Big Data in Cyber Security, 2016
Simon Arnell, Chief Technologist – Security Services


Page 2

DNS Malware Analytics
Detecting compromised systems based on network usage

Page 3

The security operations challenge

[Figure: CMU CERT/CC Incident Lifecycle. Inputs (email, hotline/help desk call center, IDS, other; incident report, vulnerability report, information request) feed Triage, followed by Analyze, Obtain contact information, Provide technical assistance, Coordinate information and response, and finally Resolution. Time scales marked on the figure: weeks -> ?, days, months.]

Page 4

Security operations research

[Figure: the same CERT/CC Incident Lifecycle, annotated with the two research themes: early detection (Big Data) at the detection and triage stages, and rapid response (software-defined networking) at the response and resolution stages.]

Page 5

What is DNS?

[Figure: client / server resolution path for the query service.company.com, involving the local DNS server, the DNS root ".", the .com servers and the company.com servers.]

1. The client asks its local DNS server: service.company.com?
2. The local server checks whether it holds the zone, then checks its cache.
3. On a miss it asks the DNS root ".", which replies: ask ".com".
4. It asks the .com servers, which reply: ask "company.com".
5. It asks the company.com servers, which reply: 58.25.88.90.
6. The local server returns the reply 58.25.88.90 to the client.

DNS traffic is generated by:
- users (e.g. by browsing web sites)
- applications, servers, etc.

Page 6

Abuse case: botnet command and control

[Figure: a bot asks its DNS server for akaajkajkajd.cn?, xisyudnwuxu.ru?, dfknwerpbnp.biz?, mneyqslgyb.info?, cspcicicipisjjew.hu?; only mneyqslgyb.info resolves, to the C2 server.]

The attacker can't keep the C2 server at one IP address for very long, so it registers a random-looking domain name temporarily. The bot tries a bunch of random names until it finds one that resolves; the others come back as NXDOMAIN.

Page 7

Abuse case: DNS tunneling (via subdomains)

[Figure: a bot on an internal asset sends queries through the corporate DNS server to a (compromised) authoritative DNS server for example.com. The data is carried in the subdomain labels: 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com]
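Both abuse cases (the C2 lookup on page 6 and the tunneling on page 7) leave a pattern in the query log rather than in any single packet. The following is an added example, not the deck's or the product's detection code: it runs two simple per-client heuristics over a constructed log built from the names on the two slides. For the DGA case it looks for a client with a burst of NXDOMAIN answers spread across many distinct registered domains; for tunneling it looks for one client sending many distinct, high-entropy subdomain labels under one registered domain. The thresholds, the log format and the "last two labels" notion of a registered domain are assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample log (not data from the deck): one query per line as
# "client qname rcode", where rcode 0 = NOERROR and 3 = NXDOMAIN.  The names
# are the ones shown on the botnet C2 and DNS-tunneling slides; 10.0.0.9 is a
# benign client added for contrast.
SAMPLE_LOG = """\
10.0.0.5 akaajkajkajd.cn 3
10.0.0.5 xisyudnwuxu.ru 3
10.0.0.5 dfknwerpbnp.biz 3
10.0.0.5 cspcicicipisjjew.hu 3
10.0.0.5 mneyqslgyb.info 0
10.0.0.7 93cc3daf.example.com 0
10.0.0.7 4fac3215.example.com 0
10.0.0.7 a86f4221.example.com 0
10.0.0.7 ddee9152.example.com 0
10.0.0.7 8bd5ff12.example.com 0
10.0.0.7 d4bb92a1.example.com 0
10.0.0.7 ef409132.example.com 0
10.0.0.7 1bfa3207.example.com 0
10.0.0.7 298c5b3a.example.com 0
10.0.0.9 www.company.com 0
10.0.0.9 mail.company.com 0
10.0.0.9 service.company.com 0
10.0.0.9 typo.company.cmo 3
"""


def parse_log(text: str) -> list[tuple[str, str, int]]:
    """Parse the constructed log into (client, qname, rcode) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        records.append((client, qname.lower().rstrip("."), int(rcode)))
    return records


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; generated labels score higher."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Assumption: the registered domain is the last two labels.  A real
    deployment uses the Public Suffix List so host.example.co.uk -> example.co.uk."""
    return ".".join(qname.split(".")[-2:])


def detect_dga(records, min_nxdomain: int = 4, min_domains: int = 3) -> dict:
    """Page 6 pattern: a bot walks through generated names, so one client
    produces many NXDOMAIN answers over many distinct registered domains."""
    nx = defaultdict(list)
    for client, qname, rcode in records:
        if rcode == 3:
            nx[client].append(qname)
    alerts = {}
    for client, names in nx.items():
        domains = {registered_domain(q) for q in names}
        if len(names) >= min_nxdomain and len(domains) >= min_domains:
            mean_h = sum(entropy(q.split(".")[0]) for q in names) / len(names)
            alerts[client] = {"nxdomain": len(names), "distinct_domains": len(domains),
                              "mean_entropy": round(mean_h, 2)}
    return alerts


def detect_tunneling(records, min_subdomains: int = 8, min_entropy: float = 2.0) -> dict:
    """Page 7 pattern: many distinct, high-entropy subdomain labels under one
    registered domain from one client.  Keyed by (client, registered domain)."""
    subs = defaultdict(set)
    for client, qname, _rcode in records:
        domain = registered_domain(qname)
        prefix = qname[:-len(domain) - 1] if qname != domain else ""
        if prefix:
            subs[(client, domain)].add(prefix)
    alerts = {}
    for key, labels in subs.items():
        if len(labels) < min_subdomains:
            continue
        mean_h = sum(entropy(label) for label in labels) / len(labels)
        if mean_h >= min_entropy:
            alerts[key] = {"distinct_subdomains": len(labels), "mean_entropy": round(mean_h, 2)}
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA suspects:", detect_dga(recs))
    print("Tunneling suspects:", detect_tunneling(recs))
```

The benign client 10.0.0.9 trips neither rule: one typo-induced NXDOMAIN is normal, and three ordinary hostnames under company.com are nowhere near the subdomain count of the tunnel. In production both rules need a time window and a whitelist of content delivery and cloud domains that legitimately produce many distinct hashed-looking subdomains.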

Page 8

Solution architecture: overview

[Figure: DNS server(s) -> network tap -> HPL DNS packet capture (DNS queries and responses) -> ArcSight Logger (event logging) and ArcSight ESM (correlation and alerting), fed by a whitelist and a blacklist. The HPL Security Analytics and Visualization Solution consumes the DNS events (queries and replies) for threat insight. Capture, logging and correlation are real-time; the analytics are near-time and historical.]

Page 9

[Screenshots of Big Data for Security – pre DMA; images not reproduced.]

Page 10

Productisation

[Screenshot from HPE DNS Malware Analytics]

– Cloud-based managed or self-service analytics with on-premises capture modules
– Yearly subscription
– Bolt-on upgrades: events per second, number of capture modules

Page 11

Service architecture

[Figure: on the enterprise side, the DNS server/cluster feeds a DNS Capture Module; the module forwards to the analytics cloud (DNS analytics), which raises alerts (infected system) to the SOC's SIEM and offers a web-based UI with detail, visualisation and drill-down for the Level 1 analyst and the hunt team.]

DNS Capture Module:
– Filter out 99% of traffic*
– Tag events (blacklist matching, DGA detection)
– Statistics and diagnostics

DNS analytics (SaaS/cloud):
– Constantly analyze DNS data for security threats
– Alerting
– Data visualization and exploration