August 10, 2016 at 9:40 am #19823
Before detecting cyber threats, it is important to understand how they function and behave. Then, understanding the behavior, you can mount a defense with Kamanja.
Before we get to that level of detail, let's build up to it slowly. We understand that cyber attacks and defense are an arms race, with escalation steps.
* ATTACK: The hackers use one of many methods to get a computer infected. The infected computer communicates back to a Command and Control (C&C) server, which controls it to create a larger roBOT NETwork, or botnet. The C&C can use the botnet as a) their own cloud computing platform, b) identity theft, by sending back Personally Identifiable Information (PII) such as name, contact info, financial accounts, passwords, c) if in a company, laterally attacking other employees to enlarge the infection, d) starting a spambot, to infect more computers with spam.
* DEFENSE: Companies and security vendors create a “black list” of IPs and websites to block, as known C&C servers.
* ATTACK: The hackers start switching C&C servers faster and faster.
* DEFENSE: The defenders build the black list faster and faster.
* ATTACK: The hackers start to use a C&C node for only 24 hours after registering the domain name. Then, after the 24 hours (or some short time), they abandon it forever. How do they do this? They embed a DGA or Domain Name Generation program in the virus, in the infected computer. This is also called “domain fluxing” or “fast flux”, for the rapid IP domain name changes. See the 2007 Storm Worm for one example. The design is for each of the 100k infected computers in a botnet to generate one of a FIXED LIST of 1,000 random domain names. On the C&C side, the black hat hacker registers one or a few new domains from the same FIXED LIST. Now, only a percentage of the computers in a given day may reach the C&C node for the current commands. However, the ones that do connect can communicate inside the firewall laterally to ALL the other infected computers in the company (i.e. Target, Sony, ...).
* DEFENSE: contact Ligadata at firstname.lastname@example.org. We can scan your weblogs, to identify which internal computers have reached out to a botnet. Would you like to share your botnet blacklist with others, with some domains that have not yet been activated?
- This topic was modified 1 year, 4 months ago by Greg Makowski.
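The weblog scan described in the DEFENSE step above, as an added example that is not part of the original post and not Kamanja's or Ligadata's code: it parses constructed proxy-log lines (timestamp, internal host, destination domain, HTTP status; a status of 0 is this example's convention for a failed connection), matches each domain against a constructed C&C blacklist (placeholder names, not real indicators), and separately flags hosts that reach for several random-looking second-level labels, which is the visible footprint of a DGA client cycling through its fixed list. The entropy and vowel-ratio thresholds are assumptions chosen for illustration, not a tuned detector.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy-log lines (not real traffic).
# Fields: timestamp, internal host IP, destination domain, HTTP status (0 = connection failed).
SAMPLE_LOG = """\
2016-08-10T09:40:01 10.1.2.15 www.example.com 200
2016-08-10T09:40:03 10.1.2.15 cdn.example.net 200
2016-08-10T09:41:10 10.1.2.77 kq3xz8vmdl.info 0
2016-08-10T09:41:12 10.1.2.77 p9wtrz4hbcx.biz 0
2016-08-10T09:41:15 10.1.2.77 dhx2nv7qa.org 0
2016-08-10T09:41:20 10.1.2.77 evil-c2-placeholder.example 200
2016-08-10T09:42:00 10.1.2.30 mail.example.org 200
"""

# Constructed blacklist of domains already attributed to C&C use (placeholders, not real IoCs).
BLACKLIST = {"evil-c2-placeholder.example", "another-c2-placeholder.example"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Yield (timestamp, host, domain, status) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower().rstrip("."), int(m.group(4))


def shannon_entropy(s):
    """Bits of entropy per character of s (higher means less predictable)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain):
    """'kq3xz8vmdl.info' -> 'kq3xz8vmdl'; the label a DGA actually generates."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def looks_generated(domain, min_len=8, min_entropy=3.0, max_vowel_ratio=0.3):
    """Assumed heuristic: long, high-entropy, vowel-poor labels look machine generated."""
    label = second_level_label(domain)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) < max_vowel_ratio


def scan(log_text, blacklist, suspicious_threshold=3):
    """Return {host: {"blacklist_hits": [...], "dga_like": [...], "flag": bool}}.

    A host is flagged on any blacklist hit, or on reaching at least
    suspicious_threshold distinct DGA-looking domains (the fixed-list footprint).
    """
    blacklisted = defaultdict(set)
    generated = defaultdict(set)
    for _ts, host, domain, _status in parse_log(log_text):
        if domain in blacklist:
            blacklisted[host].add(domain)
        elif looks_generated(domain):
            generated[host].add(domain)
    findings = {}
    for host in set(blacklisted) | set(generated):
        findings[host] = {
            "blacklist_hits": sorted(blacklisted[host]),
            "dga_like": sorted(generated[host]),
            "flag": bool(blacklisted[host]) or len(generated[host]) >= suspicious_threshold,
        }
    return findings


if __name__ == "__main__":
    for host, info in sorted(scan(SAMPLE_LOG, BLACKLIST).items()):
        print(host, "FLAGGED" if info["flag"] else "review", info)
```

On the constructed input only 10.1.2.77 is reported: one blacklist hit plus three random-looking domains. Keeping the two signals separate matters in practice, because the blacklist catches domains already activated while the DGA-like count surfaces hosts that are cycling through not-yet-registered names, which is exactly the set the post proposes sharing before activation.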