Tracking Evil with Passive DNS
|
|
- Margaret McCoy
- 6 years ago
- Views:
Transcription
1 Tracking Evil with Passive DNS Bojan Ždrnja, CISSP, GCIA, GCIH INFIGO IS
2 Who am I? Senior information security consultant with INFIGO IS (Croatia) Mainly doing penetration testing Various duties at SANS Internet Storm Center Handler Mostly known for reverse engineering malware SANS GREM (GIAC Reverse Engineering Malware) course co-author Advisory Board Member Honorary researcher at the University of Auckland, New Zealand This is were I started working with passive DNS
3 Agenda What is passive DNS? DNSParseNG Project overview and current status Data mining Tracking evil and much, much more Future development
4 Domain name system (DNS) DNS is a critical part of the Internet The DNS maps hostnames to IP addresses DNS is distributed Great for high availability Each server is responsible only for its zone We are interested in 4-tuple answers: Question Resource record type Answer TTL
5 Why we need DNS data replication? DNS allows multiple mappings Forward multiple mappings are very common Reverse multiple mappings very rare History of any DNS changes is permanently lost DNS keeps no information about previous records Only the owner knows what happened The idea behind this Let s capture DNS data (questions and answers) so we can do research on it
6 Acquiring DNS data Various ways of acquiring DNS data We can mirror DNS zones off servers But we need access to various zones for that We can actively resolve DNS names We do not know what to look for We can passively sniff network and store seen DNS traffic Practical in huge environments since we can monitor only gateway traffic No changes required to clients or servers This is how passive DNS replication works
7 Passive DNS replication Initial idea by Florian Weimer in 2004 He was with RUS-CERT Only limited data available ISC s Security Information Exchange DNSParse (and DNSParseNG) Research project at the University of Auckland Data available from 2006 More than 1.5 billion records in the database Available to security researchers
8 How DNSParseNG works Passive sensors monitor network traffic and collect DNS packets Collected traffic is parsed to eliminate duplicates Sensor runs a special utility The utility generates plain text files Sensors upload parsed data (and anonymized, if needed) to the central collector Uploads through SCP (SSH) Uploads are identified only by sensor All information about query and answer sources is removed
9 How DNSParseNG works Data is collected with tcpdump We are interested only in authoritative DNS responses ID Q R Opcode A A T C R D R A Z RCODE QDCOUNT ANCOUNT NSCOUNT ARCOUNT udp port 53 and ( udp[10] & 0x04!= 0 )
10 Introducing DNSParseNG Collector stores retrieved data Specially optimized database Main data stored in sharded hash tables in a MySQL database Timestamps stored in Tokyo Cabinet files Hosted on a single machine (!) Currently uses around 600 GB of disk space Web interface available Automated queries possible through HTTPS Data returned in HTML, XML, JSON Easy integration with other systems
11 DNSParseNG web interface Username: csm-ace Password: passive
12 Huge amounts of data
13 Data mining Passive DNS contains data not available anywhere else Some simple examples Show all domain names mapped to a single IP address Show history of changes for any domain name Show when a particular entry was seen first and last time Useful for detecting new domain names Show what different sensors are seeing Do we have DNS cache poisoning? Or simply geo-ip localization?
14 New data Initial expectation was that newly seen records will not grow linearly Data locality Not true due to spammers and malware authors New domains get registered constantly We can inspect newly seen domains Is a large number of new domains seen per sensor? Very useful for detecting phishing attempts
15 Detection of phishing attempts Early warnings for popular sites/domain names Very useful for banks! Already used by various AV vendors, banks, Facebook Processed when importing new domains If a domain matches our name Check if this domain has been seen before If not, raise an alert and send False positives for legitimate names seen first time
16 Detection of phishing attempts Catch phishing attempts such as Or Or We can also check what else is hosted on these servers As long as one of our sensors has seen it Help us make decision DEMO If it is a compromised server Or simply a bad server/network/operator
17 Typo squatting domains Sometimes used in phishing attacks Or simply for marketing/advertisements DNSParse contains millions of typo squatting domains Sometimes can be detected automatically They show what our users visited Especially dangerous with wildcard typo squatting domains Real domain is
18 Typo squatting domains Every record shown was visited by at least one user Since the IP addresses are changing we can geo-locate them Moving across continents is not usual Example: aukland.ac.nz A record This is Texas, USA A record This is New York, USA A record This is Christchurch, New Zealand
19 And more typo squatting domains Sometimes spammers use single host High number of domain name <-> IP address mappings Not an exclusive sign of badness, of course But when we add reputation Any new domain on this IP address is probably bad Let us take a look at
20 Fast flux domains High number of records for a single domain name Mappings of a domain name to IP address change frequently This is single fast flux Double fast flux Besides IP address mappings NS records change as well Both of these can be used for legitimate purposes as well Popular with CDNs
21 Fast flux domains We can automatically detect some Current work uses a linear classifier Calculate a flux score as function of Number of unique A records TTL values Unique ASNs We can even correlate this with real geographical location Registrar Domain age Exclude well known fast-flux-like domains For example, Akamai
22 Fast flux domains Work by Jin Liu, University of Auckland
23 Fast flux domains Classical bad example: Storm worm Used the tibeam.com domain FakeAV/RogueAV Certain groups use fast flux Example: etyj.ru Content Delivery Networks can be problematic Example: Akamai lb1.
24 Record reputation DNSParseNG has a field for reputation of every record Mark potentially evil records Is an IP address/network evil? Or attackers use only one NS server? If yes, if NS server s reputation is bad we know that every new domain that uses it is bad too Example: dns1.ip4dns.com Not used any more All domains using it are bad in the database
25 Reverse DNSParse Instead of answers, we collect questions Together with the source We are interested in 4-tuples Source IP address Source network port DNS question Domain name Resource Record Destination NS server Can help detect malicious/misbehaving clients on our networks
26 Reverse DNSParse Very simple detection of certain infected hosts Spamming machines tend to do a lot of MX lookups More than 5 per second? Alert We need to whitelist our server Lookups for known malicious hosts We can get feeds from various sources For example, Zeus tracker Why is our machine resolving a known C&C No matter what the AV said, this is an infected machine Or a security researcher we want to know about!
27 Future development We need more sensors! More sensors, better data Easy to apply, just me We can customize sensors as needed Add new query interfaces DNS query interface is ready (testing) Written by Chris Lee from Shadow Server Advanced data mining Automatic detection of evil domains Need to add reputation data on a large scale
28 Future development Improved alerting Simple keyword based alerting already working Proved useful for phishing domains Used by some high profile services Improved database searching Search by networks, IP addresses, names, neighbors Add support for secure DNS, more record types Add bailiwick data, prevent poisoning
29 Thank you for your attention!
A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION
Chapter 6 A SUBSYSTEM FOR FAST (IP) FLUX BOTNET DETECTION 6.1 Introduction 6.1.1 Motivation Content Distribution Networks (CDNs) and Round-Robin DNS (RRDNS) are the two standard methods used for resource
More informationDNSSM: A Large Scale Passive DNS Security Monitoring Framework
samuel.marchal@uni.lu 16/04/12 DNSSM: A Large Scale Passive DNS Security Monitoring Framework Samuel Marchal, Jérôme François, Cynthia Wagner, Radu State, Alexandre Dulaunoy, Thomas Engel, Olivier Festor
More informationBojan Ždrnja, CISSP, GCIA, GCIH, GWAPT INFIGO IS
Laterally pwning Windows Bojan Ždrnja, CISSP, GCIA, GCIH, GWAPT Bojan.Zdrnja@infigo.hr INFIGO IS http://www.infigo.hr Who am I? Senior information security consultant at INFIGO IS Penetration testing (all
More informationAutomating Security Response based on Internet Reputation
Add Your Logo here Do not use master Automating Security Response based on Internet Reputation IP and DNS Reputation for the IPS Platform Anthony Supinski Senior Systems Engineer www.h3cnetworks.com www.3com.com
More informationSOLUTION MANAGEMENT GROUP
InterScan Messaging Security Virtual Appliance 8.0 Reviewer s Guide February 2011 Trend Micro, Inc. 10101 N. De Anza Blvd. Cupertino, CA 95014 T 800.228.5651 / 408.257.1500 F 408.257.2003 www.trendmicro.com
More informationPassive DNS. Using the DNS for fun and profit. Alexandre Dulaunoy. March 4, Alexandre Dulaunoy Passive DNS
Using the DNS for fun and profit March 4, 2016 Domain Name Space and Structure Domain Name Space and Structure 1/3 The domain name space is structured in a tree. The DNS root zone is at the top and provide
More informationConfiguring DNS. Finding Feature Information. Prerequisites for Configuring DNS
The Domain Name System (DNS) is a distributed database in which you can map host names to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated host name.
More informationPassive DNS Replication
Passive DNS Replication Florian Weimer 17 th Annual FIRST Conference, Singapore, 2005 Florian Weimer Passive DNS Replication FIRST 2005 1 / 24 Outline A very brief introduction to DNS Case Study: Botnet
More informationComputer Networking: Applications George Blankenship. Applications George Blankenship 1
CSCI 232 Computer Networking: Applications i George Blankenship Applications George Blankenship 1 TCP/IP Applications The user of TCP/IP transport (TCP/UDP) is an application, the top level lof the TCP/IP
More informationForensic Network Analysis in the Time of APTs
SharkFest 16 Forensic Network Analysis in the Time of APTs June 16th 2016 Christian Landström Senior IT Security Consultant Airbus Defence and Space CyberSecurity Topics - Overview on security infrastructure
More informationSearch Engines. Information Retrieval in Practice
Search Engines Information Retrieval in Practice All slides Addison Wesley, 2008 Web Crawler Finds and downloads web pages automatically provides the collection for searching Web is huge and constantly
More informationThe evolution of malevolence
Detection of spam hosts and spam bots using network traffic modeling Anestis Karasaridis Willa K. Ehrlich, Danielle Liu, David Hoeflin 4/27/2010. All rights reserved. AT&T and the AT&T logo are trademarks
More informationNaming in Distributed Systems
Naming in Distributed Systems Dr. Yong Guan Department of Electrical and Computer Engineering & Information Assurance Center Iowa State University Outline for Today s Talk Overview: Names, Identifiers,
More informationGöran Pestana. Incident handler and developer
Göran Pestana Incident handler and developer Megatron Automated Abuse Handling by Who is Megatron? Who is Megatron? A system that collects and processes information about bad hosts on the Internet Input
More informationDetecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine
Detecting Spammers with SNARE: Spatio-temporal Network-level Automatic Reputation Engine Shuang Hao, Nadeem Ahmed Syed, Nick Feamster, Alexander G. Gray, Sven Krasser Motivation Spam: More than Just a
More informationIntelligent and Secure Network
Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence
More informationUnique Phishing Attacks (2008 vs in thousands)
The process of attempting to acquire sensitive information, such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. In the 2 nd half
More information3.5 SECURITY. How can you reduce the risk of getting a virus?
3.5 SECURITY 3.5.4 MALWARE WHAT IS MALWARE? Malware, short for malicious software, is any software used to disrupt the computer s operation, gather sensitive information without your knowledge, or gain
More informationDNS Anomaly Detection
DNS Anomaly Detection superdad Nick Barendregt Hidde van der Heide Agenda Introduction Methods Results Conclusion Questions and Discussion 3 / 25 Introduction "Examine the feasibility of detecting malware
More informationSecurity Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems. BRKSEC-2052_c Cisco Systems, Inc. All rights reserved.
Web 2.0 Security Recommendations Ken Kaminski Security Architect Northeast US Enterprise CISSP, GCIA, GCFA Cisco Systems 1 Agenda Reputation Services Web application security Secure Coding and Web Application
More informationHONEYPOT BASED INTRUSION MANAGEMENT SYSTEM: FROM A PASSIVE ARCHITECTURE TO AN IPS SYSTEM
HONEYPOT BASED INTRUSION MANAGEMENT SYSTEM: FROM A PASSIVE ARCHITECTURE TO AN IPS SYSTEM 1 ELMEHDI BENDRISS, 2 BOUBKER REGRAGUI 1 SI3M, ENSIAS 2 SI3M, ENSIAS E-mail: 1 bendriss@gmail.com, 2 regragui@ensias.ma
More informationGCIH. GIAC Certified Incident Handler.
GIAC GCIH GIAC Certified Incident Handler TYPE: DEMO http://www.examskey.com/gcih.html Examskey GIAC GCIH exam demo product is here for you to test the quality of the product. This GIAC GCIH demo also
More informationDNS. Karst Koymans & Niels Sijm. Friday, September 14, Informatics Institute University of Amsterdam
DNS Karst Koymans & Niels Sijm Informatics Institute University of Amsterdam Friday, September 14, 2012 Karst Koymans & Niels Sijm (UvA) DNS Friday, September 14, 2012 1 / 32 1 DNS on the wire 2 Zone transfers
More informationAnalyzing Huge Data for Suspicious Traffic. Christian Landström, Airbus DS
Analyzing Huge Data for Suspicious Traffic Christian Landström, Airbus DS Topics - Overview on security infrastructure - Strategies for network defense - A look at malicious traffic incl. Demos - How Wireshark
More informationTanium Endpoint Detection and Response. (ISC)² East Bay Chapter Training Day July 13, 2018
Tanium Endpoint Detection and Response (ISC)² East Bay Chapter Training Day July 13, 2018 $> WhoamI 11 Years of Security Experience Multiple Verticals (Technology, Industrial, Healthcare, Biotech) 9 Years
More informationFinding a needle in Haystack: Facebook's photo storage
Finding a needle in Haystack: Facebook's photo storage The paper is written at facebook and describes a object storage system called Haystack. Since facebook processes a lot of photos (20 petabytes total,
More informationCisco s Appliance-based Content Security: IronPort and Web Security
Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.
More informationDNS Security. Ch 1: The Importance of DNS Security. Updated
DNS Security Ch 1: The Importance of DNS Security Updated 8-21-17 DNS is Essential Without DNS, no one can use domain names like ccsf.edu Almost every Internet communication begins with a DNS resolution
More informationProtect Session B10039 ArcSight Activate Threat Intelligence Packages
Protect2016 - Session B10039 ArcSight Activate Threat Intelligence Packages Time to stop reinventing the wheel Prepared by SEMplicity & HPE George A. Boitano 617-524-0171 gboitano@semplicityinc.com Yun
More informationManaging Caching DNS Server
This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS. Configuring
More informationDNS Firewall with Response Policy Zone. Suman Kumar Saha bdcert Amber IT Limited
DNS Firewall with Response Policy Zone Suman Kumar Saha bdcert suman@bdcert.org Amber IT Limited suman@amberit.com.bd DNS Response Policy Zone(RPZ) as Firewall RPZ allows a recursive server to control
More informationBase64 The Security Killer
Base64 The Security Killer Kevin Fiscus NWN Corporation Session ID: DAS-203 Session Classification: Intermediate A Short (Made Up) Security Story Helix Pharmaceuticals is concerned about security Industrial
More informationDNS: Useful tool or just a hammer? Paul DNS-OARC 06 Oct 2013, Phoenix
DNS: Useful tool or just a hammer? Paul Ebersman pebersman@infoblox.com, @paul_ipv6 DNS-OARC 06 Oct 2013, Phoenix 1 Attacking your cache 2 Recursion DNS queries are either recursive or nonrecursive recursive
More informationAvoiding Information Overload: Automated Data Processing with n6
Avoiding Information Overload: Automated Data Processing with n6 Paweł Pawliński pawel.pawlinski@cert.pl 26th annual FIRST conference Boston, June 23rd 2014 Who we are part of national CERT for Poland
More informationLecture 12. Application Layer. Application Layer 1
Lecture 12 Application Layer Application Layer 1 Agenda The Application Layer (continue) Web and HTTP HTTP Cookies Web Caches Simple Introduction to Network Security Various actions by network attackers
More informationComputer Networking Introduction
Computer Networking Introduction Halgurd S. Maghdid Software Engineering Department Koya University-Koya, Kurdistan-Iraq Lecture No.3 Chapter 1: roadmap 1.1 what is the Internet? 1.2 network edge end systems,
More informationDocumentation for: MTA developers
This document contains implementation guidelines for developers of MTA products/appliances willing to use Spamhaus products to block as much spam as possible. No reference is made to specific products.
More informationSecurity Gap Analysis: Aggregrated Results
Email Security Gap Analysis: Aggregrated Results Average rates at which enterprise email security systems miss spam, phishing and malware attachments November 2017 www.cyren.com 1 Email Security Gap Analysis:
More informationDistributed Systems Principles and Paradigms. Chapter 12: Distributed Web-Based Systems
Distributed Systems Principles and Paradigms Maarten van Steen VU Amsterdam, Dept. Computer Science steen@cs.vu.nl Chapter 12: Distributed -Based Systems Version: December 10, 2012 Distributed -Based Systems
More informationChapter 2 Malicious Networks for DDoS Attacks
Chapter 2 Malicious Networks for DDoS Attacks Abstract In this chapter, we explore botnet, the engine of DDoS attacks, in cyberspace. We focus on two recent techniques that hackers are using to sustain
More informationCISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1
CISCO BORDERLESS NETWORKS 2009 Cisco Systems, Inc. All rights reserved. 1 Creating New Business Models The Key Change: Putting the Interaction Where the Customer Is Customer Experience/ Innovation Productivity/
More informationInformation Retrieval Spring Web retrieval
Information Retrieval Spring 2016 Web retrieval The Web Large Changing fast Public - No control over editing or contents Spam and Advertisement How big is the Web? Practically infinite due to the dynamic
More informationPassive Detection of Misbehaving Name Servers
Passive Detection of Misbehaving Name Servers Based on CMU/SEI-2013-TR-010 Jonathan Spring, Leigh Metcalf netsa-contact (AT) cert.org Flocon 2014, Charleston SC 2014 Carnegie Mellon University Copyright
More informationConfiguring the Botnet Traffic Filter
CHAPTER 46 Malware is malicious software that is installed on an unknowing host. Malware that attempts network activity such as sending private data (passwords, credit card numbers, key strokes, or proprietary
More informationSpam Protection Guide
Spam Email Protection Guide Version 1.0 Last Modified 5/29/2014 by Mike Copening Contents Overview of Spam at RTS... 1 Types of Spam... 1 Spam Tricks... 2 Imitation of 3 rd Party Email Template... 2 Spoofed
More informationA Review Paper on Network Security Attacks and Defences
EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY
More informationIPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC
IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC Lin Tao lintao850711@sina.com Liu Wu liuwu@cernet.edu.cn Duan Haixin dhx@cernet.edu.cn Sun Donghong sdh@cernet.edu.cn Abstract IPv6 is widely
More informationIntroduction to Security. Computer Networks Term A15
Introduction to Security Computer Networks Term A15 Intro to Security Outline Network Security Malware Spyware, viruses, worms and trojan horses, botnets Denial of Service and Distributed DOS Attacks Packet
More informationdeseo: Combating Search-Result Poisoning Yu USF
deseo: Combating Search-Result Poisoning Yu Jin @MSCS USF Your Google is not SAFE! SEO Poisoning - A new way to spread malware! Why choose SE? 22.4% of Google searches in the top 100 results > 50% for
More informationECE 435 Network Engineering Lecture 7
ECE 435 Network Engineering Lecture 7 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 September 2018 HW#3 was Posted Announcements 1 HW#2 Review C code will be discussed next
More informationAgenda. Review DNS Fundamentals DNS Security Summary 1/22
Agenda Review DNS Fundamentals DNS Security Summary 1/22 Which of the following is NOT a commonly used routing metric? A. Hop count B. Bandwidth C. Delay D. Destination s IP address E. Reliability of links
More informationCroatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP
Croatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP Croatian National CERT (HR-CERT) mission: Promoting and preserving information security of public
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Tasks (Part I): Setting Up a Local DNS Server. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright 2018 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award
More informationDNS. Introduction To. everything you never wanted to know about IP directory services
Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)
More informationComputer Network Vulnerabilities
Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like
More informationPope: Infrastructure for DNS Scanning
: Infrastructure for DNS Scanning 1 David Dagon 1 Luo Daniel Xiapu 1 1 {manos@cc,dagon@cc,xluo7@mail}.gatech.edu Georgia Institute of Technology Information Security Center Atlanta, Georgia OARC 2009 -
More informationThe Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company
The Invisible Threat of Modern Malware Lee Gitzes, CISSP Comm Solutions Company November 12, 2014 Malware s Evolution Why the change? Hacking is profitable! Breaches and Malware are Projected to Cost $491
More informationCSC2231: DNS with DHTs
CSC2231: DNS with DHTs http://www.cs.toronto.edu/~stefan/courses/csc2231/05au Stefan Saroiu Department of Computer Science University of Toronto Administrivia Next lecture: P2P churn Understanding Availability
More informationDomain Name System.
Domain Name System http://xkcd.com/302/ CSCI 466: Networks Keith Vertanen Fall 2011 Overview Final project + presentation Some TCP and UDP experiments Domain Name System (DNS) Hierarchical name space Maps
More informationFighting Spam, Phishing and Malware With Recurrent Pattern Detection
Fighting Spam, Phishing and Malware With Recurrent Pattern Detection White Paper September 2017 www.cyren.com 1 White Paper September 2017 Fighting Spam, Phishing and Malware With Recurrent Pattern Detection
More informationTransport: How Applications Communicate
Transport: How Applications Communicate Week 2 Philip Levis 1 7 Layers (or 4) 7. 6. 5. 4. 3. 2. 1. Application Presentation Session Transport Network Link Physical segments packets frames bits/bytes Application
More informationMcAfee Network Security Platform 9.1
9.1.7.15-9.1.5.9 Manager-NS-series Release Notes McAfee Network Security Platform 9.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues
More informationLocal DNS Attack Lab. 1 Lab Overview. 2 Lab Environment. 2.1 Install and configure the DNS server. SEED Labs Local DNS Attack Lab 1
SEED Labs Local DNS Attack Lab 1 Local DNS Attack Lab Copyright c 2006-2015 Wenliang Du, Syracuse University. The development of this document is partially funded by the National Science Foundation s Course,
More informationIPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions
IPS Effectiveness IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions An Intrusion Prevention System (IPS) is a critical layer of defense that helps you protect
More informationConfiguring Botnet Traffic Filtering Using Cisco Security Manager 4.0
Configuring Botnet Traffic Filtering Using Cisco Security Manager 4.0 First Published: June 2010 Abstract Botnets are a collection of malicious software or bots covertly installed on endpoints and controlled
More informationBOTNET-GENERATED SPAM
BOTNET-GENERATED SPAM By Areej Al-Bataineh University of Texas at San Antonio MIT Spam Conference 2009 www.securitycartoon.com 3/27/2009 Areej Al-Bataineh - Botnet-generated Spam 2 1 Botnets: A Global
More informationReal-Time Detection of Fast Flux Service Networks
Cybersecurity Applications & Technology Conference For Homeland Security Real-Time Detection of Fast Flux Service Networks Alper Caglayan, Mike Toothaker, Dan Drapeau, Dustin Burke and Gerry Eaton Milcord
More informationRelease Notes for Cisco IronPort AsyncOS 7.7 for Security Management
Release Notes for Cisco IronPort AsyncOS 7.7 for Security Management Published: February 15, 2012 Revised: April 9, 2012 Contents This document contains information for Cisco IronPort AsyncOS 7.7 for Security
More informationMcAfee Network Security Platform 8.3
8.3.7.28-8.3.3.9 Manager-Mxx30-series Release Notes McAfee Network Security Platform 8.3 Revision C Contents About this release New features Enhancements Resolved issues Installation instructions Known
More informationCAMELOT Configuration Overview Step-by-Step
General Mode of Operation Page: 1 CAMELOT Configuration Overview Step-by-Step 1. General Mode of Operation CAMELOT consists basically of three analytic processes running in a row before the email reaches
More informationProtect vital DNS assets and identify malware
N2 THREATAVERT Protect vital DNS assets and identify malware Service Providers recognize network security drives brand equity because it directly impacts subscriber satisfaction. Secure networks are also
More informationProtecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper
Protecting DNS Critical Infrastructure Solution Overview Radware Attack Mitigation System (AMS) - Whitepaper Table of Contents Introduction...3 DNS DDoS Attacks are Growing and Evolving...3 Challenges
More informationSymantec & Blue Coat Technical Update Webinar 29. Juni 2017
Avantec Blue Coat/Symantec Webinar Jean Marc Edder Senior Systems Engineer The Global Leader in Cyber Network + + Cloud Global market leader in Endpoint, Email, Data Loss Prevention and Website, User Authentication
More informationKaspersky Security Network
The Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to intelligently processing cybersecurity-related data streams from millions of voluntary participants around the
More informationTestBraindump. Latest test braindump, braindump actual test
TestBraindump http://www.testbraindump.com Latest test braindump, braindump actual test Exam : CS0-001 Title : CompTIA Cybersecurity Analyst (CySA+) Exam Vendor : CompTIA Version : DEMO Get Latest & Valid
More informationFinding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures
Finding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures Zhou Li, Indiana University Bloomington Sumayah Alrwais, Indiana University Bloomington
More informationTOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS
TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS 1 Introduction Your data and infrastructure are at the heart of your business. Your employees, business partners, and
More informationIOActive Security Advisory
IOActive Security Advisory Title Authors DNS TXT Record Parsing Bug in LibSPF2 Dan Kaminsky Date Reported October 21, 2008 Author Dan Kaminsky Abstract A relatively common bug that parses TXT records delivered
More informationPROTECTING YOUR BUSINESS ASSETS
PROTECTING YOUR BUSINESS ASSETS How to Spot Danger Before Your Computer Gets Infected, Your Site Hosts Malware, and Your Credit Card Number Gets Stolen A MyNAMS Presentation by Regina Smola @2012 Regina
More informationWE POWER YOUR MOBILE WORLD ENUM INTEGRATION MANUAL
ENUM INTEGRATION MANUAL 1 CONTENTS INTRODUCTION... 3 CONNECTIVITY... 3 TECHNICAL SPECIFICATION... 4 Valid format for ENUM server query... 4 ENUM server responses... 6 ENUM responses in case of error processing
More informationBehavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure
Behavior Based Malware Analysis: A Perspective From Network Traces and Program Run-Time Structure Chun-Ying Huang chuang@ntou.edu.tw Assistant Professor Department of Computer Science and Engineering National
More informationInformation Retrieval May 15. Web retrieval
Information Retrieval May 15 Web retrieval What s so special about the Web? The Web Large Changing fast Public - No control over editing or contents Spam and Advertisement How big is the Web? Practically
More informationMonitoring the Device
The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring
More informationIP Profiler. Tracking the activity and behavior of an IP address. Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP)
Security Intelligence June 2005 IP Profiler Tracking the activity and behavior of an IP address Author: Fred Thiele (GCIA, CISSP) Contributing Editor: David Mackey (GCIH, CISSP) Page 2 Contents 3 Profiling
More informationSmart Protection Network. Raimund Genes, CTO
Smart Protection Network Raimund Genes, CTO Overwhelmed by Volume of New Threats New unique samples added to AV-Test's malware repository (2000-2010) 20.000.000 18.000.000 16.000.000 14.000.000 12.000.000
More informationCounterACT Check Point Threat Prevention Module
CounterACT Check Point Threat Prevention Module Version 1.0.0 Table of Contents About the Check Point Threat Prevention Integration... 4 Use Cases... 4 Additional Check Point Threat Prevention Documentation...
More informationConfiguring and Monitoring the GeoDB
CHAPTER 8 This chapter describes how to implement the GeoIP database (GeoDB) proximity computation mechanism in GSS. From the latitudinal and longitudinal information in the GeoDB, GSS decides the proximity,
More informationDetect Cyber Threats with Securonix Proxy Traffic Analyzer
Detect Cyber Threats with Securonix Proxy Traffic Analyzer Introduction Many organizations encounter an extremely high volume of proxy data on a daily basis. The volume of proxy data can range from 100
More informationA Comprehensive CyberSecurity Policy
A Comprehensive CyberSecurity Policy Review of ALL NGFW Capabilities Attack Surface Reduction From Complex to Comprehensive Before and After of a PANW customer 1 2 1 Enhanced Policy on the L7 layer Leverage
More informationFile Reputation Filtering and File Analysis
This chapter contains the following sections: Overview of, page 1 Configuring File Reputation and Analysis Features, page 5 File Reputation and File Analysis Reporting and Tracking, page 14 Taking Action
More informationReduce Your Network's Attack Surface
WHITE PAPER Reduce Your Network's Attack Surface Ixia's ThreatARMOR Frees Up Security Resources and Personnel The Threat Landscape When you re dealing with network security, one of the primary measurements
More informationThe Crossed Swords wargame: Catching NATO red teams with cyber deception
The Crossed Swords wargame: Catching NATO red teams with cyber deception 2015-2018 Cymmetria Inc. All rights reserved. 2 BACKSTORY Once a year, the pentesters* and red teams of the countries of NATO descend
More informationInternet Content Distribution
Internet Content Distribution Chapter 1: Introduction Jussi Kangasharju Chapter Outline Introduction into content distribution Basic concepts TCP DNS HTTP Outline of the rest of the course Kangasharju:
More informationContent Distribution. Today. l Challenges of content delivery l Content distribution networks l CDN through an example
Content Distribution Today l Challenges of content delivery l Content distribution networks l CDN through an example Trends and application need " Some clear trends Growing number of and faster networks
More informationTracking Messages. Message Tracking Overview. Enabling Message Tracking. This chapter contains the following sections:
This chapter contains the following sections: Message Tracking Overview, page 1 Enabling Message Tracking, page 1 Searching for Messages, page 2 Working with Message Tracking Search Results, page 4 Checking
More informationConfigure WSA to Upload Log Files to CTA System
Configure WSA to Upload Log Files to CTA System Last updated: April 19, 2018 Conventions Introduction Prerequisites Requirements Components Used Configure Configure the Proxy Connect to Active Directory
More informationADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY
ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY OUTLINE Advanced Threat Landscape (genv) Why is endpoint protection essential? Types of attacks and how to prevent them
More informationLuminous: Bringing Big(ger) Data to the Fight
Luminous: Bringing Big(ger) Data to the Fight Norm Ritchie Drew Bagley ICANN Helsinki June, 2016 Secure Domain Foundation Non-profit Founded in 2014 Proactive mitigation of malicious domains used for cybercrime
More informationDO NOT OPEN UNTIL INSTRUCTED
CS 378 - Network Security and Privacy Spring 2017 FINAL May 3, 2017 DO NOT OPEN UNTIL INSTRUCTED YOUR NAME: Collaboration policy No collaboration is permitted on this exam. Any cheating (e.g., submitting
More informationActivating Intrusion Prevention Service
Activating Intrusion Prevention Service Intrusion Prevention Service Overview Configuring Intrusion Prevention Service Intrusion Prevention Service Overview Intrusion Prevention Service (IPS) delivers
More information