ripple effect (preso @s4)

Ripple EffectAlgorithmic Threat

Intelligence & ContainmentPing @OpenDNS.com

Ping

Came from China Was in U. of Arizona graduate school

Data mining, Machine learningInfoSec

Agenda

DNS transactions

The Ripple Effect

Case study - Cryptolocker

Demo

More IP, AS intel, the present and the past?

What is this traffic spikes all about?

What are all these weird stuff that one was requesting?

The Ripple Effect

The process of searching the newer and the unknown, … starting from the seeding intelligence

Cryptolocker DGA

1. Infection2. retrieve encryption key from CnC3. encrypt data files 4. collect money!

IP CnC fails quickly! DGA kicks in !

I don’t know the DGA!!!

https://sgraph.umbrella.com/domain-view/name/xvaxsxbptmerjb.com/view




Demohttp://labs.umbrella.com/wp-content/uploads/2013/09/cyl.gif

load https://sgraph.umbrella.com/thibault/Web/?name=xvaxsxbptmerjb.com

https://sgraph.umbrella.com/thibault/Web/?name=xvaxsxbptmerjb.com

https://sgraph.umbrella.com/thibault/Web/?name=xvaxsxbptmerjb.com

http://labs.umbrella.com/wp-content/uploads/2013/09/cyl.gif



The Algorithm

November 7th 144.76.192.13095.59.26.43

Beyond Cryptolocker

https://sgraph.umbrella.com/domain-view/name/o2i2394073g2oh2b34.com/view




QUESTIONS?

ripple effect (preso @s4)

Technology

cryptolocker https

cryptolocker dga

load https

ip cnc

dga kicks

demo http

seeding intelligence

data files