Threat Attribution via DNS

Expo Theatre (Hall G), October 23, 2012


Gunter Ollmann

Despite the complexities of modern malware and the stealthiness of targeted infiltrations, the remote command and control of victim devices is heavily dependent upon a clear-text protocol. Using new techniques in the big-data analysis of streaming DNS traffic and the application of innovative machine-learning systems, it is possible to automatically identify domain names being purposed for malicious intent (months prior to malware samples being uncovered) and, more often than not, perform first-order criminal attribution, all through passive (non-DPI) observations. DNS is the Achilles’ heel of modern cybercriminal tactics. This talk will discuss the newest techniques in criminal entity attribution, early threat warning and the reconstruction of infection lifecycles using DNS observations at the recursive and authoritative levels.
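As an added illustration of the kind of passive-DNS pivot the abstract refers to (not the speaker's system), the script below groups domains seen at a recursive resolver by shared A-record address or authoritative nameserver, records when each shared indicator was first observed, and scores leftmost labels by character entropy; the record format, hostnames and addresses are all constructed for the example.

```python
# Added illustration of first-order attribution over passive DNS data;
# not the speaker's tooling. Record format and sample data are constructed.
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed recursive-resolver observations: "timestamp qname rtype rdata"
SAMPLE_RECORDS = """\
2012-09-01T10:00:00 update-check.example.net A 198.51.100.7
2012-09-01T10:00:01 update-check.example.net NS ns1.example-dns.test
2012-09-14T03:12:44 kx7qz2p9w.example.org A 198.51.100.7
2012-09-14T03:12:45 kx7qz2p9w.example.org NS ns1.example-dns.test
2012-09-20T22:05:10 news.example.com A 203.0.113.9
2012-09-20T22:05:11 news.example.com NS ns.example-hosting.test
"""

def parse_records(text):
    """Yield (timestamp, qname, rtype, rdata) tuples from the text above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rtype, rdata = line.split()
        yield datetime.fromisoformat(ts), qname.lower(), rtype, rdata.lower()

def label_entropy(name):
    """Shannon entropy of the leftmost label; algorithmically generated
    labels tend to score higher than human-chosen ones."""
    label = name.split(".")[0]
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def pivot_infrastructure(records):
    """Group domains by shared A address or NS host, keeping the earliest
    time any domain in the group was observed at the recursive level."""
    groups = defaultdict(lambda: {"domains": set(), "first_seen": None})
    for ts, qname, rtype, rdata in records:
        if rtype not in ("A", "NS"):
            continue
        g = groups[(rtype, rdata)]
        g["domains"].add(qname)
        if g["first_seen"] is None or ts < g["first_seen"]:
            g["first_seen"] = ts
    # Only indicators shared by more than one domain support a pivot.
    return {k: v for k, v in groups.items() if len(v["domains"]) > 1}

if __name__ == "__main__":
    for key, info in pivot_infrastructure(parse_records(SAMPLE_RECORDS)).items():
        print(key, sorted(info["domains"]), info["first_seen"].date())
```

On the sample data the two domains sharing 198.51.100.7 and ns1.example-dns.test fall into one group whose first sighting predates the DGA-looking name by two weeks, which is the early-warning signal the abstract describes.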