Big Data in Cyber Security 2016
Simon Arnell, Chief Technologist – Security Services
DNS Malware Analytics: Detecting compromised systems based on network usage
The security operations challenge
Diagram: CMU CERT/CC Incident Lifecycle. Incident reports, vulnerability reports and information requests arrive via a hotline/help desk/call center, IDS and other sources; they are triaged, then analyzed (obtain contact information, provide technical assistance, coordinate information and response) and resolved. The time from report to resolution is annotated in days, weeks and months.
Security operations research
Diagram: the same CMU CERT/CC Incident Lifecycle, annotated with two research directions: early detection (Big Data) and rapid response (software-defined networking).
What is DNS?
Diagram: client/server resolution of service.company.com, involving a local DNS server, the DNS root ".", the .com DNS server and the company.com DNS server:
– Client → local DNS server: Query: service.company.com?
– Local DNS server: check cache, check for zone
– Local DNS server → root ".": Query: service.company.com? REPLY: ask ".com"
– Local DNS server → .com: Query: service.company.com? REPLY: ask "company.com"
– Local DNS server → company.com: Query: service.company.com? Reply: 58.25.88.90
– Local DNS server → client: REPLY: 58.25.88.90
DNS traffic generated by:
– Users (e.g. by browsing web sites)
– Applications, servers, etc.
Abuse case: Botnet command and control
Diagram: bot → DNS server. The bot queries a series of candidate names (akaajkajkajd.cn? xisyudnwuxu.ru? dfknwerpbnp.biz? mneyqslgyb.info? cspcicicipisjjew.hu?); the C2 server is reachable at mneyqslgyb.info.
The attacker can't keep the C2 server at one IP address for very long, so it registers a random domain name temporarily.
The bot tries a bunch of random names until it finds one that resolves.
Abuse case: DNS tunneling (via subdomains)
Diagram: bot → DNS server → (compromised) DNS server for example.com. The bot queries a stream of opaque subdomains: 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com.
Solution architecture: Overview
Diagram: traffic from the DNS server(s) is copied via a network tap to the HPL DNS packet capture, which forwards DNS queries and responses (DNS events: queries and replies) to the HPL Security Analytics and Visualization Solution. Inputs: whitelist, blacklist, threat insight. Functions: real-time processing; near-time, historical analysis; event logging (ArcSight Logger); correlation and alerting (ArcSight ESM).
Screenshots of Big Data for Security – pre DMA
Productisation
Screenshot from HPE DNS Malware Analytics
– Cloud-based managed or self-service analytics with on-premises capture modules
– Yearly subscription
– Bolt-on upgrades
– Events per second
– Number of capture modules
Service architecture
Diagram: an on-premises DNS Capture Module at the enterprise DNS server/cluster feeds DNS analytics in the analytics cloud. Alerts (infected system) go to the enterprise SOC's Level 1 analyst via the SIEM; web-based detail and visual drill-down are available to the hunt team via the UI.
DNS Capture Module:
– Filter out 99% of traffic*
– Tag events (blacklist matching, DGA detection)
– Statistics and diagnostics
DNS analytics:
– Constantly analyze DNS data for security threats
– Alerting
– Data visualization and exploration
– SaaS/Cloud
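As an added illustration of the capture module's filter-and-tag step (example code, not HPE's or the product's own), the following Python applies a whitelist filter and then three tags to a constructed DNS log: blacklist matching, a DGA heuristic based on the NXDOMAIN burst the botnet slide describes, and a tunneling heuristic for the opaque-subdomain abuse case. The log format, thresholds, naive registered-domain split and list contents are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS log (not from the deck): "<client> <queried name> <rcode>" per line.
SAMPLE_LOG = """\
10.0.0.5 www.company.com NOERROR
10.0.0.5 service.company.com NOERROR
10.0.0.9 akaajkajkajd.cn NXDOMAIN
10.0.0.9 xisyudnwuxu.ru NXDOMAIN
10.0.0.9 dfknwerpbnp.biz NXDOMAIN
10.0.0.9 mneyqslgyb.info NOERROR
10.0.0.7 93cc3daf.example.com NOERROR
10.0.0.7 4fac3215.example.com NOERROR
10.0.0.7 a86f4221.example.com NOERROR
10.0.0.7 ddee9152.example.com NOERROR
"""

WHITELIST = {"company.com"}      # hypothetical: known-good domains dropped before analysis
BLACKLIST = {"mneyqslgyb.info"}  # hypothetical: the deck's C2 domain as a blacklist entry
NXDOMAIN_BURST = 3               # assumed: distinct failing domains per client before tagging DGA
HEX_LABEL = re.compile(r"^[0-9a-f]{8}$")  # opaque fixed-width labels, as on the tunneling slide
TUNNEL_LABELS = 4                # assumed: distinct opaque labels under one domain before tagging

def registered_domain(name):
    # Naive: last two labels. Production code would consult a public-suffix list.
    return ".".join(name.split(".")[-2:])

def tag_events(log):
    """Return (tagged, dropped): tagged maps (client, name) -> set of tags; dropped counts
    whitelisted events discarded before analysis (the 'filter out most traffic' step)."""
    events, dropped = [], 0
    for line in log.splitlines():
        client, name, rcode = line.split()
        if registered_domain(name) in WHITELIST:
            dropped += 1
            continue
        events.append((client, name, rcode))
    nx = defaultdict(set)         # client -> distinct domains that returned NXDOMAIN
    hexlabels = defaultdict(set)  # (client, domain) -> distinct hex-like subdomain labels
    for client, name, rcode in events:
        label, domain = name.split(".")[0], registered_domain(name)
        if rcode == "NXDOMAIN":
            nx[client].add(domain)
        if HEX_LABEL.match(label):
            hexlabels[(client, domain)].add(label)
    tagged = {}
    for client, name, rcode in events:
        domain, tags = registered_domain(name), set()
        if name in BLACKLIST or domain in BLACKLIST:
            tags.add("blacklist")
        if len(nx[client]) >= NXDOMAIN_BURST:   # client cycling through random names
            tags.add("dga")
        if len(hexlabels[(client, domain)]) >= TUNNEL_LABELS:
            tags.add("tunnel")
        tagged[(client, name)] = tags
    return tagged, dropped
```

The DGA tag is applied to every event of a client that produced the burst, so the one name that finally resolved (the C2 domain in the deck's example) is surfaced alongside the failures.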