flocon 2018
play

FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, - PowerPoint PPT Presentation

Mar 26, 2023 •242 likes •364 views

x January 2018 FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer 1 Key M Messages es Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.

  1. x January 2018 FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer 1

  2. Key M Messages es  Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.  Streaming analysis enables near real time detection from multiple algorithms with one packet capture and parsing.  Machine learning algorithms with data in motion are accurate and effective.  More accuracy is achieved with some analysis work, managing block/ignore lists.  COTS commodity hardware is capable of handling respectable volume of traffic ~4Gb/s 2 FMS 1/2018

  3. Two wo M More O Observations  Analysis of DNS activity provides insights into security relevant activity that you may not have anticipated.  Traffic analysis provides indicators not seen anywhere else.  This is Flocon , you all knew that. 3 FMS 1/2018

  4. Threat Analytics Platform 1.5 2 2 Remediation 5 8 17 20 coordination 2842 Reporting & Analysis Forensic Systems GNOC Analysis Alerts Storage, Data Data Collector Transport Processing, Acquisition Analysis Reporting Interpretation Analysis & & Response Alerting Processes Central Analysis Platforms Source: AT&T Cyber Security Strategy presentation 4 FMS 1/2018

  5. SOCs Threat Analytics Platform 2.0 Remediation coordination Ops Centers 2 2 5 8 17 20 Forensic Analysis 2842 Reporting & Analysis Systems GNOC Interpretation Alerts & Response DNS Collector 2.0 Storage, Data Processes w/ Streaming Transport Processing, Acquisition Analytics Analysis Reporting Analysis & Alerting Central Analysis Platforms Source: AT&T Cyber Security Strategy presentation 5 FMS 1/2018

  6. Valuable Security Analysis of DNS Activity 1/3  Tunneling and other non-DNS over port 53  Detect compromised hosts potentially exfiltrating data.  DGA Detection  Identify hosts with indications they are participating in a Botnet  Squatting Detection  Identify domains which are impersonating legitimate domains. Often used in phishing attacks.  Outlier Detection and Volumetric Anomaly Detection.  Indicates a pattern change. Typically prompts additional automated correlation and can reinforce (add confidence level) another indicator. Source: AT&T DNS Collector 2.0 Feature Description 6 FMS 1/2018

  7. Valuable Security Analysis of DNS Activity 2/3  DrDos – Distributed Reflective Denial of Service  Identify hosts being DDoS attacked, typically Identifies a spoofed address – entry of which is often traced to misconfiguration.  Detect of open resolvers.  “Dark DNS” - rogue DNS infrastructure  DNS changer and more.  Detection of DNS infrastructure outside of the Internet hierarchy typically used for control of malicious activities.  Indicates hosts communicating have been potentially compromised Source: AT&T DNS Collector 2.0 Feature Description 7 FMS 1/2018

  8. Valuable Security Analysis of DNS Activity 2/3  DNS NXDOMAIN and Subdomain exhaust  DoS attack of the DNS impairing service to all users.  DNS clients often spoofed and/or compromised host.  Newly Observed Domains (NOD)  Useful indicator to correlate with other indicators.  Can give NOD a low reputation score initially  If today’s NOD was and DGA NXDOMAIN yesterday it is strong indication of roving C2 of a DGA Botnet. Source: AT&T DNS Collector 2.0 Feature Description 8 FMS 1/2018

  9. DNS Collector 2.0 - Probe / Collector / Analyzer DNS Analytics running in DNS 2.0 Collector today: Collector 1.0 Functionality 1. Tunneling Normal Answer File Format 2. DGA File Output 3. Volumetric Outlier Anomaly Detection 4. Port 53 Abuse: DNS Malformed and DNS Flags Validation Error Response File File Format Output Malformed File Format File Output Non- DNS File Format Indicators DNS Packet File Output IP Ingest & Parse Address Feature Analytic DGA Filter File Output Interest Lists Extraction Model Tunnel Feature Analytic File Output Filter Extraction Model Volumetric Anomaly Forecasting File Output Sampling Detection Metrics File Output Source: AT&T DNS Collector 2.0 Training presentation 9 FMS 1/2018

  10. Take-Awa Ta ways  Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.  Real time streaming analysis on the network edge enables detecting multiple indicators simultaneously  Correlating indicators can strengthen the confidence level.  Machine learning algorithms not just for data at rest  COTS commodity hardware is capable of handling respectable volume of traffic ~4Gb/s  DNS Collector 2.0 can run as NFV in a VM at lower DNS traffic volumes.  Analysis of traffic is always interesting, often revealing and effective means of detecting Threat Indicators. 10 FMS 1/2018

  11. AT&T ThreatTraq source: http://techchannel.att.com/threattraq Weekly Cyber Threat Report Tis the Season: Necurs and Scarab, Exim, Firefox and Breached Sites 11 FMS 1/2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Telescopes: The FloCon Files There are "reseachers" seriously interested in

Network Telescopes: The FloCon Files There are "reseachers" seriously interested in

Flocon Stream of Conciousness Network Telescopes: The FloCon Files There are "reseachers" seriously interested in pieces of operational problems. anomaly detection, early worm detection flow aggregation, line-speed

259 views • 11 slides
1/13/09 FLOCON 2009, Scottsdale, AZ DoD Disclaimer This document was prepared as a service to

1/13/09 FLOCON 2009, Scottsdale, AZ DoD Disclaimer This document was prepared as a service to

1/13/09 FLOCON 2009, Scottsdale, AZ DoD Disclaimer This document was prepared as a service to the DoD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal

287 views • 17 slides
Darkspace Construction and Maintenance Jeff Janies and M. Patrick Collins RedJack FloCon 2011

Darkspace Construction and Maintenance Jeff Janies and M. Patrick Collins RedJack FloCon 2011

Darkspace Construction and Maintenance Jeff Janies and M. Patrick Collins RedJack FloCon 2011 What are Darkspaces? Simple definition: Externally routable address block(s) to which no legitimate network traffic should be destined. No

242 views • 20 slides
NERD: Network Emergency Responder & Detector Wim.Biemolt@surfnet.nl 2 nd FloCon, Pittsburgh,

NERD: Network Emergency Responder & Detector Wim.Biemolt@surfnet.nl 2 nd FloCon, Pittsburgh,

NERD: Network Emergency Responder & Detector Wim.Biemolt@surfnet.nl 2 nd FloCon, Pittsburgh, September, 2005. High-quality I nternet for higher education and research SURFnet5 netw ork Operational Since September 2001

309 views • 18 slides
Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider

Less is More with Intelligent Packet Capture RANDY CALDEJON FLOCON 2020 Objectives Consider merits of streaming analytics Expose to advanced open source tools Encourage to experiment with OpenArgus 2 2 Streaming Analytics

581 views • 36 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
On Terabit Flow Analysis FloCon 2008, Savannah Jonathan M. Smith CIS Department, U. Penn

On Terabit Flow Analysis FloCon 2008, Savannah Jonathan M. Smith CIS Department, U. Penn

On Terabit Flow Analysis FloCon 2008, Savannah Jonathan M. Smith CIS Department, U. Penn Terabit Network Applications Full-fidelity remote visualization and interactive simulation for 80fps HD / 3D HD and beyond, support for holographic

383 views • 16 slides
Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013

Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013

A Distributed Network Security Analysis System Based on Apache Hadoop-Related T echnologies Bingdong Li , Jeff Springer , Mehmet Gunes , George Bebis University of Nevada Reno FloCon 2013 January 7-10, Albuquerque, New Mexico Agenda

493 views • 31 slides
Using Vantage To Manage Complex Sensor Networks Flocon 2015 Biography Michael Collins,

Using Vantage To Manage Complex Sensor Networks Flocon 2015 Biography Michael Collins,

Using Vantage To Manage Complex Sensor Networks Flocon 2015 Biography Michael Collins, Chief Scientist, RedJack Did a bunch of stuff at CERT Wrote a book on flow analysis What is Vantage Analysis? (1) Study the networks

171 views • 15 slides
CyberV@R: A Model to Compute Dollar Value at Risk of Loss to Cyber Attack FloCon 2013 James

CyberV@R: A Model to Compute Dollar Value at Risk of Loss to Cyber Attack FloCon 2013 James

CyberV@R: A Model to Compute Dollar Value at Risk of Loss to Cyber Attack FloCon 2013 James Ulrich 1 CyberPoint Labs julrich@cyberpointllc.com CyberPoint International LLC January 9, 2013 1 with contributions from Charles Cabot, Roberta Faux,

1.32k views • 24 slides
Locality a semi-formal flow dimension John Gerth Stanford University FloCon 2015

Locality a semi-formal flow dimension John Gerth Stanford University FloCon 2015

Locality a semi-formal flow dimension John Gerth Stanford University FloCon 2015 Outline Dress for success Semi-formal attire Locals only Friends, acquaintances, and janitors On the street where

235 views • 20 slides
Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as

Suricata Tutorial FloCon 2016 Agenda Setup Introduction to Suricata Suricata as a SSL monitor Suricata as a passive DNS probe Suricata as a flow probe Suricata as a malware detector VirtualBox setup File ->

1.16k views • 78 slides
Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis

Protographs: Graph-Based Approach to NetFlow Analysis Jeff Janies RedJack FloCon 2011 Thesis Using social networks we can complement our existing volumetric analysis. Identify phenomenon we are missing because they are just not

568 views • 24 slides
Flow Indexing Making queries go faster FloCon 11 January 2012 John McHugh RedJack LLC How is

Flow Indexing Making queries go faster FloCon 11 January 2012 John McHugh RedJack LLC How is

Flow Indexing Making queries go faster FloCon 11 January 2012 John McHugh RedJack LLC How is large scale flow data used? Selection is the most generic and most popular query type. Selection queries specify a source IP address, a

420 views • 14 slides
Statistical analysis of flow data using Python and Redis DRAFT FLOCON 2013 Kevin Noble

Statistical analysis of flow data using Python and Redis DRAFT FLOCON 2013 Kevin Noble

Inroduction Statistical analysis of flow data using Python and Redis DRAFT FLOCON 2013 Kevin Noble Terraplex@gmail.com - 1 - Overview Overview 1. Beacon description 2. Beacons as used by attackers 3. Considerations for beacon

568 views • 36 slides
Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 Carter Bullard QoSient, LLC

Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 Carter Bullard QoSient, LLC

Near Real-Time Multi-Source Flow Data Correlation FloCon 2013 Carter Bullard QoSient, LLC Albuquerque, New Mexico Jan 7-10, 2013 carter@qosient.com Problem Statement Cyber incident attribution and forensics, is a complex process. To

795 views • 28 slides
Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar

Domain Name System (DNS) Session-1: Fundamentals Michuki Mwangi AfNOG Workshop, AIS 2018, Dakar Computers use IP addresses. Why do we need names? Names are easier for people to remember Computers may be moved between networks, in which

462 views • 29 slides
Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St.

Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St.

Launching Your Site BADCamp 2019 by Dan Ficker About Me Dan Ficker St. Paul, Minnesota Twitter: @deliriousguy Web: http://da-man.com/ Customer Success Engineer, Pantheon What We Will Cover Gather Website

478 views • 31 slides
Privacy analysis of DNS resolver solutions J.H.C. van Heugten University of Amsterdam MSc System

Privacy analysis of DNS resolver solutions J.H.C. van Heugten University of Amsterdam MSc System

Privacy analysis of DNS resolver solutions J.H.C. van Heugten University of Amsterdam MSc System and Network Engineering July 3, 2018 J.H.C. van Heugten (UvA) DNS privacy July 3, 2018 1 / 14 Introduction Weve updated our privacy

162 views • 14 slides
Domain Name System (DNS) Fundamentals Network Startup Resource Center www.nsrc.org These

Domain Name System (DNS) Fundamentals Network Startup Resource Center www.nsrc.org These

Domain Name System (DNS) Fundamentals Network Startup Resource Center www.nsrc.org These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Why

547 views • 29 slides
DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

DNS Requirements Large domain registrar A few hundred thousand domains using our DNS.

Scaling DNS Requirements Large domain registrar A few hundred thousand domains using our DNS. Nearly a million domains Still growing Need fast updates on the authoritative servers Especially when a new domain is added

557 views • 21 slides
DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT

DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT

DNS Security in the Broadest sense Some good news, some bad Bert Hubert PowerDNS.COM / Fox-IT Agenda DNS is scary & complex DNS is everywhere Embedded 1984 vintage code Threats: Availability, integrity, code exploitation

510 views • 35 slides
DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC

DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC

DNSwitness: recent developments and the new passive monitor St ephane Bortzmeyer AFNIC bortzmeyer@nic.fr RIPE 59 - Lisbon - October 2009 1 DNSwitness: recent developments and the new passive monitor / Where are we in the talk? Reminder

689 views • 67 slides
Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes

Non Profit Lobbying What is lobbying? Is it the proverbial, sinister behind-the-scenes handshake agreement? Or is it something not so sinister? What do you think? Lobbying is Political to be political, as per the IRS, means to engaged in

214 views • 5 slides

More recommend