Day: June 25, 2015

Internet pioneer and DNS expert Paul Vixie says ‘passive DNS’ is way to shut down malicious servers and infrastructure without affecting innocent users.

Botnet and bad-actor IP hosting service takedowns by law enforcement and industry contingents have been all the rage for the past few years as the good guys have taken a more aggressive tack against the bad guys.

These efforts typically serve as an effective yet short-term disruption for the most determined cybercriminal operations, but they also sometimes inadvertently harm innocent users and providers, a problem Internet pioneer and DNS expert Paul Vixie says can be solved by employing a more targeted takedown method.

Vixie, CEO of FarSight Security, which detects potentially malicious new domain names and other DNS malicious traffic trends, says using a passive DNS approach would reduce or even eliminate the chance of collateral damage when cybercriminal infrastructure is wrested from the attackers’ control. Vixie will drill down on this topic during his presentation at Black Hat USA in August.

Takedowns typically include seizing domains, sinkholing IPs, and sometimes physically removing equipment, to derail a botnet or other malicious operation.

Perhaps the most infamous case of collateral damage from a takedown was Microsoft’s Digital Crimes Unit’s takeover of 22 dynamic DNS domains from provider No-IP a year ago. The move did some damage to Syrian Electronic Army and cybercrime groups, but innocent users were also knocked offline. Microsoft said a “technical error” led to the legitimate No-IP users losing their service as well, and No-IP maintained that millions of its users were affected.

The issue was eventually resolved, but not after some posturing in hearings on Capitol Hill, and debate over whether Microsoft was getting to heavy-handed in its takedown operations.

Vixie says the key to ensuring innocent users and organizations don’t get swept up in the law enforcement cyber-sweep is get a more accurate picture of just what is attached to and relying on the infrastructure in question. “There is a tool that you can use to find out [whether] the Net infrastructure belongs to bad guys so you don’t target anything else” that shares that infrastructure and is not malicious, Vixie says.

Passive DNS is a way to do that, says Vixie. With passive DNS, DNS messages among DNS servers are captured by sensors and then analyzed. While Vixie’s company does run a Passive DNS database, he says he’s advocating that investigators and task forces doing botnet or domain takedowns use any passive DNS tool or service.

Vixie says the two-part challenge in takedowns to date has been ensuring law enforcement “got it all” while not inadvertently cutting off innocent users and operations in the process.

Passive DNS not only can help spot critical DNS name servers, popular websites, shared hosting environments, and other legit operations so they aren’t hit in a takedown operation, he says, but it can also help spot related malicious domains that might otherwise get missed. That helps investigators drill down to the malicious tentacles of the operation, according to Vixie.

Vixie in his talk at Black Hat also plans to lobby for researchers and service providers to contribute data to passive DNS efforts.

Meanwhile, it’s unclear what long-term effects takedowns have had on the cybercrime underground. “I’m involved in the same [volume] of [takedown] cases than I ever was. The trend of bad guys is on an upward swing,” Vixie says.

 

[Dark Reading]

Since May 2014, the Chinese government has been amassing a ‘Facebook for human intelligence.’ Here’s what it’s doing with the info.

Leading into 2015, the cybersecurity community was still reeling from the impact of a destructive attack unlike any other we have seen in terms of visibility, scale, and impact. Already halfway into 2015, there is no shortage of breaches. We have already witnessed major compromises in healthcare, the US government, the Bundestag, and media being attacked by sophisticated adversaries, in most cases, roaming freely on networks for months at a time.

Attackers from China, Russia, North Korea, ISIS, and even potentially friendly governments have dominated the headlines. In case you have your head in the sand, this is not going away anytime soon. Compared to traditional espionage, “cyber espionage,” or CNE as the military likes to designate it, has a lower cost of entry, less risk if you are caught or compromised, and can often yield equivalent intelligence to feed an ever-growing set of interested consumers. For criminals, the use of e-commerce systems and vulnerable payment mechanisms provides an avenue for rapid monetization and prosperity. Activists or hacktivists as they present themselves on the Internet are able to use electronic mediums to disseminate messaging from banal greets to truly meaningful causes that impact people’s lives across the globe.

Since May of 2014, the Chinese government has been amassing what can only be described as the “Facebook for human intelligence targeting” from the databases lifted from some of our most fundamental and essential systems. Why would anyone want healthcare records? If you take a step back, these records are part of a bigger picture, used in concert with the personnel records of US government workers and any other databases that have been stolen over the years. The beneficiary of that data can build an interesting picture detailing the confidential history, preferences, behavioral patterns, and more, of millions of potential intelligence targets.

The point that most people miss is that “cyber” data doesn’t just get used for cyber attacks, or cyber bullying, or cyber theft. The People’s Republic of China doesn’t only conduct network-based espionage, they are a major government on the world stage. They have human intelligence collectors whose job is to identify people with access to interesting or useful information and to collect that information. MICE is a common acronym we use in the information security industry — Money, Ideology, Compromise, and Ego – a simple set of motivations that can be used to entice or coerce a target to provide continued or temporary access to data.

Using stolen healthcare data, these human collectors can identify someone with access to sensitive information who unfortunately has a sick relative. As the healthcare bills pile up and they become increasingly despondent to help their sick relative get the medical treatment they need, an opening begins to emerge. The human collector, if they are able to identify this opening, can approach the target and begin to sow the seed for access, a simple trade of money for information, information that may seem insignificant to the target, but in aggregate across many different sources becomes quite valuable.

[Learn more from Adam about how to consume, operationalize and integrate threat intel during his training session on the fundamentals of intelligence-driven security, Black Hat 2015 Las Vegas August 1-2 & 3-4.]

It has been said that the network defender must be right 100 percent of the time, while the attacker need only be lucky once. The asymmetry of this is terrifying! Your network defenders should be in front of 10 monitors with an intravenous drip of caffeine and sugar twitching at every packet surging across your enterprise. The reality is that this is true, but we have systems and tools to help deter and detect these attackers.

These tools out of the box, while capable, don’t necessarily have all the smarts they need to root out these attackers:  these tools need intelligence. Intelligence-driven security means learning from previous attacks whether successful or not, and incorporating what you have learned into your defense posture. The military, in dealing with asymmetry encountered in Latin America in the 1980’s pioneered a process for incorporating intelligence into their targeting processes that has been continuously improved upon in the past 10 years.

This process involves taking the intelligence gleaned from every action, operation, or encounter and feeding it into the next operation to rapidly adapt to the changing environment. This same process introduced into security operations, what I call intelligence-driven security, can drive the cost of protecting the enterprise down, while simultaneously allowing the Security Operations Center (SOC) to have meaningful conversations with the business owners, the C-Suite, and the Board. Enterprise security isn’t just about blocking malware anymore, it’s about protecting the business and against dedicated and sophisticated threat actors.

Adam Meyers has over a decade of experience within the information security industry. He has authored numerous papers that have appeared at peer reviewed industry venues and has received awards for his dedication to the field. At CrowdStrike, Adam serves as the VP of Intelligence. Within this role it is Adam’s responsibility to oversee all of CrowdStrike’s intelligence gathering and cyber-adversarial monitoring activities. Adam’s Global Intelligence Team supports both the Product and Services divisions at CrowdStrike and Adam manages these endeavors and expectations. Prior to joining CrowdStrike, Adam was the Director of Cyber Security Intelligence with the National Products and Offerings Division of SRA International.

[Dark Reading]