Ripple Effect: Algorithmic Threat Intelligence & Containment
Ping @OpenDNS.com
Ping
Came from China
Was in U. of Arizona graduate school
Data mining, Machine learning, InfoSec
Agenda
DNS transactions
The Ripple Effect
Case study - Cryptolocker
Demo
More IP, AS intel, the present and the past?
What are these traffic spikes all about?
What is all this weird stuff that one host was requesting?
The Ripple Effect
The process of searching for the newer and the unknown, … starting from the seed intelligence
Cryptolocker DGA
1. Infection
2. Retrieve encryption key from CnC
3. Encrypt data files
4. Collect money!
IP CnC fails quickly! DGA kicks in!
I don’t know the DGA!!!
https://sgraph.umbrella.com/domain-view/name/xvaxsxbptmerjb.com/view
Demo
http://labs.umbrella.com/wp-content/uploads/2013/09/cyl.gif
load https://sgraph.umbrella.com/thibault/Web/?name=xvaxsxbptmerjb.com
The Algorithm
November 7th
144.76.192.130
95.59.26.43
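The pivot the slides describe (seed domain, its resolving IPs on a given day, every other domain that resolved to those IPs, repeat) written out as an added example. This is not OpenDNS or Umbrella code and the resolution records are constructed for the illustration: the two seed-style domains and the two November 7th IPs are the ones shown on the slides, every other domain and IP here is made up. Two caveats a practitioner wants are built in: IPs hosting more than a handful of domains (CDN, parking, shared hosting) are recorded but never pivoted through, because following them floods the result with unrelated names, and the "looks generated" flag is a crude vowel/digit heuristic for triage, not a DGA classifier (you still do not know the DGA, and do not need to).

```python
"""Ripple-effect expansion over passive-DNS style (domain, ip) records.

Added example, not OpenDNS/Umbrella code. RECORDS is constructed: the seed
domains and the two IPs from the slides are real strings from the deck,
everything else is invented for the illustration.
"""
from collections import defaultdict, deque

# Constructed resolution records: (domain, ip). Not real passive-DNS data.
RECORDS = [
    ("xvaxsxbptmerjb.com", "144.76.192.130"),
    ("xvaxsxbptmerjb.com", "95.59.26.43"),
    ("o2i2394073g2oh2b34.com", "95.59.26.43"),   # second name from the slides
    ("qwrtlpmnbvcx.net", "144.76.192.130"),      # invented sibling
    ("qwrtlpmnbvcx.net", "203.0.113.7"),         # invented second-hop IP
    ("zzkrpvtnqlwx.org", "203.0.113.7"),         # invented second-hop domain
    # Invented shared IP used by many unrelated domains: must not be followed.
    ("example.com", "198.51.100.1"),
    ("news.example.org", "198.51.100.1"),
    ("shop.example.net", "198.51.100.1"),
    ("mail.example.com", "198.51.100.1"),
    ("qwrtlpmnbvcx.net", "198.51.100.1"),
]


def build_index(records):
    """Two adjacency maps: domain -> IPs it resolved to, IP -> domains on it."""
    dom2ip, ip2dom = defaultdict(set), defaultdict(set)
    for dom, ip in records:
        dom2ip[dom].add(ip)
        ip2dom[ip].add(dom)
    return dom2ip, ip2dom


def ripple(seed, records=RECORDS, max_hops=3, max_fanout=3):
    """Breadth-first pivot seed -> IPs -> domains -> IPs ... up to max_hops.

    An IP hosting more than max_fanout domains is treated as shared
    infrastructure: it is reported under "shared_ips" but not expanded.
    """
    dom2ip, ip2dom = build_index(records)
    found = {"domains": {seed}, "ips": set(), "shared_ips": set()}
    queue = deque([(seed, 0)])
    while queue:
        dom, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for ip in dom2ip.get(dom, ()):
            if ip in found["ips"]:
                continue
            found["ips"].add(ip)
            if len(ip2dom[ip]) > max_fanout:
                found["shared_ips"].add(ip)   # noisy: record, do not pivot
                continue
            for other in ip2dom[ip]:
                if other not in found["domains"]:
                    found["domains"].add(other)
                    queue.append((other, hop + 1))
    return found


def looks_generated(domain):
    """Crude triage heuristic (assumption, not a DGA model): long label with
    almost no vowels, or with a large share of digits."""
    label = domain.split(".")[0]
    if len(label) < 10:
        return False
    letters = [c for c in label if c.isalpha()]
    digits = sum(c.isdigit() for c in label)
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.25 or digits / len(label) > 0.3


def new_candidates(seed, records=RECORDS):
    """Domains reached from the seed (seed excluded), each with the triage flag."""
    found = ripple(seed, records)
    return sorted((d, looks_generated(d)) for d in found["domains"] if d != seed)


if __name__ == "__main__":
    result = ripple("xvaxsxbptmerjb.com")
    print("pivoted through IPs:", sorted(result["ips"] - result["shared_ips"]))
    print("skipped shared IPs: ", sorted(result["shared_ips"]))
    for dom, flag in new_candidates("xvaxsxbptmerjb.com"):
        print(f"{dom:28s} looks_generated={flag}")
```

Tune `max_fanout` against your own resolver data: on real passive DNS even a sinkhole or a bulletproof host can carry dozens of names, so the cutoff is a per-dataset decision, and the seed intelligence (here the one confirmed Cryptolocker domain) is what keeps the expansion honest.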
Beyond Cryptolocker
https://sgraph.umbrella.com/domain-view/name/o2i2394073g2oh2b34.com/view
QUESTIONS?