CertStream is a free service for getting information from the Certificate Transparency Log Network. I decided to investigate the presence of domains generated by Domain Generation Algorithms (DGA) in this stream and I found some intersting phenomena.
In 2014 we investigated cache poisoning and found some in some damaging places, like mail-handling domains. It can't be assumed behaviors on the internet continue unchanged, so I wanted to repeat the measurement. I used our same passive DNS data source and the same method, but now four years later, to investigate this question.
This post is co-authored by Deana Shick, Eric Hatleback and Leigh Metcalf
Buzzwords are a mainstay in our field, and "cyberterrorism" currently is one of the hottest. We understand that terrorism is an idea, a tactic for actor groups to execute their own operations. Terrorists are known to operate in the physical world, mostly by spreading fear with traditional and non-traditional weaponry. As information security analysts, we also see products where "terrorists" are ranked in terms of sophistication, just like any other cyber threat actor group. But how does the definition of "terrorism" change when adding the complexities of the Internet? What does the term "cyber terrorism" actually mean?
What does it mean to say that an indicator is exhibiting persistent behavior? This is a question that Timur, Angela, and I have been asking each other for the past couple of months. In this blog post, we show you the analytics that we believe identify persistent behavior and how that identification can be used to identify potential threats as well as help with network profiling.
One of my responsibilities on the Situational Awareness Analysis team is to create analytics for various purposes. For the past few weeks, I've been working on some anomaly detection analytics for hunting in the network flow traffic of common network services. I decided to start with a very simple approach using mean and standard deviation for a historical period to create a profile that I could compare against current volumes. To do this, I planned on binning network traffic by some length of time to find time periods with anomalous volumes. The question I then had to answer was, "How should I define the historical period?" In this post, I explain the process I used to answer that question.
MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new program created at the CERT Division for searching the files. The program is designed to find routes that affect a given set of CIDR blocks, and to do it quickly.
Hi all, this is Jonathan Spring with my colleagues Leigh Metcalf and Rhiannon Weaver. We've been studying the dynamics of the Internet blacklist ecosystem for a few years now and the 2015 Verizon Data Breach Investigations Report has corroborated our general results. We get a lot of questions about which list is which and if we can recommend a list. We won't reveal which is which generally, but in this blog post we'll make a small exception (with permission of course) in a case study to update the results.
Hi. This is Angela Horneman of the SEI's Situational Awareness team. I've generated service specific network flows to use as baseline examples for network analysis and am sharing them since others may find them helpful.
We have been looking at implementing Network Profiling in Analysis Pipeline to automatically generate lists of active servers and to alert when new IPs start acting as servers. As part of this initiative, we started looking at alternatives to using flags in the identification process, since not all collection methods capture TCP flag data. In this process, I looked for example network flows for verified services.
Hi all. Leigh Metcalf and I have been continuing our study of the cybersecurity ecosystem. Last year we published a long white paper telling you everything you wanted to know about blacklists. Turns out, that did not save the Internet on its own. We're extending that analysis with more blacklist ecosystem analysis this year.
Hello, this is Kate Meeuf of the SEI's Situational Awareness team. I'm pleased to announce the publication of the new technical report, Regional Use of Social Networking Tools, which explores regional preferences for social networking tools.
Hello, this is Jonathan Spring with my colleague Leigh Metcalf. Today, we're releasing a CERT/CC whitepaper on our investigations into domain name parking. The title summarizes our findings neatly: "Domain Parking: Not as Malicious as Expected."
First, let's review some definitions to make sure we're all on the same page. Domain parking is the practice of assigning a nonsense location to a domain when it is not in use to keep it ready for "live" use. When a domain is "parked" on an IP address, the IP address to which the domain resolves is inactive or otherwise not controlled by the same entity that controls the domain.
Hi all, this is Jonathan Spring. I've written a bit about some challenges with blacklisting, such as about the dynamics of domain take-down: why e-crime pays (domains are so cheap it almost always pays) and comparisons among blacklists (they are largely disjoint, calling into question comprehensiveness).
Hi, this is Leigh Metcalf. In this blog post I talk about a subversive use of SiLK, the open-source tool suite designed by the CERT/CC team at the SEI, available on the CERT website. This post is a technical walk through of how to use the SiLK tools to support analysis in interesting ways you may not have thought of.
Hi, this is Jonathan Spring with my colleague Leigh Metcalf. For some time now, we've been working through a problem we found, but it's time to discuss it more broadly. Using our passive DNS data source, we can observe cache poisoning. What we really observe are changes in the answers that are returned for certain domains, but after consulting with various experts, we believe the only behavior these changes indicate is a successful cache poisoning attack.
Hi this is Deana Shick and Angela Horneman from the Threat Analysis and Situational Awareness teams. In this post we introduce our recently published technical report Investigating Advanced Persistent Threat 1, which shows the value of combining several unclassified datasets to explore known indicators of compromise (IOC).
Hi, this is George Jones, I was conference chair of the 10th annual FloCon Conference that was held in Charleston, South Carolina, January 13-16, 2014. Check out the FloCon proceedings to learn about the work presented, and consider participating in future FloCons.
Hi, this is Vijay Sarvepalli, security solutions engineer in the CERT Division again. In the earlier blog entries for this series, I introduced set theory and standard deviation. This blog entry is about entropy, a physics principle that has made its way into many mathematical applications. Entropy has been applied in many informational science topics. In this blog post, I introduce a way to use entropy to detect anomalies in network communications patterns.
Hi, Timur Snoke here with a description of maps I've developed that use Border Gateway Protocol routing tables to show the evolution of public-facing autonomous system numbers.
Organizations that route public internet protocol (IP) addresses receive autonomous system numbers (ASNs), which uniquely identify networks on the Internet. To coordinate traffic between ASNs, the Border Gateway Protocol (BGP) advertises available routing paths that network traffic could take to access other IP addresses. BGP tables select and advertise the best routes for network traffic. Consequently, BGP data often provide better insight into traffic ownership than the physical or the logical layer. This blog post describes maps that I have developed that use BGP routing tables to represent the evolution of public-facing ASNs.
Hi, it's Timur Snoke of the CERT NetSA group, posting on behalf of Deana Shick and Angela Horneman. It's not every day that 9.6 terabytes of data is released into the public domain for further research. The Internet Census 2012 project scanned the entire IPv4 address space using the Nmap Scripting Engine(NSE) between March and December of 2012. The engineer of this data set (identity unknown) saved and released the collected data in early 2013. The data is broken down into seven types of scan results: ICMP ping, reverse DNS, service probes, host probes, syncscan queries, TCP/IP fingerprints, and traceroute.
Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division again. In my earlier blog post, I offered some ideas for applying set theory in your SOC (Security Operations Center). This time I introduce you to statistics, specifically standard deviation. Mathematical terms such as standard deviation can seem mysterious for daily security operations. However, I've provided some simple examples to help you analyze network security data using this measurement.
Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Division. Mathematics is part of your daily tasks if you're a security analyst. In this blog post series, I'll explore some practical uses of math in your SOC (Security Operations Center). This pragmatic approach will hopefully help enhance your use of mathematics for network security.
Hello, this is Leigh Metcalf and Jonathan Spring. In this post, we first examine some of the usage patterns in the .tv top-level DNS zone via passive DNS. In the second half of the post, we explore the economic importance of the .tv domain to its owner, the small South Pacific island nation of Tuvalu. Combining these two analyses, it seems that suspicious domain names could be one of Tuvalu's more valuable exports.
Hi, this is Leigh Metcalf with my colleague Jonathan Spring. In 2011, .co.cc  and .co.tv  were removed from Google's search results because of the high incidence of malicious domains (.cc is the TLD for the Cocos Islands and .tv is the TLD for Tuvalu). Neither of these domains is an official TLD of its respective country of origin, but is a zone in which the owner happens to make single subdomains freely available and charge a nominal fee for bulk registrations. Similarly, an APWG report for the second half 2011 lists .tk, the TLD of the island of Tokulu, as the most common TLD used in phishing attacks. It also permits free domain registration.
Hi, this is Vijay Sarvepalli, Security Solutions Engineer in the CERT Program. Today, whether you're shopping for a new house or trying to find a babysitter, you end up using Google maps or a similar service to assist your decision making. In this blog post, I discuss GeoIP capabilities that can be built into your SOC to provide a spatial view of your network threats and how this view can help your network situational awareness.
Hi, this is Leigh Metcalf with my colleague Jonathan Spring. Here is a look at second level domain (SLD) usage in 2012 for the most common generic Top Level Domains (gTLDs): biz, com, info, mobi, net, and org. We used two data sources: (1)the master zone files (RFC 1035 sec. 5) and (2) the SIE (http://sie.isc.org), a passive DNS data source. From these sources we examined three features of global gTLD usage--the number registered, the number active, and the ratio.
Hi, this is Leigh Metcalf again with my colleague Rhiannon Weaver. IPv6, the replacement for IPv4, has been heavily marketed. To consider exactly how popular IPv6 is on the internet, one method is to examine the number of autonomous systems (ASes) that announce IPv6.
In my previous post, I examined the total amount of IPv4 space announced and presented cumulative graphics. While this view is useful in determining how much IPv4 space is announced, it doesn't say much about which IPv4 space is announced.
Hi, this is Leigh Metcalf of the Network Situational Awareness Team. Recently, I have been considering the amount of IPv4 space that is announced on the Internet. All blocks have been allocated, but how many are actually being used? To investigate this, I examined the routing tables to determine which networks were announced on the internet as usable from January 1, 2009 through December 31, 2012.
Hello, this is Leigh Metcalf of the CERT Network Situational Awareness (NetSA) Team. Timur Snoke and I have discovered some interesting results in our continuing examination of the public Domain Name System (DNS). Our work has been focusing on domains that change their name servers frequently.
Hi, this is Austin Whisnant of the CERT Network Situational Awareness Team (NetSA). After a long time in the making, NetSA has published an SEI technical report on how to inventory assets on a network using network flow data. Knowing what assets are on your network, especially those visible to outsiders, is an important step in gaining network situational awareness.
Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name.
One of the foundational principles behind most organizations' network security practices is still "defense in depth," which is implemented using a variety of security controls and monitoring at different locations in an organization's networks and systems. As part of a defense-in-depth strategy, it has become commonplace for organizations to build enterprise security operations centers (SOCs) that rely in part on monitoring the extremely large volumes of network traffic at the perimeter of their networks. There has been a recent trend toward increased investment in (and reliance on) network monitoring "above the enterprise" in order to simplify sensor deployments, decrease cost, and more easily centralize operations. At the same time, the idea of a well-defined defensible perimeter is being challenged by cloud computing, the insider threat, the so-called advanced persistent threat problem, and the prevalence of socially-engineered application-level attacks over network-based attacks. For an opinion piece about how things have changed, read Rik Farrow's article in the USENIX magazine ;login:.
The report draws on related work such as OWASP but comes from a different point of view. While OWASP is focused on developing web applications securely, this report focuses more on situations where you don't have that control, but you need to protect servers and clients from web-based threats. The report may help you answer the following questions:
- What kinds of network monitoring do you need to do?
- How do you identify the attacks?
- How do you prevent them at the network level?
At more than 100 pages, the report is as comprehensive as we could make it and still get it out in a (relatively) timely manner.
Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams.
The current RSS and Atom feeds will continue to work, but you may want to update to the corresponding new feed location now (RSS, Atom) in order to avoid any problems in the future.
Past blog entries will continue to be available at the existing URLs.
Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes:
Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this initial research are very telling as to the true state of security on the internet.
Hello, Sid Faber from the Network Situational Awareness group at CERT. Like just about everyone else, we've been following the Conficker worm for a while and thought some updated stats on the Conficker.C variant might be useful.