FloCon 2018 has ended
Tucson, AZ – January 8-11, 2018
Tuesday, January 9 • 3:00pm - 3:30pm
When Threat Hunting Fails: Identifying Malvertising Domains Using Lexical Clustering

From Java drive-bys to Adobe Flash exploits, low- and mid-tier ad networks have traditionally been the distribution point of choice for malicious campaigns. The ad network infrastructure enables a variety of distribution methods, especially if an attacker understands how to game the ad exchange. Further, malvertising groups have begun to evolve toward more ambitious campaigns, serving ad impressions under the guise of fake software updates and tech support scams.

Defending against, and collecting samples of, the fake update and tech support scams is complicated, however, by the fingerprinting and anti-bot technologies of the poorly vetted ad networks that the attackers use as a middle-man and hide behind. The actors launching these attacks are also vigilant, launching each campaign from freshly registered domains and migrating between hosting infrastructures. The question then becomes: which, if any, of the traditional threat hunting methods can be effective against this new breed of malvertising?

In this talk, we introduce a real-time streaming pipeline built on Kafka to stem the initial attack observable in DNS logs, using a scalable clustering technique known as locality sensitive hashing (LSH) over the hostnames to identify permutations of the words and characters of "software", "update", "tech", "support", and more. We then discuss a novel belief propagation algorithm over a client-hostname bipartite graph that propagates scores up to the related file hosts that lie behind malicious advertisements. Finally, we disclose the anatomy of a malicious advertising campaign and show how the file hosts are often reused across malvertising campaigns.
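The two stages the abstract describes, LSH clustering of hostnames and propagation over the client-hostname graph, as an added stand-alone example that is not the speakers' code: the sample hostnames, DNS records and allowlist are constructed; dropping the last DNS label stands in for public-suffix stripping; and a plain mean-of-neighbours score propagation with pinned known-bad and known-good nodes stands in for the talk's belief propagation algorithm. There is no Kafka here; the same functions would sit behind a stream consumer.

```python
"""Added demo of the two stages above, constructed for this page (not Cisco
Umbrella code): MinHash/LSH over character shingles of hostnames, then a
simplified score propagation over the client->hostname bipartite graph."""
import itertools
import random
import zlib
from collections import defaultdict

PRIME = (1 << 61) - 1
SEED_WORDS = ("software", "update", "tech", "support")

def shingles(host, k=3):
    """Character k-grams of the hostname minus its last label (crude stand-in for
    public-suffix stripping), dots/dashes removed, so that 'software-update' and
    'softwareupdate' share almost all shingles."""
    s = host.lower().rsplit(".", 1)[0].replace(".", "").replace("-", "")
    return {s[i:i + k] for i in range(len(s) - k + 1)}

def minhash(shingle_set, hashers):
    """MinHash signature: min of each universal hash (a*x+b) mod p over the shingles.
    crc32 gives a process-stable integer per shingle (str hashing is randomised)."""
    xs = [zlib.crc32(s.encode()) for s in shingle_set] or [0]
    return [min((a * x + b) % PRIME for x in xs) for a, b in hashers]

def lsh_clusters(hosts, bands=100, rows=3, threshold=0.5, seed=1):
    """Band each signature; hosts sharing any band bucket are candidate pairs,
    verified by exact Jaccard and merged with union-find into clusters."""
    rng = random.Random(seed)
    hashers = [(rng.randrange(1, PRIME), rng.randrange(PRIME)) for _ in range(bands * rows)]
    sh = {h: shingles(h) for h in hosts}
    sig = {h: minhash(sh[h], hashers) for h in hosts}
    buckets = defaultdict(set)
    for h in hosts:
        for b in range(bands):
            buckets[(b, tuple(sig[h][b * rows:(b + 1) * rows]))].add(h)
    parent = {h: h for h in hosts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for members in buckets.values():
        for a, b in itertools.combinations(sorted(members), 2):
            union = sh[a] | sh[b]
            if union and len(sh[a] & sh[b]) / len(union) >= threshold:
                parent[find(a)] = find(b)
    groups = defaultdict(set)
    for h in hosts:
        groups[find(h)].add(h)
    return list(groups.values())

def flag_clusters(clusters, words=SEED_WORDS, min_cover=0.8):
    """Flag a whole cluster when any member carries most shingles of a seed word,
    i.e. a possibly mangled or reordered 'software', 'update', 'tech', 'support'."""
    flagged = set()
    for cluster in clusters:
        for host, word in itertools.product(cluster, words):
            ws = shingles(word)
            if len(ws & shingles(host)) / len(ws) >= min_cover:
                flagged.update(cluster)
                break
    return flagged

def propagate(records, bad, good, rounds=20):
    """Score propagation on the bipartite graph of (client, hostname) DNS records:
    known-bad hosts pinned at 1.0, known-good at 0.0, every other node repeatedly
    takes the mean of its neighbours' scores (stand-in for belief propagation)."""
    by_client, by_host = defaultdict(set), defaultdict(set)
    for client, host in records:
        by_client[client].add(host)
        by_host[host].add(client)
    host_score = {h: 1.0 if h in bad else 0.0 for h in by_host}
    client_score = {}
    for _ in range(rounds):
        for c, hs in by_client.items():
            client_score[c] = sum(host_score[h] for h in hs) / len(hs)
        for h, cs in by_host.items():
            if h not in bad and h not in good:
                host_score[h] = sum(client_score[c] for c in cs) / len(cs)
    return host_score, client_score

def related_hosts(host_score, bad, threshold=0.5):
    """Unflagged hosts that inherit a high score: the file hosts behind the lures."""
    return sorted(h for h, s in host_score.items() if h not in bad and s >= threshold)

# Constructed sample data: hostnames from DNS logs and which client resolved what.
HOSTS = ["software-update-now.example", "update-software-now.example",
         "sofware-update-now.example", "tech-support-alert.example",
         "techsupport-alerts.example", "dl-cdn-files.example",
         "mail.example", "cdn.example"]
RECORDS = [(f"c{i}", h) for i, h in enumerate(HOSTS[:5])]          # each client hit one lure
RECORDS += [(f"c{i}", "dl-cdn-files.example") for i in range(5)]  # ...then the same file host
RECORDS += [("c6", "mail.example"), ("c6", "cdn.example"),        # ordinary clients
            ("c7", "mail.example"), ("c7", "cdn.example"), ("c7", "dl-cdn-files.example")]
ALLOWLIST = {"mail.example"}  # assumed known-good anchor for the propagation

def run_pipeline(hosts=HOSTS, records=RECORDS, good=ALLOWLIST):
    bad = flag_clusters(lsh_clusters(hosts))
    host_score, _ = propagate(records, bad, good)
    return bad, host_score, related_hosts(host_score, bad)
```

Running `run_pipeline()` groups the three "software update" permutations (including the misspelled one) and the two "tech support" hostnames into flagged clusters without any hand-written regex, while `mail`, `cdn` and `dl-cdn-files` stay unclustered; the propagation then lifts `dl-cdn-files.example` above the threshold because every client that resolved a lure resolved it too, whereas `cdn.example`, reachable only through ordinary clients, stays low. The pinned known-good node matters: without at least one benign anchor, pure averaging drifts every connected node toward 1.0 and the graph stage loses its discrimination.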

Attendees will learn:
Attendees will become acquainted with the current malvertising threat landscape: ad networks, exchanges, exploits, and popular infection points. The audience will gain a greater understanding of the need for unsupervised lexical clustering, given the weaknesses of traditional lexical and semantic analysis, and of how clustering can be applied to threat hunting. Finally, we will show how to leverage commodity hardware and open source technologies to uncover more threats and their related infrastructure.

This talk will demonstrate how to automate data analysis to identify evolving threats where traditional hand-crafted threat research methods may fail or prove inefficient.


Matthew Foley

Researcher, Cisco Umbrella
Matt Foley works as an intern researcher at Cisco Umbrella (OpenDNS). His primary research focus is exploit kit mitigation by studying current web exploits and writing custom honey clients. Matt works on building out automated systems at scale to identify new indicators of compromise...

Dhia Mahjoub

Head of Security Research, Cisco Umbrella
Dr. Dhia Mahjoub is the Head of Security Research at Cisco Umbrella (OpenDNS). He leads the core research team focused on large scale threat detection and threat intelligence and advises on R&D strategy. Dhia has a background in networks and security, has co-authored patents with...

David Rodriguez

Senior Research Engineer, Cisco Systems, Inc
David Rodriguez works as a Senior Research Engineer at Cisco Umbrella (OpenDNS). He has co-authored multiple pending patents with Cisco in distributed machine learning applications centered around deep learning and behavioral analytics. He has an MA in Mathematics from San Francisco...

Tuesday January 9, 2018 3:00pm - 3:30pm MST
Presidio III, IV, V