Ripple EffectAlgorithmic Threat

Intelligence & ContainmentPing @OpenDNS.com

Ping

Came from China Was in U. of Arizona graduate school

Data mining, Machine learningInfoSec

Agenda

DNS transactions

The Ripple Effect

Case study - Cryptolocker

Demo

More IP, AS intel, the present and the past?

What is this traffic spikes all about?

What are all these weird stuff that one was requesting?

The Ripple Effect

The process of searching the newer and the unknown, … starting from the seeding intelligence

Cryptolocker DGA

1. Infection2. retrieve encryption key from CnC3. encrypt data files 4. collect money!

IP CnC fails quickly! DGA kicks in !

I don’t know the DGA!!!

https://sgraph.umbrella.com/domain-view/name/xvaxsxbptmerjb.com/view

Demohttp://labs.umbrella.com/wp-content/uploads/2013/09/cyl.gif

load https://sgraph.umbrella.com/thibault/Web/?name=xvaxsxbptmerjb.com

The Algorithm

November 7th 144.76.192.13095.59.26.43

Beyond Cryptolocker

https://sgraph.umbrella.com/domain-view/name/o2i2394073g2oh2b34.com/view

QUESTIONS?