CSW2017 - Kyle Ehmke - Lots of Squats: APTs Never Miss Leg Day
- 1. © 2016 ThreatConnect, Inc. All Rights Reserved | All material confidential and proprietary
@ThreatConnect
Lots of Squats:
APTs Never Miss Leg Day
March 17, 2017
- 2.
Agenda
• Spoofed domains
• Notable breaches
• Tools
• Strategic view of spoofed domain registrations
• Tactical view
• Conclusions
- 3.
The First Look Vulnerability
Rescuing Leia
• Because everything has a Star Wars parallel
Spoofed domains
• Exploit the inherent and immediate trust that we place in the familiar
• Target the organization itself, or another organization or technology pertinent to the operation
Types
• Typosquats
• Look-alikes
• Letter swaps
• Sticky keys
- 4.
Pop Quiz Example
A) gooqle.com
B) googIe.com
C) qoogle.com
D) gcogle.com
Answer: all four are spoofs of google.com, each built from a single substitution
• gooqle.com and qoogle.com: a lowercase "q" in place of a "g"
• gcogle.com: a "c" in place of an "o"
• googIe.com: an uppercase "I" in place of a lowercase "l". DNS folds case, so the name actually registered is googie.com; the substitution only deceives where the string is rendered in a font in which I and l look alike, such as a link or a sender address in a mail client
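The four spoof types on the "Types" slide and the quiz substitutions above, as an added example (written for this edit; it is not code from the deck and not DNSTwist or URLCrazy, which cover far more permutation classes): a small generator that enumerates candidates for one target domain so the output can be diffed against new registrations or fed to a WHOIS lookup. The homoglyph table (built from domains that appear in the deck) and the horizontal-only QWERTY adjacency are assumptions, and the suffix handling assumes a single-label TLD such as `.com`.

```python
"""Enumerate look-alike candidates for a target domain.

Added example written for this edit, not code from the deck and not
DNSTwist or URLCrazy. It implements the four spoof types on the "Types"
slide so the output can be diffed against new registrations or handed to
a WHOIS lookup.
"""
import itertools

# Visually confusable ASCII substitutions, drawn from domains shown in the
# deck (gooqle, gcogle, googIe, we11point, honeyvvell, thehufflngtonpost,
# cloudfiare). Treat the table as an assumption to extend, not a standard.
HOMOGLYPHS = {
    "g": ("q",),
    "o": ("c", "0"),
    "l": ("i", "1"),   # "googIe" registers as googie: DNS folds case, so an
    "i": ("l",),       # uppercase I only fools the eye in a rendered link
    "w": ("vv",),
    "m": ("rn",),
}

# Horizontal QWERTY neighbours for fat-finger typos (simplified: diagonal
# neighbours are ignored).
_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _neighbours(ch):
    for row in _ROWS:
        if ch in row:
            i = row.index(ch)
            return set(row[max(0, i - 1):i + 2]) - {ch}
    return set()


def _split(domain):
    """'google.com' -> ('google', 'com'). Assumes a single-label suffix."""
    label, _, suffix = domain.lower().rpartition(".")
    return label, suffix


def look_alikes(label):
    """Swap one glyph, and separately every occurrence of it (we11point)."""
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            out.add(label[:i] + sub + label[i + 1:])
            out.add(label.replace(ch, sub))
    return out - {label}


def letter_swaps(label):
    """Transpose adjacent characters (misdepartment -> misdepatrment)."""
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(len(label) - 1)} - {label}


def sticky_keys(label):
    """Repeat one key press (google -> gooogle)."""
    return {label[:i] + ch + label[i:] for i, ch in enumerate(label)}


def typosquats(label):
    """Drop a character, or hit the key next to it instead of / as well as it."""
    out = {label[:i] + label[i + 1:] for i in range(len(label))}
    for i, ch in enumerate(label):
        for n in _neighbours(ch):
            out.add(label[:i] + n + label[i + 1:])
            out.add(label[:i] + ch + n + label[i + 1:])
    return out - {label}


def spoof_candidates(domain):
    """Return {category: {candidate domain, ...}} for one target domain."""
    label, suffix = _split(domain)
    gens = {"look_alike": look_alikes, "letter_swap": letter_swaps,
            "sticky_key": sticky_keys, "typosquat": typosquats}
    return {cat: {f"{c}.{suffix}" for c in fn(label)} for cat, fn in gens.items()}


def all_candidates(domain):
    """Flat set of every candidate across all categories."""
    return set(itertools.chain.from_iterable(spoof_candidates(domain).values()))


if __name__ == "__main__":
    for cat, names in spoof_candidates("google.com").items():
        print(f"{cat:12} {len(names):4}  e.g. {sorted(names)[:4]}")
```

Run the candidates through a DNS resolver or a WHOIS bulk lookup to separate registered from unregistered names; a candidate that resolves and whose registrant is not your own brand-protection team is the starting point for the strategic and tactical work in the rest of the deck.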
- 8.
Advanced Persistent Threats (APTs)
Everybody’s doing it
• China
• Russia
Why
• Relatively cheap
• Easy to do
• Effective
• Can obfuscate origin
Operations (where spoofed domains are used)
• Delivery
• Exploitation
• Command and control
Notable breaches
• Anthem/BCBS entities
• OPM
• DNC/DCCC
Operation types
• Credential harvesting
• Malware dissemination
- 9.
Notable Breaches
China – DEEP PANDA
Anthem/BCBS
• we11point[.]com (digit 1 for the letter l in WellPoint, Anthem’s former name)
• prennera[.]com ("rn" for "m" in Premera)
• Chinese registrant resellers
OPM
• opm-learning[.]org
• opmsecurity[.]org
• Registrants named after the Avengers
Russia – FANCY BEAR
DNC/DCCC
• misdepatrment[.]com
• actblues[.]com
• Fake personas
- 10.
So What?
Spoofing has become a TTP
• Specific actors employ spoofing against specific sectors
• There is a trend to look for
Domain registration precedes the operation
• The lead time varies
Operationalize domain registration information
• Treat WHOIS as threat intelligence
- 11.
We’re Not Playing Whack-a-Mole
Simply reacting on a one-off basis won’t suffice
• Move from a reactive posture to an active one
• Then to a predictive one
Leveraging domain registrations as threat intel
• Higher-level strategic intelligence: informs organizational or sector awareness
• In-depth tactical intelligence: provides situational awareness during incidents
Operationalize domain registration information
• Trends in spoofed domain registrations
• Identifying and leveraging APT TTPs
- 12.
Tools of the Trade
DNSTwist and URLCrazy
• Open source
• Generate typo and look-alike permutations of a given domain and check which of them resolve
DomainTools
• WHOIS
• Typo Finder
• Reverse NS Lookup
• IRIS
- 13.
Domain Registrations as Strategic Intel
- 14.
Trends in Registrations
Process
• Identify all domains registered during a given timeframe that spoof the provided domains
• Get WHOIS information for all of them: registrant, registrar, create date, registrant email address, country of origin
• Used Excel
• Remove legitimate registrations (for example the organization’s own defensive registrations) where possible
• Investigate the WHOIS information to identify trends or patterns
• Correlate possible spikes in activity to current events
Hypothesis
• Keeping track of all of the spoofed domains targeting a given organization or sector can help identify potential activity against that organization or sector.
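The process above carried through in code, as an added worked example that is not ThreatConnect’s tooling: take the WHOIS extract (domain, spoofed target, create date, registrant country, registrant e-mail) for domains already judged to spoof the targets, drop the organization’s own registrations, count per target per month with zero-filled months, optionally restrict to one registrant country, and flag months that stand out against that target’s own baseline. The records are constructed and do not reproduce the deck’s figures; the allowlist of legitimate registrant mail domains and the spike rule (above the series’ mean plus 1.5 standard deviations, with a floor of three registrations) are assumptions.

```python
"""Count spoofed-domain registrations per month and flag spikes.

Added example for this edit; it is not ThreatConnect's tooling. Input is
the WHOIS extract the process describes, for domains already judged to
spoof the targets. The records, the allowlist and the spike rule are
assumptions.
"""
from collections import Counter
from datetime import date
from statistics import mean, pstdev

# Constructed WHOIS extracts: (domain, spoofed target, create date,
# registrant country, registrant e-mail). Counts are shaped to show the
# method and do not reproduce the deck's figures.
RECORDS = [
    ("n0vartis.com",     "novartis", date(2015, 1, 12), "US", "x1@mail.example"),
    ("novartls.com",     "novartis", date(2015, 3, 2),  "CN", "x2@mail.example"),
    ("novatris.com",     "novartis", date(2015, 3, 9),  "CN", "x3@mail.example"),
    ("novartis-hr.com",  "novartis", date(2015, 3, 20), "CN", "x2@mail.example"),
    ("novartis-eu.com",  "novartis", date(2015, 3, 25), "CH", "brand@novartis.com"),
    ("nvartis.com",      "novartis", date(2015, 4, 4),  "US", "x4@mail.example"),
    ("novaartis.com",    "novartis", date(2015, 6, 17), "DE", "x5@mail.example"),
    ("lilly-update.com", "lilly",    date(2015, 2, 3),  "US", "y1@mail.example"),
    ("lillyportal.com",  "lilly",    date(2015, 5, 11), "CN", "y2@mail.example"),
    ("lillly.com",       "lilly",    date(2015, 6, 1),  "CN", "y2@mail.example"),
]

# Registrant mail domains that mark an organization's own defensive
# registrations (assumed allowlist; build yours from your asset inventory).
LEGIT_EMAIL_DOMAINS = {"novartis": {"novartis.com"}, "lilly": {"lilly.com"}}


def month_range(start, end):
    """(year, month) pairs from start to end inclusive."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield (y, m)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def drop_legitimate(records):
    """Remove registrations whose registrant e-mail belongs to the spoofed org."""
    return [r for r in records
            if r[4].rpartition("@")[2] not in LEGIT_EMAIL_DOMAINS.get(r[1], set())]


def monthly_counts(records, target, country=None):
    """Registrations per month for one target, zero-filled across the window
    spanned by all records, optionally limited to one registrant country."""
    window = month_range(min(r[2] for r in records), max(r[2] for r in records))
    hits = Counter((r[2].year, r[2].month) for r in records
                   if r[1] == target and (country is None or r[3] == country))
    return {ym: hits.get(ym, 0) for ym in window}


def spike_months(counts, k=1.5, min_count=3):
    """Months whose count exceeds the series' own mean + k*stdev and min_count.
    The floor stops one registration in an otherwise empty series from being
    called a spike."""
    values = list(counts.values())
    threshold = mean(values) + k * pstdev(values)
    return [ym for ym, n in counts.items() if n >= min_count and n > threshold]


if __name__ == "__main__":
    recs = drop_legitimate(RECORDS)
    for target in ("novartis", "lilly"):
        counts = monthly_counts(recs, target)
        print(target, counts, "spikes:", spike_months(counts))
```

The flagged months are where the analyst work starts, not where it ends: line each one up against the organization’s news for that month (approvals, deals, coverage) and against the registrant fields of the domains in the spike, since a cluster sharing one registrant e-mail is a different finding from a dozen unrelated opportunists.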
- 15.
Organizational Example
Research
• Spoofed domains targeting Anthem BCBS legitimate domains
• 10 domains/organizations
Anthem BCBS Identified
• Over 1,400 spoofed domains
• Over 280 in 2015
• 59 of which came from China
- 16.
[Chart, built up over three slides: Number of Spoofed Domain Registrations from China Targeting BCBS Entities, 2015]
- 19.
Sector Example
Research
• Spoofed domains targeting six major pharmaceutical companies
Pharmaceutical Industry Identified
• Over 2,000 spoofed domains
• 304 in 2015
• At least 70 from China
- 20.
Findings
Novartis – March 2015
• Three spoofed domains in March
• FDA approves first biosimilar drug
• Beijing lifts price controls on pharmaceuticals
Lilly – November 2015
• Eight spoofed domains in October
• Twelve in November
• Eli Lilly and China's Innovent expand partnership
• FDA approves cancer drug
Sanofi – April 2016
• Twelve spoofed domains in April
• Two in the rest of 2016
• Bids for Medivation
• Eczema drug clears trials
- 21.
What Does This Mean for an Org/Sector?
Spikes in registration activity
• Potentially portend malicious activity
• Necessitate heightened awareness
• May not be malicious
• May be related to non-cyber events (product approvals, deals, news coverage)
• Provide situational awareness for sectors
WHOIS
• Registrants and email addresses for tracking
• Identify other domains that the individuals targeting your organization register
Helps identify threats
• Consistencies with previously identified APTs
• Capabilities, TTPs, and other infrastructure to be aware of
- 22.
Domain Registrations as Tactical Intel
- 23.
Pivoting from One Spoofed Domain to Others
Process
• Identify a spoofed domain that is particularly suspicious or has been leveraged in malicious activity
• Get WHOIS and/or SOA information for the domain: registrant, registrar, create date, registrant email address, country of origin, name server, etc.
• Identify the most unique registration information (a value shared by few other domains; registrar defaults and privacy-proxy contacts are shared by millions and pivot to noise)
• Pivot to other domains using that most unique registration information
Hypothesis
• WHOIS information for an encountered spoofed domain can help us identify an actor’s other spoofed domains that may be leveraged against the same or other targets.
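The pivot process above, and the "confluence of WHOIS information" the tactical summary and the 1&1 subset slide come back to, as one added example (written for this edit; not ThreatConnect’s or DomainTools’ code): given WHOIS/SOA fields for many domains, score each field of the seed domain by how many other domains share its value, pivot on the rarest, and then require two fields to match at once to cut the noise a popular name server produces on its own. Every record is a constructed placeholder; the domains, e-mail addresses, registrars and name servers are not the deck’s real WHOIS data, and the list of non-pivotable values is an assumption.

```python
"""Rank a seed domain's WHOIS/SOA fields by uniqueness and pivot on them.

Added example written for this edit; not ThreatConnect's or DomainTools'
code. All records are constructed placeholders, not real WHOIS data.
"""

FIELDS = ("email", "registrar", "ns", "country")

# Constructed WHOIS/SOA extracts, keyed by domain.
WHOIS = {
    "seed-spoof.example":  {"email": "ops42@mail.example",    "registrar": "BigRegistrar", "ns": "ns1.coinhost.example",   "country": "PA"},
    "spoof-a.example":     {"email": "ops42@mail.example",    "registrar": "BigRegistrar", "ns": "ns1.coinhost.example",   "country": "PA"},
    "spoof-b.example":     {"email": "ops42@mail.example",    "registrar": "OtherReg",     "ns": "ns2.bulkdns.example",    "country": "RU"},
    "spoof-c.example":     {"email": "proxy@privacy.example", "registrar": "BigRegistrar", "ns": "ns1.coinhost.example",   "country": "PA"},
    "crypto-shop.example": {"email": "owner@shop.example",    "registrar": "OtherReg",     "ns": "ns1.coinhost.example",   "country": "DE"},
    "news-site.example":   {"email": "ed@news.example",       "registrar": "BigRegistrar", "ns": "ns2.bulkdns.example",    "country": "US"},
    "blog.example":        {"email": "me@blog.example",       "registrar": "BigRegistrar", "ns": "ns2.bulkdns.example",    "country": "US"},
    "store.example":       {"email": "sales@store.example",   "registrar": "BigRegistrar", "ns": "ns2.bulkdns.example",    "country": "PA"},
    "forum.example":       {"email": "admin@forum.example",   "registrar": "BigRegistrar", "ns": "ns2.bulkdns.example",    "country": "US"},
    "shop2.example":       {"email": "hi@shop2.example",      "registrar": "BigRegistrar", "ns": "ns3.regdefault.example", "country": "US"},
}

# Values shared by everyone behind a privacy proxy or on a registrar default,
# which therefore never identify an actor (assumed list).
NOT_PIVOTABLE = {"proxy@privacy.example", "ns3.regdefault.example"}


def _others_sharing(whois, seed, field, value):
    return {d for d, rec in whois.items() if d != seed and rec.get(field) == value}


def field_rarity(whois, seed):
    """[(field, value, number of other domains sharing it)], rarest first.
    Non-pivotable values are left out rather than scored."""
    rows = []
    for field in FIELDS:
        value = whois[seed][field]
        if value in NOT_PIVOTABLE:
            continue
        rows.append((field, value, len(_others_sharing(whois, seed, field, value))))
    return sorted(rows, key=lambda r: (r[2], r[0]))


def pivot(whois, seed, field):
    """Other domains sharing the seed's value for one field."""
    value = whois[seed][field]
    if value in NOT_PIVOTABLE:
        return set()
    return _others_sharing(whois, seed, field, value)


def confluence(whois, seed, fields):
    """Other domains matching the seed on every listed field at once."""
    hits = None
    for field in fields:
        matches = pivot(whois, seed, field)
        hits = matches if hits is None else hits & matches
    return hits or set()


if __name__ == "__main__":
    seed = "seed-spoof.example"
    for field, value, n in field_rarity(WHOIS, seed):
        print(f"{field:9} {value:26} shared with {n} other domain(s)")
    print("ns+country:", sorted(confluence(WHOIS, seed, ("ns", "country"))))
```

On the constructed data the registrant e-mail is the tightest pivot, the name server alone also drags in an unrelated customer of the same host, and requiring name server and country together drops it again. That is the same move the deck makes at scale: a name server carrying ~2,500 domains is too wide a net by itself, so the subset sharing a registrant mail provider is what gets tracked.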
- 24.
DNC and DCCC Attacks
DNC
• CrowdStrike analysis from mid-June 2016
• Identified a FANCY BEAR IP address
• ThreatConnect identified misdepatrment[.]com
• Spoofs "MIS Department", with the r and t transposed
DCCC
• Reporting from mid-July 2016 identified that the same actors compromised the DCCC
• Used a spoofed domain targeting the donation website
• Fidelis identified actblues[.]com vs actblue[.]com
• Registered the day after the DNC attack was publicized
- 25.
WHOIS/SOA Information for FB Domains
[WHOIS/SOA records for misdepatrment[.]com and actblues[.]com, shown as screenshots]
- 26.
What Can We Pivot from that is Unique?
[Built up over five slides: the unique registration values in the misdepatrment[.]com and actblues[.]com records are highlighted, and pivoting on them surfaces the following domains]
• httpconnectsys[.]com
• fastcontech[.]com
• intelsupportcenter[.]com
• intelsupportcenter[.]net
- 31.
Name Servers
Domains4Bitcoins (1a7ea920.bitcoin-dns.hosting)
• Accepts Bitcoin
• ~2,500 domains
• Previous associations to FB
  • militaryobserver[.]net
  • sysprofsvc[.]com
  • euronews24[.]info
  • naoasch[.]com
  • storsvc[.]org
ITitch (ns1.ititch.com)
• Accepts Bitcoin
• ~2,100 domains
- 32.
Hundreds of Spoofed Domains on These Name Servers (selection)
• access-google[.]com
• actblues[.]com
• adobeflashdownload[.]de
• adobeflashplayer[.]me
• adobeflashplayer[.]space
• adobeupdater[.]org
• adobeupdatetechnology[.]com
• adoble[.]net
• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• appclientsupport[.]ca
• appleappcache[.]com
• appleauthservice[.]com
• applerefund[.]com
• archivenow[.]org
• bbcupdatenews[.]com
• bit-co[.]org
• bitsdelivery[.]com
• buy0day[.]com
• cdn-google[.]com
• cdncloudflare[.]com
• cloudfiare[.]com
• dynamicnewsfeeds[.]com
• ebiqiuty[.]com
• egypressoffice[.]com
• eigsecure[.]com
• facebook-profiles[.]com
• flashplayer2015[.]xyz
• goaarmy[.]org
• govsh[.]net
• great-support[.]com
• hackborders[.]net
• helper-akamai[.]com
• honeyvvell[.]co
• intelintelligence[.]org
• intelsupportcenter[.]com
• intelsupportcenter[.]net
• login-hosts[.]com
• logmein-careservice[.]com
• marshmallow-google[.]com
• micoft[.]com
• microsoft-updates[.]me
• mofa-uae[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• ms-updates[.]com
• nato-org[.]com
• natoadviser[.]com
• new-ru[.]org
• newflashplayer2015[.]xyz
• passwordreset[.]co
• pdf-online-viewer[.]com
• sec-verified[.]com
• securesystemwin[.]com
• securityresearch[.]cc
• services-gov[.]co[.]uk
• social-microsoft[.]com
• socialmedia-lab[.]com
• symantecupdates[.]com
• terms-google[.]com
• theguardiannews[.]org
• theguardianpress[.]com
• thehufflngtonpost[.]com
• vortex-sandbox-microsoft[.]com
• vpssecurehost[.]com
• win-wnigarden[.]com
• wincodec[.]com
• windowsnewupdated[.]com
• winliveupdate[.]top
• winninggroup-sg[.]com
• wm-z[.]biz
• wmepadtech[.]com
• wsjworld[.]com
• yourflashplayer[.]xyz
- 33.
Subset Whose Registrant Email Address Is on a 1&1 Mail Domain
Domains4Bitcoins
(1a7ea920.bitcoin-dns.hosting)
• akamaitechnologysupport[.]com
• akamaitechupdate[.]com
• micoft[.]com
• ms-drivadptrwin[.]com
• ms-sus6[.]com
• securesystemwin[.]com
• wmepadtech[.]com
• natoadviser[.]com
• theguardiannews[.]org
• wsjworld[.]com
ITitch (ns1.ititch.com)
• bitsdelivery[.]com
• apptaskserver[.]com
• aptupdates[.]org
• contentupdate[.]org
• defenceglobaladviser[.]com
• dowssys[.]com
• gmailservicegroup[.]com
• i-aol-mail[.]com
• msmodule[.]net
• officeupdater[.]com
• systemsv[.]org
• updmanager[.]net
- 34.
What Does This Mean for an Org/Sector?
Relevant threat intelligence
• During incidents
• Actor pivoting
• Historical registrations for reviewing previous activity
WHOIS
• Identify other domains that the individuals targeting your organization register
Future tracking
• Registrant email addresses
• Name servers
• Confluence of WHOIS information (the same email address and name server together, rather than either alone)
- 35.
Caveats
Findings merit additional research
• Spoofed domains are not necessarily malicious
• Tracking domains may help identify if and when they are operationalized
• Watch hosting information: a parked domain that suddenly gains an A or MX record may be about to be used
• Slice and dice the WHOIS
Legitimate domains
• Some domains, like lilly.com, inherently produce false positives (a short, common string matches many unrelated registrations)
• Baseline activity to identify spikes
• Also requires an understanding of your organization’s assets
Importance of sharing
• Impossible to do this type of research for all of the organizations/technologies that your organization may be involved with
• Sharing intelligence derived from this type of research facilitates other organizations’ defensive efforts
- 36.
Conclusions
Leverage intelligence from spoofed domain registrations
Not cost prohibitive
• Lower amount of resources
• Some tools openly available
Strategic and tactical research
• Focuses on a common TTP
• Provides situational and tactical awareness
Helps defend your organization and others
• Sharing is caring
• Cyber security karma
- 37.
THANK YOU!
Blog: threatconnect.com/blog
Twitter: @ThreatConnect
Sign up for a free account: www.threatconnect.com/free