepksnvvqlzzrs.info krirfqkmckkssgol.biz www.jfjpdsqirhsypqnn.org jfjpdsqirhsypqnn.org vroxnpojiomtenlq.biz uitppyflfsnkpxid.info jwdwlqqqqiwhxkt.com ryqqfjhctkptirn.biz pcrslsynooqorrwj.biz rjtsnpveowswsglp.com cqojeuyikosljoqw.biz ttfhvhmusnkkov.net

same IP
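The guilt-by-association pivots from the pivoting and false-positive slides and the nameserver and same-IP examples above, worked as an added example (it is not Farsight's or ThreatConnect's code): it parses the ";; first seen / last seen" text format shown in the registrar-hack slide, then lists names that shared a nameserver or address with a seed while the seed's record was live, dropping hits under an allow-list of shared zones (dynamic DNS, CDN, parking). The allow-list, the .test names, the 198.51.100.7 co-location and every timestamp except the betfair.com one are constructed; Python 3.8+ is assumed.

```python
import re
from collections import namedtuple
from datetime import datetime

Record = namedtuple("Record", "name rtype rdata first last")
_TS = re.compile(r";; (first|last) seen:\s+(\S+ \S+) -0000")
_RR = re.compile(r"^(\S+)\s+IN\s+(\S+)\s+(\S+)$")
def parse_dnsdb(text):
    """Turn ';; first seen / last seen' text into Record tuples, one per RR line."""
    records, seen = [], {}
    for line in text.splitlines():
        if m := _TS.match(line):
            seen[m[1]] = datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S")
        elif m := _RR.match(line.strip()):
            records.append(Record(m[1].lower(), m[2], m[3].lower(), seen["first"], seen["last"]))
    return records
# Constructed allow-list of shared zones (dynamic DNS like slide 11's mooo.com, CDNs, parking).
SHARED_ZONES = {"mooo.com", "shared-cdn.test"}
def is_shared(name):
    n = name.rstrip(".")
    return any(n == z or n.endswith("." + z) for z in SHARED_ZONES)
def pivot_from(records, seed_name, rtype):
    """For each <rtype> rdata the seed pointed at: other names on it while the seed was live."""
    seed_name, hits = seed_name.lower(), {}
    for s in (r for r in records if r.name == seed_name and r.rtype == rtype):
        for r in records:
            if r.rtype != rtype or r.rdata != s.rdata or r.name == seed_name:
                continue
            if r.last < s.first or r.first > s.last:   # not live at the same time
                continue
            if not is_shared(r.name):                   # shared hosting: likely false positive
                hits.setdefault(s.rdata, set()).add(r.name)
    return {k: sorted(v) for k, v in hits.items()}
# Constructed sample: only the betfair.com NS line mirrors slide 14; the rest is made up.
SAMPLE = """\
;; first seen: 2011-09-04 20:17:34 -0000
;; last seen:  2011-09-04 21:40:24 -0000
betfair.com. IN NS ns1.yumurtakabugu.com.
;; first seen: 2011-09-04 20:30:00 -0000
;; last seen:  2011-09-04 21:10:00 -0000
ups.com. IN NS ns1.yumurtakabugu.com.
;; first seen: 2012-01-01 00:00:00 -0000
;; last seen:  2012-01-02 00:00:00 -0000
late-victim.test. IN NS ns1.yumurtakabugu.com.
;; first seen: 2017-03-01 00:00:00 -0000
;; last seen:  2017-03-20 00:00:00 -0000
medicostb.com. IN A 198.51.100.7
medicheek.com. IN A 198.51.100.7
host.mooo.com. IN A 198.51.100.7
"""
```

`pivot_from(parse_dnsdb(SAMPLE), "betfair.com.", "NS")` keeps ups.com (overlapping window) but not the 2012 delegation, and the A-record pivot from medicostb.com keeps medicheek.com while dropping the dynamic-DNS host.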


PIVOTING EXAMPLE: SEARCH “Z-BOT FAST-FLUX”

lindabstewart.com (← zeus-tracker)


Combinations of IP hosting patterns, expanding into subnets, nameservers, other information. Fast-flux infrastructure has been resilient through multiple takedowns (2015, 2016, 2017 / today).


HOW FARSIGHT DATA IS USED

FARSIGHT SECURITY →

•  Threat platforms
•  Firewalls
•  Mail servers
•  Orchestration / automation
•  Bulk queries
•  Machine learning
•  SIEMs


USING FARSIGHT DNSDB INTEGRATION IN THREATCONNECT


THE GRIZZLY STEPPE JAR


GRIZZLY STEPPE JAR - WHAT IS IT?

Joint Analysis Report

•  December 29, 2016
•  Information from several agencies
•  Contained general information on hacking and 911 IOCs for several RU threats and malware
•  Recommended mitigations
•  “Threats from IOCs”

Strengths

•  Lots of IOCs
•  Responsive
•  Variety of threats

Weaknesses

•  Lots of IOCs
•  No context
•  Lots of TOR
•  Not really threat intelligence


GRIZZLY STEPPE JAR – INDICATORS?


GRIZZLY STEPPE JAR - RECEPTION? NOT GOOD


USING USG GIVES YOU LEMONS

Don’t despair or discount

•  Find threads you can pull on
•  Work backwards to find the intelligence applicable to the indicators
•  When possible attribute indicators to an actor
•  Enrich the indicators and pivot from them to find as much as you can
•  Continue tracking

Our Process

•  Use ThreatConnect to find out what’s already known about indicators and what they’re associated with
•  Use Farsight and WHOIS integrations to identify registration and hosting consistencies to known tactics
•  Use passive DNS to identify domain co-locations
•  Monitor IPs, registrant email addresses, and boutique nameservers


USING THREATCONNECT ANALYZE


A PATTERN?!??!?!


FINDING THE THREAD TO PULL

Focusing Research

•  Can’t make an analytic leap

•  Reviewed those 80 IPs
   ✓  Categories
   -  IPs already associated with FANCY BEAR
   -  IPs that hosted domains already associated with FANCY BEAR
   -  IPs that hosted domains with registration consistencies to previous FANCY BEAR domains
   -  New indicators we identified from pivoting off of fresh information


FANCY BEAR - THEY HAVEN’T STOPPED SO WHY SHOULD WE?

ClintonCampaign

•  ShortenedURLs

DNC

•  misdepatrment[.]com

DCCC

•  actblues[.]com

WADA/CAS

•  wada-awa[.]org

•  wada-arna[.]org

•  tas-cass[.]org

Mouthpieces

•  Guccifer2.0

•  DCLeaks

•  Anpoland

•  FancyBearsHackTeam32


FINDINGS


Associations to Fancy Bear

•  43 of first 80 IPs

Additional Indicators

•  68 domains
•  17 IP addresses

Applying Intelligence

•  No context > associations > additional intel


MONITORING NAMESERVERS AND TACTICS

•  FANCY BEAR

New nameservers

•  Nemohosts[.]com
•  Bacloud[.]com
•  Njal[.]la

Additional Tactics

•  Registration tactics

Infrastructure Necessitates Interaction

•  Procurement
•  Expenses


CONCLUSION

•  FANCY BEAR

Gain additional insight

•  Breadth and sophistication of campaign
•  Other indicators

Increases threat actors’ cost

•  The more they have to redo their infrastructure, the better

Sharing enables organizations within and outside of your sector

•  Actors use similar infrastructure and tools against a variety of targets


Q&A

THANK YOU FOR YOUR ATTENTION.

QUESTIONS?

ThreatConnect.com Farsightsecurity.com
