Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Mapping adversary infrastructure using DNS

Merike Kaeo (Farsight Security)
14:10–14:50 Thursday, 10 November, 2016
Security in context (security datasci)
Location: G104/105 Level: Intermediate
Average rating: ****.
(4.40, 5 ratings)

Prerequisite knowledge

  • A basic understanding of DNS fundamentals as well as a general knowledge of IP addressing
  • A basic understanding of IPv6 (useful but not required)

What you'll learn

  • Learn how online criminal campaigns can be mapped because of shared IP addresses and shared name servers
  • Understand how more accurately mapping criminal campaigns through the use of DNS-based information can aid law enforcement agencies and civil investigators in avoiding incomplete or dysfunctional attempts at takedowns and thwart criminal attempts at achieving infrastructure operational resilience


Nothing good or bad can happen on the Internet without involving the Domain Name System (DNS). DNS offers a commanding view of both the local and global Internet and can provide unparalleled intelligence on cybercriminals and their attack methods. During investigations, incident response professionals are increasingly using DNS to build out indicators of compromise (IOC)s and other threat indicators to map the attackers’ entries and lateral movements throughout their networks.

Merike Käo shares the latest insights on the value of DNS to today’s cyber investigations as well as real-world examples of how incident responders, SOC analysts, and more are using real-time global DNS observations to significantly improve response time and accuracy to today’s cyberattacks.

Topics include:

  • How to correlate IP addresses and domain names to map malware campaigns
  • What intelligence newly observed domain names can provide
  • Where DNS changes can alert SOC analysts to potential criminal behavior
  • What added intelligence is provided by combining Passive DNS and WHOIS information
  • Specific examples address a variety of malware scams, including targeted phishing campaigns and counterfeiting legitimate businesses
Photo of Merike Kaeo

Merike Kaeo

Farsight Security

Merike Käo is the CTO of Farsight Security, where she is responsible for developing the company’s technical strategy and executing its vision. Merike is a recognized global expert in information security. Previously, Merike was CISO for Internet Identity (IID), where she created the strategic direction for improving and evolving the corporate security posture, and founder of Doubleshot Security, where she worked with numerous companies creating strategic operational security and resilient networking architectures. She led security and IPv6-focused strategies at numerous companies, including Boeing, Comcast, and T-Mobile, and worked for Cisco Systems, Inc., where she instigated and led the company’s first security initiative and focused on technical issues relating to network and application performance, routing protocols, and large-scale network design.

Merike is the author of Designing Network Security (Cisco). She is a member of the IEEE and has been an active contributor in the IETF since 1992. She cochaired the IP Performance Metrics (IPPM) working group from 2000 to 2003 and has actively contributed to numerous IETF working groups with a specific focus on operational sanity. She was named an IPv6 Forum Fellow in 2007 for her continued efforts to raise awareness of IPv6 related security paradigms. Merike holds a BSEE from Rutgers University and an MSEE from the George Washington University.