Build Better Defenses
October 29–30, 2017: Training
October 30–November 1, 2017: Tutorials & Conference
New York, NY

Malicious CDNs: Tracking botnets using open source SSL data

Thomas Mathew (Cisco Umbrella (OpenDNS)), Dhia Mahjoub (Cisco Umbrella (OpenDNS))
4:45pm–5:25pm Tuesday, October 31, 2017
Security analytics
Location: Sutton North
Average rating: 4.00 (2 ratings)

Who is this presentation for?

  • Security researchers

Prerequisite knowledge

  • Familiarity with general internet architecture (ASN, BGP, etc.) and SSL

What you'll learn

  • Learn how graph and clustering analytics on an SSL scan dataset can help identify domains associated with the Zbot botnet


Botnet operators have recently become more sophisticated, leveraging SSL to ensure secure communication within their proxy networks. Ironically, this added layer of security can serve as a useful signal for detecting malicious Zbot domains. Thomas Mathew and Dhia Mahjoub explain how they used graph and clustering analytics on an SSL scan dataset to identify domains associated with the Zbot botnet: representing the relationships between hosting ASNs and SSL certificates as a bipartite graph allows you to calculate entropy, which enables the discovery of anomalous certificates. These certificates serve as seeds for investigators to identify larger botnet-infected IP ranges using passive DNS data. Thomas and Dhia explain how to pivot off SSL hashes and passive DNS data to discover the botnet infrastructure and explore the added value of including SSL data in your intelligence platform.
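The bipartite-graph entropy step described above, as an added illustration that is not the speakers' code: each certificate fingerprint is linked to the ASNs of the IPs that served it in the scan, the Shannon entropy of that ASN distribution is computed per certificate, and certificates spread across unusually many unrelated ASNs are returned as seeds for the passive DNS pivot. The scan records, fingerprints, ASNs and the 2-bit threshold are constructed assumptions, not values from the talk.

```python
import math
from collections import defaultdict

# Constructed scan records: (IP, hosting ASN, certificate fingerprint).
# Fingerprints and ASNs are placeholders, not real observed values.
SCAN_RECORDS = [
    ("198.51.100.10", "AS64500", "cert-A"),
    ("198.51.100.11", "AS64500", "cert-A"),
    ("198.51.100.12", "AS64500", "cert-A"),
    ("203.0.113.5",   "AS64501", "cert-B"),
    ("203.0.113.6",   "AS64501", "cert-B"),
    ("203.0.113.7",   "AS64502", "cert-B"),
    ("203.0.113.8",   "AS64502", "cert-B"),
    ("192.0.2.1",     "AS64510", "cert-X"),
    ("192.0.2.2",     "AS64511", "cert-X"),
    ("192.0.2.3",     "AS64512", "cert-X"),
    ("192.0.2.4",     "AS64513", "cert-X"),
    ("192.0.2.5",     "AS64514", "cert-X"),
    ("192.0.2.6",     "AS64515", "cert-X"),
]

def build_bipartite(records):
    """Bipartite graph as certificate -> {ASN: number of IPs serving it there}."""
    graph = defaultdict(lambda: defaultdict(int))
    for _ip, asn, cert in records:
        graph[cert][asn] += 1
    return graph

def shannon_entropy(counts):
    """Entropy in bits of one certificate's distribution over ASNs."""
    total = sum(counts)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def rank_certificates(graph):
    """Rows of (cert, entropy_bits, asn_count), highest entropy first."""
    rows = [(cert, shannon_entropy(asns.values()), len(asns))
            for cert, asns in graph.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def flag_anomalous(graph, min_bits=2.0):
    """Certificates whose ASN spread exceeds an assumed threshold (in bits)."""
    return [cert for cert, bits, _n in rank_certificates(graph) if bits >= min_bits]

if __name__ == "__main__":
    g = build_bipartite(SCAN_RECORDS)
    for cert, bits, n in rank_certificates(g):
        print(f"{cert}: {bits:.3f} bits over {n} ASNs")
    print("seeds for passive DNS pivot:", flag_anomalous(g))
```

A certificate confined to one hosting ASN scores 0 bits, while one served from six different ASNs scores log2(6) bits, which is what singles it out for further investigation.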

Topics include:

  • Using graph analytics to identify patterns in networked data
  • Understanding the relationship between large hosting providers and SSL content
  • Creating filters to help denoise large noisy datasets
  • How SSL information can provide valuable network intelligence for tracking threat infrastructure

Thomas Mathew

Cisco Umbrella (OpenDNS)

Thomas Mathew is a security researcher at Cisco Umbrella (OpenDNS), where he focuses on implementing pattern recognition algorithms to classify malware and botnets. His main focus is using time series techniques on network sensor data to identify malicious threats. Previously, Thomas was a researcher at UC Santa Cruz and the US Naval Postgraduate School and a product and test engineer at Looxcie, a hands-free streaming video camera company. Thomas has coauthored a number of patents and is a frequent speaker at events such as ISOI APT, BruCon, FloCon, Kaspersky SAS, Black Hat, and DEF CON.

Dhia Mahjoub

Cisco Umbrella (OpenDNS)

Dhia Mahjoub is the head of security research at Cisco Umbrella (OpenDNS), where he leads the core research team focused on large-scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security. He has coauthored patents with OpenDNS and regularly speaks at conferences worldwide, including Black Hat, DEF CON, Virus Bulletin, Botconf, ShmooCon, FloCon, Kaspersky SAS, Infosecurity Europe, RSA, Usenix Enigma, ACSC, NCSC International One Conference, and Les Assises de la sécurité. Dhia holds a PhD in graph algorithms applied to problems in wireless sensor networks.