Explore a comprehensive approach to investigating and combating cybercrime in this Black Hat conference talk. Learn about strategies focusing on network attack surfaces and actor perspectives, including analysis of hosting IP space, DNS traffic, open ports, BGP announcements, ASN peerings, and SSL certificates. Discover methods for tracking trends, motivations, and TTPs of cyber criminals through infiltration of underground forums. Examine two types of bulletproof hosting infrastructures used in crimeware campaigns: fast flux proxy networks and dedicated servers from rogue hosting companies. Gain insights into using DNS traffic analysis, passive DNS mining algorithms, and novel methods leveraging SSL data to detect and map malware domains and compromised hosts. Understand how to proactively bridge the gap between actor and network views by identifying and blocking IP spaces of bulletproof hosters. Learn about the backend architecture using HBase and ElasticSearch for indexing and searching vast quantities of global Internet metadata to support threat research.
Towards a Holistic Approach in Building Intelligence to Fight Crimeware
Overview
Syllabus
Welcome
Introduction
Thomas Mathieu
Outline
What is cybercrime
Bulletproof hosting providers
SSL
Autonomous Systems
Actor View
Network View
SSL Analysis
Trustworthy Domains
Abdullah
Maxidead
Host Shield
OutHost
FastFox
UberGrants
ElfHost
Other Competitors
Sosweet
Dataflow
Badnesses
Xserve
BQHost
OurRacks
SSL Investigation
Data Source
Three Components
Data Platform Architecture
HBase
Row Key
Questions
What is a Deep Table
Why Elastic Search
Elastic Search Demo
Taught by
Black Hat
