big data in cyber security
TRANSCRIPT
Slide 1: Big Data in Cyber Security
Big Data in Cyber Security, 2016
Simon Arnell, Chief Technologist – Security Services
Slide 2: DNS Malware Analytics
Detecting compromised systems based on network usage
Slide 3: The security operations challenge
[Diagram: CMU CERT/CC Incident Lifecycle. Inputs (hotline/help desk call center, IDS, other) feed Triage, which receives incident reports, vulnerability reports and information requests. Analysis follows: analyze, obtain contact information, provide technical assistance, coordinate information and response. The lifecycle ends in Resolution. Timescale annotations on the diagram: "?", days, weeks, months.]
Slide 4: Security operations research
[Diagram: the same CMU CERT/CC Incident Lifecycle as slide 3 (hotline/help desk call center, IDS, other -> Triage -> incident report, vulnerability report, information request -> analyze, obtain contact information, provide technical assistance, coordinate information and response -> Resolution), annotated with two research directions: early detection (Big Data) and rapid response (software-defined networking).]
Slide 5: What is DNS?
[Diagram: client/server resolution of service.company.com]
Client -> Local DNS server: Query: service.company.com?
Local DNS server: check cache, check for zone
Local DNS server -> DNS root ".": Query: service.company.com? REPLY: ask ".com"
Local DNS server -> DNS .com: Query: service.company.com? REPLY: ask "company.com"
Local DNS server -> DNS company.com: Query: service.company.com? REPLY: 58.25.88.90
Local DNS server -> Client: Reply: 58.25.88.90
DNS traffic generated by:
- Users (e.g. by browsing web sites)
- Applications, servers, etc.
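The resolution walk on slide 5 as runnable code. This is an added example, not material from the deck or from HPE: the toy authoritative namespace (`AUTHORITY`) and the `LocalDnsServer` class are constructed here, while the zone names and the address 58.25.88.90 are the ones the slide uses. It shows the cache check, the referral chain root -> com -> company.com, and what a name that nobody answers for produces (the NXDOMAIN outcome the abuse-case slides later depend on).

```python
"""Toy iterative DNS resolution mirroring slide 5. Added example; not code from the deck."""

# Constructed authoritative data: zone -> (zones it delegates, names it answers for).
# The names and the address 58.25.88.90 are the ones used on the slide.
AUTHORITY = {
    ".": ({"com"}, {}),
    "com": ({"company.com"}, {}),
    "company.com": (set(), {"service.company.com": "58.25.88.90"}),
}


class LocalDnsServer:
    """The client's local (recursive) resolver: checks its cache, then walks the hierarchy."""

    def __init__(self, authority):
        self.authority = authority
        self.cache = {}

    def resolve(self, qname):
        """Return (address or None, trace of the exchange as the slide draws it)."""
        trace = [f"Query: {qname}?"]
        if qname in self.cache:
            trace.append(f"cache hit -> {self.cache[qname]}")
            return self.cache[qname], trace
        zone = "."
        while True:
            delegations, records = self.authority[zone]
            if qname in records:
                answer = records[qname]
                trace.append(f"{zone}: REPLY {answer}")
                self.cache[qname] = answer
                return answer, trace
            # Referral: this server does not know the name but knows who serves a closer zone.
            referral = next((z for z in delegations if qname.endswith("." + z)), None)
            if referral is None:
                trace.append(f"{zone}: NXDOMAIN")
                return None, trace
            trace.append(f'{zone}: REPLY ask "{referral}"')
            zone = referral


if __name__ == "__main__":
    server = LocalDnsServer(AUTHORITY)
    for name in ("service.company.com", "service.company.com", "akaajkajkajd.cn"):
        answer, trace = server.resolve(name)
        print(answer, trace)
```

The second lookup of the same name never leaves the local server, which is why a resolver's cache hides repeated queries from the upstream hierarchy, and why a capture point close to the clients (slide 8's network tap in front of the DNS servers) sees more than the authoritative side ever will.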
Slide 6: Abuse case: Botnet command and control
[Diagram: bot queries its DNS server for akaajkajkajd.cn?, xisyudnwuxu.ru?, dfknwerpbnp.biz?, mneyqslgyb.info?, cspcicicipisjjew.hu?; only mneyqslgyb.info resolves, to the C2 server]
The attacker can't maintain the C2 server at one IP address for very long, so it registers a random domain name temporarily.
The bot tries a bunch of random names until it finds one that resolves.
Slide 7: Abuse case: DNS tunneling (via subdomains)
[Diagram: bot -> DNS server -> (compromised) DNS server for example.com, queried for 93cc3daf.example.com, 4fac3215.example.com, a86f4221.example.com, ddee9152.example.com, 8bd5ff12.example.com, d4bb92a1.example.com, ef409132.example.com, 1bfa3207.example.com, 298c5b3a.example.com]
Slide 8: Solution architecture: Overview
[Diagram of components:
- DNS server(s), mirrored through a network tap into the HPL DNS packet capture (DNS queries and responses)
- Whitelist and blacklist inputs
- ArcSight Logger: event logging
- ArcSight ESM: correlation and alerting
- HPL Security Analytics and Visualization Solution: threat insight; real-time processing; near-time, historical analysis
- DNS events: queries and replies]
Slide 9: Screenshots of Big Data for Security – pre DMA
Slide 10: Productisation
Screenshot from HPE DNS Malware Analytics
– Cloud-based managed or self-service analytics with on-premises capture modules
– Yearly subscription
– Bolt-on upgrades
  – Events per second
  – Number of capture modules
Slide 11: Service architecture
[Diagram: enterprise side (SOC, DNS server/cluster, DNS Capture Module) feeding the Analytics cloud; SIEM and UI as outputs]
DNS Capture Module
– Filter out 99% of traffic*
– Tag events (blacklist matching, DGA detection)
– Statistics and diagnostics
DNS analytics
– Constantly analyze DNS data for security threats
– Alerting
– Data visualization and exploration
– SaaS/Cloud
Alerts (infected system) -> Level 1 Analyst
Web-based detail and visual drill-down -> Hunt Team
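A toy version of the capture-and-analytics pipeline described on slides 6, 7 and 11: whitelist filtering, per-event tagging (blacklist match, NXDOMAIN, high-entropy label) and per-client statistics that raise alerts for DGA-style and tunneling-style behaviour. This is an added example, not HPE DNS Malware Analytics code: the event records, the whitelist and blacklist contents, the thresholds and the entropy heuristic are all constructed assumptions; the domain names are the ones shown on slides 6 and 7.

```python
"""Toy DNS analytics pipeline: whitelist filter -> tag events -> per-client statistics -> alerts.
Added example for slides 6, 7 and 11 of the deck; not HPE product code."""
import math
from collections import defaultdict

# Constructed sample DNS events (not captured data): (client IP, queried name, response code).
SAMPLE_EVENTS = [
    ("10.0.0.5", "www.company.com", "NOERROR"),
    ("10.0.0.5", "mail.company.com", "NOERROR"),
    ("10.0.0.5", "updates.vendor-example.net", "NOERROR"),
    # Slide 6 pattern: many random names, most fail, one resolves to the C2 server.
    ("10.0.0.7", "akaajkajkajd.cn", "NXDOMAIN"),
    ("10.0.0.7", "xisyudnwuxu.ru", "NXDOMAIN"),
    ("10.0.0.7", "dfknwerpbnp.biz", "NXDOMAIN"),
    ("10.0.0.7", "cspcicicipisjjew.hu", "NXDOMAIN"),
    ("10.0.0.7", "mneyqslgyb.info", "NOERROR"),
    # Slide 7 pattern: many distinct hex-looking labels under one zone, all answered.
    ("10.0.0.9", "93cc3daf.example.com", "NOERROR"),
    ("10.0.0.9", "4fac3215.example.com", "NOERROR"),
    ("10.0.0.9", "a86f4221.example.com", "NOERROR"),
    ("10.0.0.9", "ddee9152.example.com", "NOERROR"),
    ("10.0.0.9", "8bd5ff12.example.com", "NOERROR"),
    ("10.0.0.9", "d4bb92a1.example.com", "NOERROR"),
]

WHITELIST = {"company.com"}       # assumed known-good zones; dropped before analysis (the slide's "filter out")
BLACKLIST = {"mneyqslgyb.info"}   # assumed threat-intel indicator (the C2 name from slide 6)

NXDOMAIN_THRESHOLD = 3     # distinct zones returning NXDOMAIN per client before a DGA alert
SUBDOMAIN_THRESHOLD = 5    # distinct high-entropy labels under one zone before a tunneling alert
ENTROPY_THRESHOLD = 2.0    # bits per character; 8-char hex labels score 2.5-3.0, "www" scores 0


def registered_domain(qname):
    """Last two labels: 'a.b.example.com' -> 'example.com'. No public-suffix list in this toy."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def tag_event(qname, rcode):
    """Per-event tags: the cheap stage that would run inside the capture module."""
    tags = []
    if registered_domain(qname) in BLACKLIST:
        tags.append("blacklist")
    if rcode == "NXDOMAIN":
        tags.append("nxdomain")
    labels = qname.split(".")
    if len(labels) > 2 and shannon_entropy(labels[0]) >= ENTROPY_THRESHOLD:
        tags.append("high-entropy-subdomain")
    return tags


def analyze(events):
    """Filter, tag, then aggregate per client; returns the filtered count and alerts per client."""
    filtered = 0
    kept = []
    for client, qname, rcode in events:
        if registered_domain(qname) in WHITELIST:
            filtered += 1
            continue
        kept.append((client, qname, rcode, tag_event(qname, rcode)))

    failed_zones = defaultdict(set)                     # client -> zones that returned NXDOMAIN
    subdomains = defaultdict(lambda: defaultdict(set))  # client -> zone -> high-entropy labels
    alerts = defaultdict(list)
    for client, qname, rcode, tags in kept:
        zone = registered_domain(qname)
        if "blacklist" in tags:
            alerts[client].append(f"blacklist hit: {qname}")
        if "nxdomain" in tags:
            failed_zones[client].add(zone)
        if "high-entropy-subdomain" in tags:
            subdomains[client][zone].add(qname.split(".")[0])

    for client, zones in failed_zones.items():
        if len(zones) >= NXDOMAIN_THRESHOLD:
            alerts[client].append(f"possible DGA: {len(zones)} distinct zones returned NXDOMAIN")
    for client, per_zone in subdomains.items():
        for zone, labels in per_zone.items():
            if len(labels) >= SUBDOMAIN_THRESHOLD:
                alerts[client].append(
                    f"possible DNS tunneling: {len(labels)} high-entropy subdomains of {zone}")
    return {"filtered": filtered, "alerts": dict(alerts)}


if __name__ == "__main__":
    for client, found in analyze(SAMPLE_EVENTS)["alerts"].items():
        print(client, found)
```

Two points the code makes that the slides only imply: a single odd-looking label is not evidence (the constructed `updates` label scores about 2.8 bits per character and is tagged, yet raises nothing, because the tunneling rule needs many distinct labels under one zone), and the DGA rule keys on failed lookups per client rather than on any one name, which is why the bot's single successful C2 resolution is caught by the blacklist tag instead. In a real deployment the whitelist stage is where the "filter out 99% of traffic" on slide 11 happens, so the per-client state only has to be kept for what survives it.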