Prevalence of Malicious DNS and Proposed Solutions
Christopher Davis and Zachary Hanif
Sunday, March 11, 12
Introduction
Chris Davis
Emerging Threats & University of Toronto Fellow
IPTrust, DefIntel, Damballa...
Mariposa, Conficker, Storm...
Introduction
Zach Hanif
IPTrust, Georgia Tech, GTRI
Mariposa, Zeus, many other APTs
Machine Learning, Big Data (Hadoop, Cassandra...)
Many additional Botnet takedowns and sinkholes
What Are We Doing Now
60-80k malware samples processed daily
5 separate malware analysis systems
Tens of thousands of bad domains per day
Tracking > 20k active Botnets
The Problem
Malware is custom designed to evade detection, stay resident, and display coordinated action
Anti-virus solutions are generally ineffective
“...8 out of 10 pieces of malicious code are going to get in.” -Graham Ingram, AUSCERT
“Every second, 14 adults become the victim of cyber crime.” -Symantec via theregister.co.uk
Scope of the Problem
Majority of banks
Fortune500
Many international government departments
Airlines
Hotel chains
Oil and gas companies
Utilities and infrastructure
High Profile Botnet Compromises
Sony
RSA
Nasdaq
Dalai Lama
Mitsubishi Heavy Industries
UN, International Olympic Committee
Current Response
Anti-virus
IDS/IPS - not designed to detect compromises
Court-ordered domain takedowns - too many bad domains, and other issues.
See “Guidance for preparing domain name orders, seizures, and take downs” - Dave Piscitello (ICANN)
NXD mailing list - good but small scale
Proposed Solution
100% public benefit non-profit - Malicious domain clearing house / registrar
ICANN backed
Emerging Threats sponsored
Community support (ISC, Dagon, Wesson, etc...)
Goals/Mission
Analyze immense amounts of malware to identify malicious domains
Identify, analyze, validate, confirm
Sinkhole C2s & identify victims
Notify victims & provide free remediation assistance
Remove, in a coordinated fashion, malicious domains from registrars
Clearing House Offerings
Daily bad domain feed (zero error)
EPP/RPP bad domain transfers/sinkholing
Bad actor DB with credential and login data for LEO
Peer reviewed analysis
Move the bad traffic off your pipe
Technical Challenges
Identify malicious domains with zero error
C2 / Compromised domain
Bad domain transfer mechanism and fees
Sinkhole robustness and victim identification
Victim notification and remediation
Must maintain victim privacy while being able to work towards resolution
Social Challenges
Registrar/registry buy-in
Simply cannot work without this support
Requires substantial support from the community
Needs ISPs, NGOs, CERTs, etc. for remediation and customer notification
Large industry partners (Google, Microsoft, etc.)
First Steps
Provide a per-registrar feed of C2 domains and evidence of their maliciousness
Support the Snort/Suricata projects through custom rulesets
New TLD monitoring
Easier to prevent an issue than to root it out after the fact
Q&A