
Subject: Network Situational Awareness

DGA Domains with SSL Certificates? Why?

• CERT/CC Blog
Leigh Metcalf

CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream and I found some interesting phenomena....

Cache Poisoning of Mail Handling Domains Revisited

• CERT/CC Blog
Leigh Metcalf

In 2014 we investigated cache poisoning and found some in some damaging places, like mail-handling domains. It can't be assumed behaviors on the internet continue unchanged, so I wanted to repeat the measurement. I used our same passive DNS data source and the same method, but now four years later, to investigate this question....

Declaring War on Cyber Terrorism...or Something Like That

• CERT/CC Blog
Leigh Metcalf

This post is co-authored by Deana Shick, Eric Hatleback and Leigh Metcalf. Buzzwords are a mainstay in our field, and "cyberterrorism" currently is one of the hottest. We understand that terrorism is an idea, a tactic for actor groups to execute their own operations. Terrorists are known to operate in the physical world, mostly by spreading fear with traditional and non-traditional weaponry. As information security analysts, we also see products where "terrorists" are ranked in...

Persistent Little IP, Aren't You?

• CERT/CC Blog
Donald McKeon

What does it mean to say that an indicator is exhibiting persistent behavior? This is a question that Timur, Angela, and I have been asking each other for the past couple of months. In this blog post, we show you the analytics that we believe identify persistent behavior and how that identification can be used to identify potential threats as well as help with network profiling....

Choosing the History for a Profile in Simple Network Flow Anomaly Detection

• CERT/CC Blog
Angela Horneman

One of my responsibilities on the Situational Awareness Analysis team is to create analytics for various purposes. For the past few weeks, I've been working on some anomaly detection analytics for hunting in the network flow traffic of common network services. I decided to start with a very simple approach using mean and standard deviation for a historical period to create a profile that I could compare against current volumes. To do this, I planned...

Border Gateway Protocol Update Metric Analysis

• CERT/CC Blog
Leigh Metcalf

MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new program created at the CERT Division for searching the files. The program is designed to find routes that affect a given set of CIDR blocks, and to do it quickly....

Domain Blacklist Ecosystem - A Case Study

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now and the 2015 Verizon Data Breach Investigations Report has corroborated our general results. We get a lot of questions about which list is which and if we can recommend a list. We won't reveal which is which generally, but in this blog post we'll make a...

Baseline Network Flow Examples

• CERT/CC Blog
Angela Horneman

Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful. We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using...

Blacklist Ecosystem Analysis

• CERT/CC Blog
Jonathan Spring

Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper telling you everything you wanted to know about blacklists. Turns out, that did not save the Internet on its own. We're extending that analysis with more blacklist ecosystem analysis this year....

Domain Name Parking

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected." First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense location to a domain when it is not in use to keep it ready for "live"...

Domain Blocking: The Problem of a Googol of Domains

• CERT/CC Blog
Jonathan Spring

Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down: why e-crime pays (domains are so cheap it almost always pays) and comparisons among blacklists (they are largely disjoint, calling into question comprehensiveness)....

A Subversive Use of SiLK

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf. In this blog post I talk about a subversive use of SiLK, the open-source tool suite designed by the CERT/CC team at the SEI, available on the CERT website. This post is a technical walk through of how to use the SiLK tools to support analysis in interesting ways you may not have thought of....

Probable Cache Poisoning of Mail Handling Domains

• CERT/CC Blog
Jonathan Spring

Hi, this is Jonathan Spring with my colleague Leigh Metcalf. For some time now, we've been working through a problem we found, but it's time to discuss it more broadly. Using our passive DNS data source, we can observe cache poisoning. What we really observe are changes in the answers that are returned for certain domains, but after consulting with various experts, we believe the only behavior these changes indicate is a successful cache poisoning...

Investigating Advanced Persistent Threat 1

• CERT/CC Blog
Deana Shick

Hi, this is Deana Shick and Angela Horneman from the Threat Analysis and Situational Awareness teams. In this post we introduce our recently published technical report Investigating Advanced Persistent Threat 1, which shows the value of combining several unclassified datasets to explore known indicators of compromise (IOC)....

10 Years of FloCon

• CERT/CC Blog
George Jones

Hi, this is George Jones. I was conference chair of the 10th annual FloCon Conference that was held in Charleston, South Carolina, January 13-16, 2014. Check out the FloCon proceedings to learn about the work presented, and consider participating in future FloCons....

Practical Math for Your Security Operations - Part 3 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, security solutions engineer in the CERT Division again. In the earlier blog entries for this series, I introduced set theory and standard deviation. This blog entry is about entropy, a physics principle that has made its way into many mathematical applications. Entropy has been applied in many informational science topics. In this blog post, I introduce a way to use entropy to detect anomalies in network communications patterns....

Analyzing Routing Tables

• CERT/CC Blog
Timur Snoke

Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers. Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs), which uniquely identify networks on the Internet. To coordinate traffic between ASNs, the Border Gateway Protocol (BGP) advertises available routing paths that network traffic could take to access other IP addresses. BGP tables select and...

Working with the Internet Census 2012

• CERT/CC Blog
Timur Snoke

Hi, it's Timur Snoke of the CERT NetSA group, posting on behalf of Deana Shick and Angela Horneman. It's not every day that 9.6 terabytes of data is released into the public domain for further research. The Internet Census 2012 project scanned the entire IPv4 address space using the Nmap Scripting Engine (NSE) between March and December of 2012. The engineer of this data set (identity unknown) saved and released the collected data in early 2013....

Practical Math for Your Security Operations - Part 2 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically standard deviation. Mathematical terms such as standard deviation can seem mysterious for daily security operations. However, I've provided some simple examples to help you analyze network security data using this measurement....

Practical Math for Your Security Operations - Part 1 of 3

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security Operations Center). This pragmatic approach will hopefully help enhance your use of mathematics for network security....

A ccTLD Case Study: .tv

• CERT/CC Blog
Leigh Metcalf

Hello, this is Leigh Metcalf and Jonathan Spring. In this post, we first examine some of the usage patterns in the .tv top-level DNS zone via passive DNS. In the second half of the post, we explore the economic importance of the .tv domain to its owner, the small South Pacific island nation of Tuvalu. Combining these two analyses, it seems that suspicious domain names could be one of Tuvalu's more valuable exports....

Finding Patterns of Malicious Use in Bulk Registrations

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. In 2011, .co.cc [1] and .co.tv [2] were removed from Google's search results because of the high incidence of malicious domains (.cc is the TLD for the Cocos Islands and .tv is the TLD for Tuvalu). Neither of these domains is an official TLD of its respective country of origin, but is a zone in which the owner happens to make single subdomains freely available...

GeoIP in Your SOC (Security Operations Center)

• CERT/CC Blog
Vijay Sarvepalli

Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Program. Today, whether you're shopping for a new house or trying to find a babysitter, you end up using Google maps or a similar service to assist your decision making. In this blog post, I discuss GeoIP capabilities that can be built into your SOC to provide a spatial view of your network threats and how this view can help your network situational awareness....

Second Level Domain Usage in 2012 for Common Top Level Domains

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf with my colleague Jonathan Spring. Here is a look at second level domain (SLD) usage in 2012 for the most common generic Top Level Domains (gTLDs): biz, com, info, mobi, net, and org. We used two data sources: (1) the master zone files (RFC 1035 sec. 5) and (2) the SIE (http://sie.isc.org), a passive DNS data source. From these sources we examined three features of global gTLD usage: the number registered, the...

The Growth of IPv6 Announcements

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf again with my colleague Rhiannon Weaver. IPv6, the replacement for IPv4, has been heavily marketed. To consider exactly how popular IPv6 is on the internet, one method is to examine the number of autonomous systems (ASes) that announce IPv6....

An Alternate View of Announced IPv4 Space

• CERT/CC Blog
Leigh Metcalf

In my previous post, I examined the total amount of IPv4 space announced and presented cumulative graphics. While this view is useful in determining how much IPv4 space is announced, it doesn't say much about which IPv4 space is announced....

The Growth Rate of IP Addresses That Are Advertised as Usable on the Internet

• CERT/CC Blog
Leigh Metcalf

Hi, this is Leigh Metcalf of the Network Situational Awareness Team. Recently, I have been considering the amount of IPv4 space that is announced on the Internet. All blocks have been allocated, but how many are actually being used? To investigate this, I examined the routing tables to determine which networks were announced on the internet as usable from January 1, 2009 through December 31, 2012....

Watching Domains That Change DNS Servers Frequently

• CERT/CC Blog
Leigh Metcalf

Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently....

The Report "Network Profiling Using Flow" Released

• CERT/CC Blog
Austin Whisnant

Hi, this is Austin Whisnant of the CERT Network Situational Awareness Team (NetSA). After a long time in the making, NetSA has published an SEI technical report on how to inventory assets on a network using network flow data. Knowing what assets are on your network, especially those visible to outsiders, is an important step in gaining network situational awareness....

CNAME flux

• CERT/CC Blog
Jonathan Spring

Hello, this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name....

Challenges in Network Monitoring above the Enterprise

• CERT/CC Blog
Jonathan Spring

Recently George Jones and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT® Network Situational Awareness (NetSA) group: Is Large-Scale Network Security Monitoring Still Worth the Effort? One of the foundational principles behind most organizations' network security practices is still "defense in depth," which is implemented using a variety of security controls and monitoring at different locations...

"Network Monitoring for Web-Based Threats" Released

• CERT/CC Blog
Sid Faber

The CERT Network Situational Awareness (NetSA) team has published an SEI technical report on monitoring web-based threats. The report draws on related work such as OWASP but comes from a different point of view. While OWASP is focused on developing web applications securely, this report focuses more on situations where you don't have that control, but you need to protect servers and clients from web-based threats. The report may help you answer the following...

Blog Reorganization

• CERT/CC Blog
Chad Dougherty

Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams. The current RSS and Atom feeds will continue to work, but you may want to update to the corresponding new feed location now (RSS, Atom) in order to avoid any problems in the future. Past blog entries will...

Study of Malicious Domain Names: TLD Distribution

• CERT/CC Blog
Chad Dougherty

Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes: Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this initial research are very telling as to the true state of security on the internet....

Conficker.C: How Many Are There?

• CERT/CC Blog
Sid Faber

Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful....
