Botnet operators have recently become more sophisticated, using SSL to secure communication within their proxy networks. Ironically, this added layer of security can serve as a useful signal for detecting malicious Zbot domains. Thomas Mathew and Dhia Mahjoub explain how they used graph and clustering analytics on an SSL scan dataset to identify domains associated with the Zbot botnet: representing the relationships between hosting ASNs and SSL certificates as a bipartite graph allows them to calculate entropy, which in turn reveals anomalous certificates. These certificates serve as seeds from which investigators can identify larger botnet-infected IP ranges using passive DNS data. Thomas and Dhia explain how to pivot off SSL hashes and passive DNS data to discover the botnet infrastructure and explore the added value of including SSL data in your intelligence platform.
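As an added illustration of the bipartite-graph step (example code, not the speakers' own), the following Python builds the ASN/certificate graph from constructed scan records and scores each certificate by the Shannon entropy of its ASN distribution. The threshold, and the assumption that a single certificate spread across many unrelated ASNs is the anomaly worth seeding from, are assumptions of this example, not details given in the abstract.

```python
"""Bipartite ASN <-> certificate graph with per-certificate ASN entropy."""
from collections import defaultdict
from math import log2

# Constructed SSL-scan records: (ip, hosting_asn, certificate_hash).
# ASNs and cert hashes are placeholders, not real indicators.
SCAN_RECORDS = [
    ("203.0.113.10", "AS64500", "cert-A"),
    ("203.0.113.11", "AS64500", "cert-A"),
    ("203.0.113.12", "AS64500", "cert-A"),
    ("198.51.100.5", "AS64501", "cert-B"),
    ("198.51.100.6", "AS64502", "cert-B"),
    ("192.0.2.7", "AS64503", "cert-B"),
    ("192.0.2.8", "AS64504", "cert-B"),
    ("192.0.2.9", "AS64505", "cert-B"),
    ("203.0.113.50", "AS64500", "cert-C"),
    ("198.51.100.50", "AS64501", "cert-C"),
]


def build_bipartite_graph(records):
    """Return weighted adjacency in both directions: cert -> {asn: n}, asn -> {cert: n}."""
    cert_to_asn = defaultdict(lambda: defaultdict(int))
    asn_to_cert = defaultdict(lambda: defaultdict(int))
    for _ip, asn, cert in records:
        cert_to_asn[cert][asn] += 1
        asn_to_cert[asn][cert] += 1
    return cert_to_asn, asn_to_cert


def shannon_entropy(counts):
    """Entropy (bits) of the distribution given by a {key: count} mapping."""
    total = sum(counts.values())
    return -sum((c / total) * log2(c / total) for c in counts.values() if c)


def certificate_entropies(records):
    """Entropy of each certificate's ASN distribution; 0 means a single ASN."""
    cert_to_asn, _ = build_bipartite_graph(records)
    return {cert: shannon_entropy(asns) for cert, asns in cert_to_asn.items()}


def anomalous_certificates(records, min_entropy=2.0):
    """Seed certificates: those whose ASN spread is unusually high (assumed threshold)."""
    return sorted(c for c, h in certificate_entropies(records).items() if h >= min_entropy)


def seed_ips(records, certs):
    """IPs serving a seed certificate: the starting point for passive-DNS pivoting."""
    wanted = set(certs)
    return sorted(ip for ip, _asn, cert in records if cert in wanted)
```

In the constructed data, cert-B is served from five different ASNs (entropy log2(5), about 2.32 bits) and is flagged, while cert-A (one ASN) and cert-C (two ASNs, 1 bit) are not.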
Thomas Mathew is a security researcher at Cisco Umbrella (OpenDNS), where he focuses on implementing pattern recognition algorithms to classify malware and botnets. His main focus is using time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School and a product and test engineer at Looxcie, a hands-free streaming video camera company. Thomas has coauthored a number of patents and is a frequent speaker at events such as ISOI APT, BruCon, FloCon, Kaspersky SAS, Black Hat, and DEF CON.
Dhia Mahjoub is the head of security research at Cisco Umbrella (OpenDNS), where he leads the core research team focused on large-scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security. He has coauthored patents with OpenDNS and regularly speaks at conferences worldwide, including Black Hat, DEF CON, Virus Bulletin, Botconf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC International One Conference, and Les Assises de la sécurité. Dhia holds a PhD in graph algorithms applied to problems in wireless sensor networks.
©2017, O'Reilly Media, Inc.