1
00:00:00,734 --> 00:00:02,669
(light, airy music)

2
00:00:02,669 --> 00:00:05,505
(light, airy music)

3
00:00:05,505 --> 00:00:08,475
(echoing note)

4
00:00:08,475 --> 00:00:09,908
(swish)

5
00:00:09,909 --> 00:00:11,811
(applause)

6
00:00:11,811 --> 00:00:14,080
(applause)

7
00:00:14,080 --> 00:00:15,281
- Thank you for having me.

8
00:00:15,281 --> 00:00:17,183
I'm sorry my co-worker
couldn't make it.

9
00:00:17,183 --> 00:00:19,219
So, I'm going to try
to go through it.

10
00:00:19,219 --> 00:00:22,789
We had it all separated
so we'll see how it goes.

11
00:00:23,656 --> 00:00:27,192
Just a quick About Us.

12
00:00:27,193 --> 00:00:30,530
Andrea, she's the one who
can't be here, obviously,

13
00:00:30,530 --> 00:00:31,998
she's been working
at Cisco for about

14
00:00:31,998 --> 00:00:35,101
two or three years, and
a lot of her research is

15
00:00:35,101 --> 00:00:37,637
in this presentation, of course.

16
00:00:37,637 --> 00:00:41,007
And there's me, as
mentioned, I worked with NASA

17
00:00:41,007 --> 00:00:43,175
about five years; I took a
year off, and went to Mandiant,

18
00:00:43,176 --> 00:00:47,180
went back; and was
their threat researcher.

19
00:00:47,180 --> 00:00:48,448
One of two threat
researchers for

20
00:00:48,448 --> 00:00:50,050
the whole agency,
which is crazy.

21
00:00:51,484 --> 00:00:54,687
I've done consulting for
nonprofits in San Francisco,

22
00:00:54,687 --> 00:00:56,855
where I'm currently
based, and I worked

23
00:00:56,856 --> 00:00:59,225
for Cisco Umbrella,
so previously OpenDNS,

24
00:00:59,225 --> 00:01:02,962
and get to play with a
lot of DNS data every day.

25
00:01:04,431 --> 00:01:07,567
I'll give a quick summary of
what I'll be talking about.

26
00:01:07,567 --> 00:01:10,103
We're gonna talk about the
kind of research that we do,

27
00:01:10,103 --> 00:01:14,741
and how we find maliciousness,
why we build visualizations,

28
00:01:14,741 --> 00:01:17,911
and I'll show some
visualizations
and some findings.

29
00:01:19,612 --> 00:01:21,414
So, we research
a lot of criminal

30
00:01:21,414 --> 00:01:23,750
activity, like ransomware, spam,

31
00:01:24,884 --> 00:01:28,555
Remote Access Trojans,
infected websites.

32
00:01:30,056 --> 00:01:31,825
When you get spam, you
might get something like

33
00:01:31,825 --> 00:01:34,994
this email, where you have
Collete87 really wants

34
00:01:34,994 --> 00:01:37,330
you to click on this
Russian website,

35
00:01:37,330 --> 00:01:40,500
so you can meet her, and if
you do, you get ransomware.

36
00:01:41,935 --> 00:01:45,772
We look at website compromises
where iframes are injected

37
00:01:45,772 --> 00:01:48,975
into a website, and it sends
you off to other locations

38
00:01:48,975 --> 00:01:52,277
to install malware, do
all sorts of things.

39
00:01:52,278 --> 00:01:56,149
Look at Remote Access Trojans,
so malware on a system

40
00:01:56,149 --> 00:01:58,718
that allows an
attacker to connect in

41
00:01:58,718 --> 00:02:02,288
and control the system,
exfiltrate data,

42
00:02:02,288 --> 00:02:04,057
drop new malware,
things like that.

43
00:02:05,225 --> 00:02:06,658
There's a lot of
data to visualize.

44
00:02:06,659 --> 00:02:10,797
So, we can put, look
right at an IP or a domain

45
00:02:10,797 --> 00:02:13,633
or a registrant, it
builds up quickly.

46
00:02:14,801 --> 00:02:16,236
It depends on the
kind of attack,

47
00:02:16,236 --> 00:02:18,872
when you're looking at
what you want to visualize.

48
00:02:18,872 --> 00:02:21,508
So, compromised domains, it
depends on the scope of it.

49
00:02:21,508 --> 00:02:25,278
Maybe it's just a command
shell, it's doing something

50
00:02:25,278 --> 00:02:28,614
bigger, or maybe it's just
a simple compromised domain.

51
00:02:28,615 --> 00:02:30,250
Maybe it's just
phishing, so it's domain

52
00:02:30,250 --> 00:02:33,386
that's set up specifically
for malicious activity,

53
00:02:33,386 --> 00:02:35,188
or it's a compromised
website with phishing

54
00:02:35,188 --> 00:02:37,423
deep in the directory structure.

55
00:02:38,958 --> 00:02:43,963
Or DGAs, so you may have
one complex domain name,

56
00:02:45,698 --> 00:02:47,233
and that doesn't give
you much information,

57
00:02:47,233 --> 00:02:50,403
but the more you have, the
better information you have.

58
00:02:51,971 --> 00:02:53,239
It depends on the
infection method.

59
00:02:53,239 --> 00:02:56,209
So, you know, if it's
the spam infecting users

60
00:02:56,209 --> 00:02:58,077
that's one thing
we're looking at.

61
00:02:58,077 --> 00:03:00,146
If it's just a simple
compromise of a website.

62
00:03:00,146 --> 00:03:02,114
Maybe you've got one
indicator of compromise

63
00:03:02,115 --> 00:03:03,983
that doesn't give
you a lot to go on.

64
00:03:05,385 --> 00:03:08,588
And exploit kits, maybe
what you're looking at sites

65
00:03:08,588 --> 00:03:10,590
that are compromised
via exploit kits.

66
00:03:10,590 --> 00:03:14,727
So, this is a service where
you can pay to compromise

67
00:03:14,727 --> 00:03:16,863
sites, and try to
compromise users, depending

68
00:03:16,863 --> 00:03:19,766
on their vulnerabilities in
their browser and their system.

69
00:03:20,934 --> 00:03:22,202
It also depends on
the size and scale.

70
00:03:22,202 --> 00:03:24,637
So if, like I said, if
it's just a defacement

71
00:03:24,637 --> 00:03:25,838
of a website, you
don't have a lot,

72
00:03:25,838 --> 00:03:28,107
or if it's one DGA domain, one

73
00:03:28,107 --> 00:03:30,877
dynamically generated
algorithm domain,

74
00:03:30,877 --> 00:03:33,713
it's not a lot to go with,
but you can build off that.

75
00:03:35,114 --> 00:03:38,685
There's a lot of features you
can get from even one IOC,

76
00:03:38,685 --> 00:03:43,189
one domain, in this
case magicpharmacyinc.su

77
00:03:43,189 --> 00:03:44,724
See, there's this
big spike in traffic?

78
00:03:44,724 --> 00:03:47,660
Compared to another domain,
when you have domain queries

79
00:03:47,660 --> 00:03:50,129
like this, where you
see a regular traffic

80
00:03:50,129 --> 00:03:51,998
pattern that doesn't
look suspicious.

81
00:03:53,366 --> 00:03:55,501
So, finding maliciousness,
you have to find

82
00:03:55,501 --> 00:03:59,205
all this stuff, and
then do stuff to it.

83
00:03:59,205 --> 00:04:00,807
But, it's kinda
difficult to find.

84
00:04:02,041 --> 00:04:04,210
But, if you have a lot
of DGAs, you can analyze

85
00:04:04,210 --> 00:04:06,479
a whole bunch of them; a
lot of them won't be going

86
00:04:06,479 --> 00:04:08,715
anywhere, they won't be
registered, they're NX domains,

87
00:04:08,715 --> 00:04:11,084
but you might be able to
find one that is pointed

88
00:04:11,084 --> 00:04:13,820
to the command and
control server,

89
00:04:13,820 --> 00:04:15,521
and then get additional
information on that;

90
00:04:15,521 --> 00:04:19,091
and the more DGAs you
have, the more likely

91
00:04:19,091 --> 00:04:22,128
you can find out what it's
attributed to, as well.

92
00:04:22,128 --> 00:04:26,132
Here's an example of
an infection where you

93
00:04:26,132 --> 00:04:27,800
might have a command
and control contact,

94
00:04:27,800 --> 00:04:29,335
and what you can get from that.

95
00:04:29,335 --> 00:04:32,405
So, at Layer 1 at the top,
it's a system's infected,

96
00:04:32,405 --> 00:04:35,775
and then it contacts
the C&C server;

97
00:04:35,775 --> 00:04:38,443
and if you have
visibility into this,

98
00:04:38,444 --> 00:04:42,015
you get the C&C server,
and you have the victim,

99
00:04:42,015 --> 00:04:45,551
and occasionally on
obfuscation, there will be

100
00:04:45,551 --> 00:04:47,453
multiple proxy nodes
that it will contact,

101
00:04:47,453 --> 00:04:48,854
so you can get
those nodes as well,

102
00:04:48,855 --> 00:04:51,424
and then you can build
a dataset on that,

103
00:04:51,424 --> 00:04:53,459
and you can keep on
going, as you'll see.

104
00:04:54,894 --> 00:04:57,397
So, you need a large amount
of these changing DGA domains.

105
00:04:57,397 --> 00:04:59,164
You can get nonexistent domains;

106
00:04:59,165 --> 00:05:01,868
they're not all
registered, as I mentioned.

107
00:05:01,868 --> 00:05:03,369
One of these domains,
maybe a few of them,

108
00:05:03,369 --> 00:05:05,938
will be pointed
to an IP address.

109
00:05:07,173 --> 00:05:09,142
So, a lot of this is
using passive DNS,

110
00:05:09,142 --> 00:05:10,510
a lot of the stuff I do.

111
00:05:11,678 --> 00:05:13,179
So, I'm looking, like I
said, at domain names,

112
00:05:13,179 --> 00:05:16,782
I'm looking at IP addresses,
name servers, which is,

113
00:05:16,783 --> 00:05:19,252
we can get historical name
server and WHOIS information,

114
00:05:19,252 --> 00:05:23,423
which is important; which
EDPR, so you can see changes

115
00:05:23,423 --> 00:05:28,428
in that, and if you tie in
other things, as I'll show,

116
00:05:29,696 --> 00:05:32,732
like VirusTotal or
ThreatGrid, you can get add-in

117
00:05:32,732 --> 00:05:34,500
malicious binaries,
and the relationships

118
00:05:34,500 --> 00:05:37,136
between IPs and
domains and stuff.

119
00:05:38,538 --> 00:05:40,807
So, using one example, is
just tracking Hailstorm spam.

120
00:05:40,807 --> 00:05:44,377
Hailstorm spam is just
a lot of spam sent out,

121
00:05:44,377 --> 00:05:47,547
a spam campaign done really
fast before spam, anti-spam

122
00:05:47,547 --> 00:05:49,549
mechanisms can catch up to it.

123
00:05:49,549 --> 00:05:50,816
Just looking at
this one IP address,

124
00:05:50,817 --> 00:05:53,753
what can you get from
this, this one thing?

125
00:05:55,188 --> 00:05:57,557
Using passive DNS, you
can see that there are

126
00:05:57,557 --> 00:06:00,593
a lot of domains
hosted at this IP: 857.

127
00:06:01,794 --> 00:06:03,596
There's also Level Two
domains, there's 422,

128
00:06:03,596 --> 00:06:06,599
that's subdomain, .domain.com,
and you can keep on going

129
00:06:06,599 --> 00:06:10,635
down the chain of subdomains;
and then you can get

130
00:06:10,636 --> 00:06:13,172
basically a list of that,
and do something with it.

131
00:06:14,273 --> 00:06:17,143
Just looking at a
select example of that,

132
00:06:17,143 --> 00:06:19,412
you can see that
there's a lot of domains

133
00:06:20,780 --> 00:06:24,751
that look like medical,
luckypillmall, firstdrugmall,

134
00:06:24,751 --> 00:06:27,419
so they're usually, they're
probably pharma-spam,

135
00:06:27,420 --> 00:06:28,821
which is attributed to one kind

136
00:06:28,821 --> 00:06:33,826
of ransomware that
we've seen a bunch.

137
00:06:35,228 --> 00:06:36,462
Pivoting off that, you
can take that IP address,

138
00:06:36,462 --> 00:06:39,164
which is on the lower
right, and you could see

139
00:06:39,165 --> 00:06:41,868
that there's another domain that

140
00:06:41,868 --> 00:06:43,202
has been pointed to other IPs.

141
00:06:43,202 --> 00:06:44,871
So, you can go,
look at those IPs,

142
00:06:44,871 --> 00:06:46,638
and see where they've
been pointing to.

143
00:06:46,639 --> 00:06:48,708
Basically, you're
adding to your dataset,

144
00:06:48,708 --> 00:06:51,043
and it's getting probably
pretty overwhelming.

145
00:06:52,311 --> 00:06:54,313
You keep on going,
you find more domains,

146
00:06:54,313 --> 00:06:55,681
more domains, more.

147
00:06:57,950 --> 00:07:02,188
Just to go on what you can
get with one specific domain,

148
00:07:02,188 --> 00:07:06,392
the kind of things you can,
before I get into the big stuff.

149
00:07:06,392 --> 00:07:08,094
You can see query
volume, if you have this

150
00:07:08,094 --> 00:07:11,063
kind of visibility; so
you could do this in

151
00:07:11,063 --> 00:07:12,998
your environment, looking
at your DNS queries,

152
00:07:12,999 --> 00:07:16,402
or if you have access
logs; you could also

153
00:07:16,402 --> 00:07:19,171
do it if you have something
bigger, like where I work.

154
00:07:19,172 --> 00:07:21,574
If you could see the spike
in traffic, all of sudden

155
00:07:21,574 --> 00:07:24,977
when there was very little,
almost zero to one queries

156
00:07:24,977 --> 00:07:27,346
per day, and then it drops down.

157
00:07:27,346 --> 00:07:29,549
You can get other things,
like the WHOIS data

158
00:07:29,549 --> 00:07:32,452
I was talking
about, IP addresses.

159
00:07:32,452 --> 00:07:34,987
The TTLs, so you can see if
it's changing IP addresses

160
00:07:34,987 --> 00:07:36,989
often, or if it's
set for a while.

161
00:07:38,291 --> 00:07:42,528
You can pick up the
popularity based on requester

162
00:07:42,528 --> 00:07:46,098
geolocation; so how
many people are visiting

163
00:07:46,098 --> 00:07:48,000
from this country
versus that country.

164
00:07:49,335 --> 00:07:52,205
And what's really interesting,
which is something

165
00:07:52,205 --> 00:07:54,039
you could also do inside
your own environment,

166
00:07:54,040 --> 00:07:56,776
without third-party tools,
but is more powerful

167
00:07:56,776 --> 00:07:58,978
with third-party tools,
is co-occurring domains.

168
00:07:58,978 --> 00:08:01,814
So, these are domains that,
when our DNS query was made,

169
00:08:01,814 --> 00:08:03,950
right, at the same
time, or just before,

170
00:08:03,950 --> 00:08:07,086
or after the domain was queried.

171
00:08:07,086 --> 00:08:08,788
So, then you can use
that to branch out.

172
00:08:08,788 --> 00:08:11,991
Of course, this adds to your
overall data that you're

173
00:08:11,991 --> 00:08:14,594
looking at, still so,
there's still a problem here.

174
00:08:14,594 --> 00:08:16,796
Collecting all that
stuff, you still have to,

175
00:08:16,796 --> 00:08:20,032
I mean, when you have
one domain, you still

176
00:08:20,032 --> 00:08:21,534
have to get this data somewhere.

177
00:08:21,534 --> 00:08:24,871
So, we use a lot of Open
Source Intelligence.

178
00:08:26,072 --> 00:08:28,241
Things like
MALWARE-TRAFFIC-ANALYSIS.net

179
00:08:28,241 --> 00:08:32,477
A blog by a security
researcher who publishes

180
00:08:33,880 --> 00:08:37,183
PCAPs, live malware,
and a quick blog post

181
00:08:37,183 --> 00:08:38,851
on what he's seeing; and you can

182
00:08:38,851 --> 00:08:40,886
download this and play with it.

183
00:08:40,886 --> 00:08:43,588
It has things like,
there's a PCAP right there,

184
00:08:43,589 --> 00:08:46,759
and I'll get into this shortly.

185
00:08:48,494 --> 00:08:50,429
We actually, well,
actually I guess

186
00:08:50,429 --> 00:08:51,731
I'm getting into this now.

187
00:08:53,533 --> 00:08:55,434
You can download those
PCAPs, you can run them,

188
00:08:55,434 --> 00:08:57,169
and you can look at the
domains; but it's a lot easier

189
00:08:57,169 --> 00:08:58,804
if you program this in Python.

190
00:08:58,804 --> 00:09:00,372
You can process, batch process,

191
00:09:00,373 --> 00:09:02,308
through tons of
them at one time.

192
00:09:02,308 --> 00:09:05,244
So, you end up with
a list of domains,

193
00:09:05,244 --> 00:09:07,079
which is problematic in itself,

194
00:09:07,079 --> 00:09:10,415
because it's a list of domains
and lot of third parties

195
00:09:10,416 --> 00:09:11,684
will send you lists of domains,

196
00:09:11,684 --> 00:09:13,185
and there's legitimate
things in there,

197
00:09:13,185 --> 00:09:14,686
and there's
non-legitimate things,

198
00:09:14,687 --> 00:09:17,223
so you still have to weed out
things and clean your data.

199
00:09:18,658 --> 00:09:21,961
There are other sources, like
My Online Security is one.

200
00:09:21,961 --> 00:09:23,563
I mean, there's a million
sources out there,

201
00:09:23,563 --> 00:09:27,867
but you can scrape these, or
you can go download things.

202
00:09:27,867 --> 00:09:29,901
If you're, as a security
researcher you get access

203
00:09:29,902 --> 00:09:34,340
to places like
this, DGA Archive,

204
00:09:34,340 --> 00:09:37,910
which are closed-off
to the public,

205
00:09:37,910 --> 00:09:41,247
so that attackers can't
see what you're working on.

206
00:09:42,582 --> 00:09:44,016
And of course, there's
VirusTotal, which is a really

207
00:09:44,016 --> 00:09:47,553
great repository for
malware and other viruses.

208
00:09:50,723 --> 00:09:54,226
If you are doing it for
free, you can use an API,

209
00:09:54,226 --> 00:09:57,330
you can call it four
times a minute, I believe.

210
00:09:57,330 --> 00:09:58,564
But if you're paying,
you can do a lot more.

211
00:09:58,564 --> 00:10:00,031
So, you can set
up your YARA rules,

212
00:10:00,032 --> 00:10:02,602
and hunt for specific
kind of activity,

213
00:10:02,602 --> 00:10:03,836
and then download all that stuff

214
00:10:03,836 --> 00:10:05,905
programmatically,
which is what we do.

215
00:10:05,905 --> 00:10:08,007
We download hundreds
of samples a day,

216
00:10:08,007 --> 00:10:09,541
and maybe run them
in a Cuckoo Sandbox,

217
00:10:09,542 --> 00:10:13,179
or run them through
various systems to get

218
00:10:13,179 --> 00:10:14,880
additional information
to look at.

219
00:10:17,617 --> 00:10:19,185
We also look at feeds.

220
00:10:19,185 --> 00:10:21,319
So, there are some
feeds that are

221
00:10:21,320 --> 00:10:23,556
providing constantly
changing viruses.

222
00:10:24,824 --> 00:10:26,425
They're usually a little
bit more up-to-date

223
00:10:26,425 --> 00:10:28,995
than the historical
data that we're finding

224
00:10:28,995 --> 00:10:31,631
on VirusTotal and
Malware Traffic Analysis.

225
00:10:31,631 --> 00:10:34,533
One example of a really
great feed is John Bambenek.

226
00:10:34,533 --> 00:10:36,235
He runs a security
company; I'm sure

227
00:10:36,235 --> 00:10:38,204
some of you have heard of him.

228
00:10:38,204 --> 00:10:41,906
He just runs all these
malware samples, every day.

229
00:10:41,907 --> 00:10:43,876
I think he actually might be
stopping the feed pretty soon.

230
00:10:43,876 --> 00:10:46,411
I heard, but I'm
not sure about that.

231
00:10:46,412 --> 00:10:50,049
But, he publishes them
as the malware families

232
00:10:50,049 --> 00:10:51,483
that they belong to; so, you can

233
00:10:51,484 --> 00:10:53,419
quickly ingest that
and work with it.

234
00:10:54,920 --> 00:10:56,288
So, why visuals?

235
00:10:57,990 --> 00:10:59,525
I feel dumb asking
this question.

236
00:10:59,525 --> 00:11:01,861
I mean, I know why
visuals, I feel like

237
00:11:01,861 --> 00:11:04,396
it's extremely
important to be able

238
00:11:04,397 --> 00:11:05,831
to see what you're looking at.

239
00:11:05,831 --> 00:11:09,201
But, as you can see,
just to go over it again,

240
00:11:09,201 --> 00:11:11,303
it's a lot of data
that you're looking at.

241
00:11:11,303 --> 00:11:13,105
A ton of data, and
it's really hard

242
00:11:13,105 --> 00:11:14,440
to keep it in your
mind, what you're

243
00:11:14,440 --> 00:11:16,275
looking at; and you
wanna work fast.

244
00:11:16,275 --> 00:11:19,178
Threat hunting is,
it moves really fast.

245
00:11:19,178 --> 00:11:21,881
You can't just sit and wait
for something to change.

246
00:11:21,881 --> 00:11:23,249
'Cause, as you can see, a domain

247
00:11:23,249 --> 00:11:25,818
spikes up in a
campaign, and it's gone.

248
00:11:25,818 --> 00:11:28,521
So, you need to
turn that messy data

249
00:11:28,521 --> 00:11:30,122
into meaningful
information that you can

250
00:11:30,122 --> 00:11:32,091
work with really fast, and
move on to the next thing,

251
00:11:32,091 --> 00:11:33,826
and also go home
and have a life.

252
00:11:34,960 --> 00:11:37,930
It also helps us quickly
analyze threat data.

253
00:11:40,032 --> 00:11:42,935
This is a quote
from Edward Tufte.

254
00:11:42,935 --> 00:11:45,137
It's basically kind
of long-winded.

255
00:11:45,137 --> 00:11:49,141
He's a data
visualization expert;

256
00:11:49,141 --> 00:11:51,010
a professor at Yale, I think.

257
00:11:52,445 --> 00:11:54,780
But, he's basically saying
assessing the change,

258
00:11:54,780 --> 00:11:58,350
and the dynamics, and
the cause of something,

259
00:11:58,350 --> 00:11:59,852
helps you really understand it.

260
00:12:01,287 --> 00:12:03,289
So, some visuals we like
to use as we, like I said,

261
00:12:03,289 --> 00:12:06,025
we program in Python,
we've had some coworkers

262
00:12:06,025 --> 00:12:07,959
that work with R,
but we convert them.

263
00:12:07,960 --> 00:12:11,597
I mean, R is fine,
but we use Python.

264
00:12:11,597 --> 00:12:15,067
We throw it in pandas
for data analysis.

265
00:12:15,067 --> 00:12:18,804
Sometimes, use other
tools, and then

266
00:12:18,804 --> 00:12:21,040
we have been playing
a lot with D3,

267
00:12:21,040 --> 00:12:22,708
which is a JavaScript library,

268
00:12:22,708 --> 00:12:24,310
and it's a pain for
me to work with.

269
00:12:24,310 --> 00:12:27,146
I'm always struggling
with it, but the things

270
00:12:27,146 --> 00:12:30,181
I've gotten working have
been satisfying, at least.

271
00:12:31,550 --> 00:12:35,387
So, we will do some specific
kinds of graphs, like

272
00:12:35,387 --> 00:12:38,189
force-directed graph; this
is really great for networks.

273
00:12:39,258 --> 00:12:40,960
We'll do timelines of first seen

274
00:12:40,960 --> 00:12:42,461
queries versus domain queries.

275
00:12:42,461 --> 00:12:45,431
So, this is the first time
a system in your network

276
00:12:45,431 --> 00:12:49,368
contacts a domain versus
the time it was registered,

277
00:12:49,368 --> 00:12:54,206
also versus other things,
other components of the domain.

278
00:12:54,206 --> 00:12:56,475
Timelines of domain queries,
this is just the volume

279
00:12:56,475 --> 00:13:00,045
that you've seen before in
some of the previous slides.

280
00:13:00,045 --> 00:13:01,313
Timelines of queries just from

281
00:13:01,313 --> 00:13:04,583
network captures,
and log files too.

282
00:13:04,583 --> 00:13:08,521
And then, signature
patterns built from queries

283
00:13:08,521 --> 00:13:10,421
in network capture files;
so I'm gonna get into that,

284
00:13:10,422 --> 00:13:11,857
that's a little bit
different, it's something

285
00:13:11,857 --> 00:13:14,492
I'm exploring, I've been
exploring for about two weeks.

286
00:13:15,828 --> 00:13:17,463
An example of force-directed
graphs, how you can

287
00:13:17,463 --> 00:13:20,098
take a list of domains and IPs,

288
00:13:20,099 --> 00:13:22,134
and get something maybe useful?

289
00:13:22,134 --> 00:13:23,836
I mean, this is a
mess to look at,

290
00:13:23,836 --> 00:13:26,405
but it gives you an idea
of maybe where to go next.

291
00:13:26,405 --> 00:13:27,640
You have this IP
address, and it's got

292
00:13:27,640 --> 00:13:28,874
a whole bunch of domains on it.

293
00:13:28,874 --> 00:13:31,510
So, if this is something
bad you saw happening,

294
00:13:31,510 --> 00:13:33,913
maybe you know where to go next.

295
00:13:33,913 --> 00:13:36,882
You have all these one
offs on the left side

296
00:13:36,882 --> 00:13:41,219
that maybe aren't
as pressing, so...

297
00:13:42,855 --> 00:13:44,557
And while I'm talking about
force-directed graphs,

298
00:13:44,557 --> 00:13:48,360
this isn't about this,
this is a fantastic product

299
00:13:48,360 --> 00:13:50,095
that's actually a free
thing called OpenGraphiti,

300
00:13:50,095 --> 00:13:54,133
made by one of my coworkers
that used to work at NVIDIA.

301
00:13:54,133 --> 00:13:56,468
So, he's made this
beautiful thing.

302
00:13:56,468 --> 00:13:59,238
This is an example of
what Zeus, Game Over Zeus,

303
00:13:59,238 --> 00:14:01,240
looks like in one environment.

304
00:14:01,240 --> 00:14:03,375
So, obviously you
can really visualize

305
00:14:03,375 --> 00:14:07,646
things, and just
look at it all day.

306
00:14:07,646 --> 00:14:10,915
Here's a video of
what Mirai looks like,

307
00:14:10,916 --> 00:14:12,484
like a section of Mirai botnet.

308
00:14:13,619 --> 00:14:15,221
So, you can do some
really beautiful things.

309
00:14:15,221 --> 00:14:16,655
I'm sorry to show you
that, 'cause we're

310
00:14:16,655 --> 00:14:19,358
gonna go back to really
boring-looking visuals, but...

311
00:14:20,759 --> 00:14:22,661
We can do, as I mentioned,
on the query timeline,

312
00:14:22,661 --> 00:14:25,964
so if you look at Google you
can see there's a pattern

313
00:14:25,965 --> 00:14:29,101
here, there's a Monday
through Friday pattern.

314
00:14:29,101 --> 00:14:33,105
It's kinda normalized for
North America, in this graph,

315
00:14:33,105 --> 00:14:35,007
but it goes high up
in the day, and down

316
00:14:35,007 --> 00:14:36,809
in the evening, and
the weekend is lower.

317
00:14:36,809 --> 00:14:40,579
So, you can see there's
nothing, basically nothing

318
00:14:40,579 --> 00:14:42,414
malicious here, I mean,
you know it's Google.com

319
00:14:42,414 --> 00:14:44,449
But, you can see this kinda
pattern, or other patterns

320
00:14:44,450 --> 00:14:48,220
that you recognize as not
bad, then you can move on.

321
00:14:49,755 --> 00:14:52,157
And in doing pattern
matching, so I'm gonna

322
00:14:52,157 --> 00:14:53,525
talk about this towards the end,

323
00:14:53,525 --> 00:14:58,464
but I'm looking at
PCAPs with specific

324
00:14:58,464 --> 00:15:01,000
kinds of activity and
counting the times in-between,

325
00:15:01,000 --> 00:15:03,168
trying to find if this
pattern is involved.

326
00:15:05,404 --> 00:15:08,474
A different way of
building signatures.

327
00:15:08,474 --> 00:15:10,876
So, what makes a visual useful?

328
00:15:10,876 --> 00:15:13,012
We have some questions
that we ask ourselves.

329
00:15:13,012 --> 00:15:14,313
What will make it clear?

330
00:15:14,313 --> 00:15:16,382
This is pretty obvious,
it has a count, if it's

331
00:15:16,382 --> 00:15:21,286
a timeline, you know, how
many, and when did it happen.

332
00:15:21,287 --> 00:15:23,889
So, in this case we've
got this graph here.

333
00:15:23,889 --> 00:15:26,759
The line, the blue line,
is the query volume.

334
00:15:26,759 --> 00:15:31,230
So, we can see that this
domain, humoronoff.top

335
00:15:31,230 --> 00:15:35,034
had a big spike kind of,
a relatively big spike,

336
00:15:35,034 --> 00:15:36,635
and then it went down,
it's still being used,

337
00:15:36,635 --> 00:15:39,738
but so, if it was in a
malware campaign, or something

338
00:15:39,738 --> 00:15:43,609
then it's probably
something to look at.

339
00:15:44,810 --> 00:15:46,377
Am I putting it in
the right context?

340
00:15:46,378 --> 00:15:48,414
So, force-directed
graphs, those are great

341
00:15:48,414 --> 00:15:51,016
for networks, terrible
for timelines.

342
00:15:51,016 --> 00:15:53,385
So, you gotta make sure you
put it in the right place.

343
00:15:53,385 --> 00:15:55,154
I was gonna put some
really ugly graphs here,

344
00:15:55,154 --> 00:15:56,689
but there wasn't a lot of time.

345
00:15:58,023 --> 00:16:00,225
Also, how can we reduce
the visual clutter?

346
00:16:00,225 --> 00:16:01,694
So, maybe we can
combine domain names.

347
00:16:01,694 --> 00:16:05,997
So, here we're looking at
Google and the humoronoff.top

348
00:16:05,998 --> 00:16:11,003
domain, in comparison
can be useful.

349
00:16:12,771 --> 00:16:14,839
And looking at, we can
assess change by looking

350
00:16:14,840 --> 00:16:18,844
at spikes, and changes,
and traffic volume.

351
00:16:19,979 --> 00:16:22,848
So, some visual examples
of attack campaigns.

352
00:16:22,848 --> 00:16:26,050
Just to give you an idea
of where we're going.

353
00:16:26,051 --> 00:16:31,056
I'm going to talk about three
different malware variations.

354
00:16:31,924 --> 00:16:34,026
EMOTET, Hancitor, and TrickBot.

355
00:16:34,026 --> 00:16:36,295
EMOTET is a mal-spam malware.

356
00:16:41,266 --> 00:16:44,203
Spam is sent to victims
and it usually includes

357
00:16:44,203 --> 00:16:47,206
an attachment, like
a Word document, or
something like that,

358
00:16:47,206 --> 00:16:50,442
or a link to a Word
document; and if you run it,

359
00:16:50,442 --> 00:16:53,912
and have macros enabled,
it'll do all sorts of stuff.

360
00:16:55,347 --> 00:16:57,716
So, grabbing just from
Malware Traffic Analysis,

361
00:16:57,716 --> 00:17:00,319
just from a bunch of PCAPs,
for a selected time period,

362
00:17:00,319 --> 00:17:02,755
we ended up with
what you're commonly,

363
00:17:02,755 --> 00:17:05,557
probably see, in your daily job.

364
00:17:05,557 --> 00:17:09,328
Domain lists and IPs,
and it's the job of some

365
00:17:09,328 --> 00:17:12,931
poor analyst, which I've
been before, to look at these

366
00:17:12,931 --> 00:17:15,667
IPs and domains, and
figure out which is bad.

367
00:17:15,666 --> 00:17:17,336
Someone higher up
says, "Block this."

368
00:17:17,336 --> 00:17:19,271
And you're like, I don't know
if I should block all this,

369
00:17:19,271 --> 00:17:21,139
but you should
definitely look at it.

370
00:17:22,540 --> 00:17:24,409
But there are domains in here
that shouldn't be blocked,

371
00:17:24,410 --> 00:17:27,880
obviously, like ipinfo.io;
these are just IP checks

372
00:17:27,880 --> 00:17:29,615
from the malware, maybe,
trying to find out

373
00:17:29,615 --> 00:17:32,418
if it should infect you,
or find out where you are.

374
00:17:33,852 --> 00:17:36,422
So, you need to do
something else with this.

375
00:17:36,422 --> 00:17:38,457
If you put all these
IPs and these domains

376
00:17:38,457 --> 00:17:40,626
that you just saw into
a force-directed graph,

377
00:17:40,626 --> 00:17:43,595
you get this cool-looking graph
that looks kinda like candy.

378
00:17:43,595 --> 00:17:45,130
I don't know.

379
00:17:45,130 --> 00:17:49,601
You can see that there's not
a lot that sparks interest,

380
00:17:49,601 --> 00:17:52,137
except for, there's one
section where there's a few

381
00:17:52,137 --> 00:17:54,373
more connections, so maybe
you could start there.

382
00:17:54,373 --> 00:17:57,509
You can check out what's
there, and you could,

383
00:17:57,509 --> 00:17:59,011
in the stuff that we've written,

384
00:17:59,011 --> 00:18:03,749
that we use, we can
highlight the nodes.

385
00:18:03,749 --> 00:18:06,251
The red is the IP;
the blue is the domains.

386
00:18:06,251 --> 00:18:08,020
And we can get some more
information on that.

387
00:18:08,020 --> 00:18:09,254
We can click on that and go to

388
00:18:09,254 --> 00:18:11,255
further resources that we use.

389
00:18:12,624 --> 00:18:15,494
If we run those same
domains through to create

390
00:18:15,494 --> 00:18:17,830
that kind of messy
graph, and we enrich

391
00:18:17,830 --> 00:18:20,165
it with passive DNS
data, so we include

392
00:18:20,165 --> 00:18:24,303
a whole bunch more stuff that
wasn't in the initial file,

393
00:18:24,303 --> 00:18:27,473
and we turn the labels
on, we can see that there

394
00:18:27,473 --> 00:18:29,207
are a couple IP addresses that

395
00:18:29,208 --> 00:18:32,644
are hosting domains
associated with this,

396
00:18:34,079 --> 00:18:37,483
or have hosted domains; so,
there are some more places

397
00:18:37,483 --> 00:18:39,318
that are more
interesting to look at.

398
00:18:41,553 --> 00:18:46,558
This mykeeptake.xyz,
we'll see that again in

399
00:18:47,659 --> 00:18:48,760
a few moments, but
just keep that in mind.

400
00:18:49,895 --> 00:18:52,498
We can do some timelines
on this kinda thing.

401
00:18:52,498 --> 00:18:57,503
So, if I take just the PCAPs
from one EMOTET infection,

402
00:18:59,204 --> 00:19:00,906
just these two files
right here, and I pull out

403
00:19:00,906 --> 00:19:04,209
their domains; I've got
those akademia, I'm not gonna

404
00:19:04,209 --> 00:19:07,045
try to say the
names, this one here.

405
00:19:07,045 --> 00:19:10,749
I pull them out with my
Python script, and I've

406
00:19:10,749 --> 00:19:12,751
got these four domains
here that are interesting.

407
00:19:12,751 --> 00:19:15,954
I didn't pull the DNS queries,
just the GETs and the POSTs.

408
00:19:17,556 --> 00:19:19,324
I can put these on
a timeline, which is

409
00:19:19,324 --> 00:19:21,293
a different way to
look at a timeline.

410
00:19:21,293 --> 00:19:23,861
I put the dates the
emails were received

411
00:19:23,862 --> 00:19:27,332
by victims, according
to this blog post.

412
00:19:27,332 --> 00:19:28,967
So, there's probably a
lot more emails than this.

413
00:19:28,967 --> 00:19:32,137
But, put those on a
timeline, I put the domains,

414
00:19:32,137 --> 00:19:33,839
and you can see that
there's three domains

415
00:19:33,839 --> 00:19:36,207
on the far left,
back in October,

416
00:19:37,376 --> 00:19:38,610
and then there's this
one domain right there.

417
00:19:38,610 --> 00:19:40,579
So, this gives me
a quick image of

418
00:19:41,914 --> 00:19:46,018
psychedelicsociety.org.au
is probably really

419
00:19:46,018 --> 00:19:48,921
associated with this, and
the other ones, I mean,

420
00:19:48,921 --> 00:19:51,056
it's probably compromised
or it's been set up

421
00:19:51,056 --> 00:19:53,759
just for this
campaign, right here.

422
00:19:53,759 --> 00:19:57,462
Those old ones are probably
compromised, or, I mean,

423
00:19:57,462 --> 00:19:59,598
they're not as important,
but they are important.

424
00:20:00,666 --> 00:20:02,900
Looking at that
psychedelicsociety page,

425
00:20:02,901 --> 00:20:04,870
you can see there's
a spike in traffic,

426
00:20:04,870 --> 00:20:06,604
all of a sudden,
whereas before,

427
00:20:06,605 --> 00:20:08,440
around it there's
pretty much nothing.

428
00:20:08,440 --> 00:20:10,642
I can see the First Seen date is

429
00:20:10,642 --> 00:20:13,078
the date that was on my graph.

430
00:20:14,580 --> 00:20:16,014
Looking at those other
domains, you can see

431
00:20:16,014 --> 00:20:19,650
that there's kind of consistent
traffic, it's not as big.

432
00:20:20,986 --> 00:20:24,156
I can look using other
tools, like VirusTotal,

433
00:20:24,156 --> 00:20:26,325
I can find that there's
some interesting URLs,

434
00:20:26,325 --> 00:20:27,826
and I can scrape these or pull

435
00:20:27,826 --> 00:20:29,761
them programmatically,
which I do.

436
00:20:31,697 --> 00:20:34,233
Looking at, just at the site,
sometimes I do this a lot

437
00:20:34,233 --> 00:20:37,002
in threat analysis,
I see what's up.

438
00:20:37,002 --> 00:20:40,138
It's a site, whatever, but it's

439
00:20:40,138 --> 00:20:42,341
WordPress, which I
am suspicious of.

440
00:20:43,875 --> 00:20:46,278
I could tell by those
previous domain names

441
00:20:46,278 --> 00:20:49,548
there's a word, WP
Admin Directory,

442
00:20:49,548 --> 00:20:52,117
but I didn't take
a screenshot of it;

443
00:20:52,117 --> 00:20:53,452
but going into one
of those directories,

444
00:20:53,452 --> 00:20:56,488
you can see there's some
spam inside those sites.

445
00:20:56,488 --> 00:20:58,557
So, the site's
compromised, and it's

446
00:20:58,557 --> 00:21:00,826
being used in this
campaign; as you can see,

447
00:21:00,826 --> 00:21:03,128
'cause of the PCAP,
I mean, that's proof.

448
00:21:03,128 --> 00:21:05,997
But looking at all
the EMOTET domains,

449
00:21:05,998 --> 00:21:09,735
I pulled like all of them
for a huge amount of time,

450
00:21:09,735 --> 00:21:11,436
I can't remember the exact time,

451
00:21:11,436 --> 00:21:13,871
but you can see that
there's a pattern here.

452
00:21:13,872 --> 00:21:17,342
And it's a mess, but you don't
have to read all the domains,

453
00:21:17,342 --> 00:21:20,746
but you can see October
had a huge spike in domains

454
00:21:20,746 --> 00:21:25,183
being used, kinda dipped
down and then up again.

455
00:21:25,183 --> 00:21:27,219
So, this isn't relative
of the entire internet,

456
00:21:27,219 --> 00:21:30,956
this is some PCAP files,
but it's place to start

457
00:21:30,956 --> 00:21:32,557
if you're hunting for something.

458
00:21:33,925 --> 00:21:35,494
So, there's some
patterns we can look at,

459
00:21:35,494 --> 00:21:37,195
and I've been talking
about this a little bit,

460
00:21:37,195 --> 00:21:39,665
this is stuff I'm
doing that's brand new.

461
00:21:39,665 --> 00:21:42,434
I'm just trying to play
around a little bit,

462
00:21:42,434 --> 00:21:44,069
which is a big part of my job,

463
00:21:44,069 --> 00:21:46,638
and that's my favorite
part, to play around.

464
00:21:46,638 --> 00:21:49,640
So, I can get those
PCAPs and I can see

465
00:21:49,641 --> 00:21:53,679
that there's GET requests,
and there's posts,

466
00:21:53,679 --> 00:21:56,048
and there's all sorts of
cool data to play with.

467
00:21:57,783 --> 00:21:59,851
This is, right here,
that you're seeing...

468
00:22:01,720 --> 00:22:05,023
There's GET posting to different
IPs, different domains.

469
00:22:05,023 --> 00:22:06,558
I thought about maybe, if I look

470
00:22:06,558 --> 00:22:07,959
at the time between events.

471
00:22:07,959 --> 00:22:10,295
So, Malware Traffic
Analysis is real great,

472
00:22:10,295 --> 00:22:12,964
because he provides these
PCAPs that it's just

473
00:22:12,964 --> 00:22:17,735
a specific moment in time
where EMOTET, or Hancitor,

474
00:22:17,736 --> 00:22:19,805
or something is, or
some other malware,

475
00:22:19,805 --> 00:22:23,608
is infecting a system; so,
it's pretty consistent.

476
00:22:23,608 --> 00:22:25,744
So, I was thinking, if you can
count the times in-between,

477
00:22:25,744 --> 00:22:28,112
maybe there's a way
to look at patterns,

478
00:22:28,113 --> 00:22:31,550
and then research further
on will be more interesting,

479
00:22:31,550 --> 00:22:33,452
'cause I hope to be able
to run it on live traffic,

480
00:22:33,452 --> 00:22:35,554
and maybe catch
something interesting.

481
00:22:35,554 --> 00:22:38,423
But, I'll keep working on that.

482
00:22:38,423 --> 00:22:40,759
But, looking at it, just,
I put it on a graph

483
00:22:40,759 --> 00:22:42,894
with Matplotlib, just to
see what it looks like.

484
00:22:42,894 --> 00:22:45,597
These dots are just
the, they represent...

485
00:22:47,165 --> 00:22:49,101
Well, what I did,
was I took the times

486
00:22:49,101 --> 00:22:50,969
and I took away the
time information,

487
00:22:50,969 --> 00:22:55,941
and I made it a unique number,
not to get too weird with it.

488
00:22:57,175 --> 00:22:59,244
But, just to try to
do a constant thing.

489
00:22:59,244 --> 00:23:03,081
So, as I did that, I would
plot it on this line.

490
00:23:03,081 --> 00:23:04,882
So, the numbers don't
really mean anything;

491
00:23:04,883 --> 00:23:08,553
it's just a visual for me
to kind of to start with.

492
00:23:09,721 --> 00:23:10,922
I'm looking to see if
there are patterns.

493
00:23:10,922 --> 00:23:13,125
So, if I run a bunch
of EMOTET PCAPs,

494
00:23:13,125 --> 00:23:15,794
you can see that there's,
there's sort of a pattern.

495
00:23:15,794 --> 00:23:18,330
I mean, maybe, I
haven't yet compared it

496
00:23:18,330 --> 00:23:20,564
to what's it like when
you're viewing YouTube,

497
00:23:20,565 --> 00:23:24,503
or viewing news
websites, but you'll see

498
00:23:24,503 --> 00:23:25,736
when I get to TrickBot, there's

499
00:23:25,737 --> 00:23:27,305
a little bit more
of a unique pattern.

500
00:23:28,440 --> 00:23:29,674
And I'm at TrickBot.

501
00:23:29,674 --> 00:23:32,110
So, TrickBot is like
a mal-banking Trojan.

502
00:23:33,812 --> 00:23:36,982
Sent usually phishing
links, or phishing emails

503
00:23:36,982 --> 00:23:40,485
are sent to people to
login to their fake bank.

504
00:23:41,353 --> 00:23:42,821
They think it's the real bank.

505
00:23:44,322 --> 00:23:45,991
And it's changed a little
bit to have kind of a

506
00:23:45,991 --> 00:23:49,528
ransomware component too,
but I won't go into that.

507
00:23:49,528 --> 00:23:50,762
So, let's look at
some graphs with this.

508
00:23:50,762 --> 00:23:52,664
So, putting it in a
force-directed graph,

509
00:23:52,664 --> 00:23:54,331
we can see there are a
few interesting things.

510
00:23:54,332 --> 00:23:56,168
These are the same kind
of, we took a list,

511
00:23:56,168 --> 00:23:58,770
just like we did
for EMOTET; we can

512
00:23:58,770 --> 00:24:02,841
look at the nodes of this,
we can expand upon that.

513
00:24:02,841 --> 00:24:05,209
This is really pretty,
it doesn't tell you a lot

514
00:24:05,210 --> 00:24:09,548
of information, if you don't
know the context, but you

515
00:24:09,548 --> 00:24:11,550
can see that there's something
interesting to look at.

516
00:24:11,550 --> 00:24:16,421
So, we turn the labels on
and we enrich it even more.

517
00:24:16,421 --> 00:24:18,690
Actually, that last graph
we enriched already,

518
00:24:18,690 --> 00:24:21,593
but with additional
passive DNS information,

519
00:24:21,593 --> 00:24:24,830
but you enrich it even
further and add the labels.

520
00:24:24,830 --> 00:24:26,798
You can get a lot more
useful information.

521
00:24:26,798 --> 00:24:30,802
You can see that there's
something; there are a couple

522
00:24:30,802 --> 00:24:33,004
probably bad hosting
providers that are hosting

523
00:24:33,004 --> 00:24:35,206
a lot of these domains, so
you can take action on that.

524
00:24:35,207 --> 00:24:36,608
Whatever that action may be.

525
00:24:37,943 --> 00:24:40,312
Looking at timelines
of this, just

526
00:24:40,312 --> 00:24:41,879
to give you what it looks like.

527
00:24:41,880 --> 00:24:46,485
Same thing, October, big,
huge thing, comparatively.

528
00:24:47,552 --> 00:24:49,687
And then some smaller bits.

529
00:24:51,423 --> 00:24:53,625
And then patterns, of course,
I wanna look at patterns.

530
00:24:53,625 --> 00:24:55,794
So, this is running
through a bunch.

531
00:24:55,794 --> 00:24:56,962
This is actually a
video, it's showing

532
00:24:56,962 --> 00:24:58,396
a bunch of different TrickBots.

533
00:24:58,396 --> 00:25:00,699
You got these two, two
times that things happened.

534
00:25:00,699 --> 00:25:03,034
So, it's pretty unique.

535
00:25:03,034 --> 00:25:05,470
As I work on it, maybe I'll be
able to catch TrickBot live.

536
00:25:05,470 --> 00:25:08,173
I mean, I'm not building
the next Snort, or anything,

537
00:25:08,173 --> 00:25:10,041
but, you know, I'm
just playing around.

538
00:25:11,376 --> 00:25:13,478
Hancitor, which is
another kind of mal-spam.

539
00:25:15,280 --> 00:25:17,148
Look at this and see
what we can find.

540
00:25:17,148 --> 00:25:19,016
We've got timelines,
that kind of have

541
00:25:19,017 --> 00:25:21,219
the same pattern again, so I
don't know what's going on.

542
00:25:21,219 --> 00:25:23,755
Maybe this is a
general, a larger trend.

543
00:25:23,755 --> 00:25:26,558
Maybe if I look back at
what I've been doing,

544
00:25:26,558 --> 00:25:29,694
for the last year, if
I can even remember,

545
00:25:29,694 --> 00:25:31,863
'cause you're always
on a million things,

546
00:25:31,863 --> 00:25:35,400
I would maybe be able to
see that there's, like,

547
00:25:35,400 --> 00:25:37,969
maybe I would assume that
October was a hard month.

548
00:25:39,771 --> 00:25:42,274
So, putting this in a
force-directed graph.

549
00:25:42,274 --> 00:25:44,508
Same kinda thing, you get
a lot more connections.

550
00:25:44,509 --> 00:25:47,145
This is a lot more
interesting, right here.

551
00:25:49,748 --> 00:25:51,850
And if we enrich
that with extra data,

552
00:25:53,218 --> 00:25:57,188
the past domains and whatnot,
we get some more stuff.

553
00:25:57,188 --> 00:26:00,225
And as we were researching
this, we found that there

554
00:26:00,225 --> 00:26:01,892
were a lot of relationships,
as you can probably guess,

555
00:26:01,893 --> 00:26:03,328
based on those
timelines I showed you.

556
00:26:03,328 --> 00:26:07,098
A lot of relationships between
the different campaigns.

557
00:26:08,934 --> 00:26:10,902
But, we can see things
like this IP is hosting

558
00:26:10,902 --> 00:26:15,907
a whole bunch of these iffy,
or bad, or known bad domains.

559
00:26:17,242 --> 00:26:19,476
There's that mykeeptake.xyz,
which was in EMOTET,

560
00:26:19,477 --> 00:26:21,980
which is also being used
in this Hancitor campaign.

561
00:26:21,980 --> 00:26:24,950
So, now that's been
raised up a little bit

562
00:26:24,950 --> 00:26:27,485
as something important
that we need to focus on.

563
00:26:28,954 --> 00:26:31,289
Looking at patterns, just
to kinda give you an idea,

564
00:26:31,289 --> 00:26:33,391
it's definitely, definitely
different than EMOTET,

565
00:26:33,391 --> 00:26:37,362
definitely different than
TrickBot, the PCAP pattern,

566
00:26:37,362 --> 00:26:39,164
but it's kind of
interesting to see.

567
00:26:40,432 --> 00:26:41,967
And then the relationships
between attack

568
00:26:41,967 --> 00:26:43,735
and infrastructure, I
just mentioned this,

569
00:26:43,735 --> 00:26:46,103
but this is everything
all tied together.

570
00:26:46,104 --> 00:26:51,109
All the static domains and
IPs from TrickBot, EMOTET,

571
00:26:51,977 --> 00:26:53,111
and Hancitor that we looked at.

572
00:26:53,111 --> 00:26:54,579
You got these
outliers on the side,

573
00:26:54,579 --> 00:26:56,147
and then those are
interesting, for sure,

574
00:26:56,147 --> 00:26:59,985
but you've got this huge amount
of just working together,

575
00:26:59,985 --> 00:27:01,519
the domains are
working together,

576
00:27:01,519 --> 00:27:04,255
and IPs are working together,
it's the same infrastructure.

577
00:27:04,255 --> 00:27:05,957
And as, when you're
trying to find attribution

578
00:27:05,957 --> 00:27:09,027
for something, generally
you find it based on

579
00:27:09,027 --> 00:27:11,196
the sharing of infrastructure
and the reusing

580
00:27:11,196 --> 00:27:14,165
of domains and
registration information.

581
00:27:14,165 --> 00:27:16,201
But, it's just nice to see that.

582
00:27:16,201 --> 00:27:20,038
If you enrich that further,
you can find a place to attack.

583
00:27:20,038 --> 00:27:22,607
And this is historical
data, but there are ways to

584
00:27:22,607 --> 00:27:24,876
be up to speed with
the present moment.

585
00:27:26,511 --> 00:27:30,181
And then I put these on,
or just relayed them,

586
00:27:31,583 --> 00:27:34,119
this is not a programmatic
thing, but it will be,

587
00:27:34,119 --> 00:27:36,888
when I'm continuing to work
on this, and so is Andrea.

588
00:27:36,888 --> 00:27:39,057
So, if you put the Hancitor
over EMOTET, you can see

589
00:27:39,057 --> 00:27:42,661
there's a definite
relationship between them.

590
00:27:42,661 --> 00:27:45,296
On TrickBot, it's
not as much the same,

591
00:27:45,296 --> 00:27:50,001
but it's, I mean, EMOTET
and Hancitor are mal-spam,

592
00:27:50,001 --> 00:27:52,003
and TrickBot behaves
a little differently.

593
00:27:52,003 --> 00:27:54,304
So, you expect some
different results with it.

594
00:27:55,774 --> 00:27:57,242
This probably should have been
in back a little bit further,

595
00:27:57,242 --> 00:28:00,278
but you can, when I was
talking about bringing data

596
00:28:00,278 --> 00:28:04,416
together, to give you better
visuals, but you could,

597
00:28:05,617 --> 00:28:07,452
I didn't want to put
all those domains on

598
00:28:07,452 --> 00:28:09,754
one big, huge timeline,
but I bet I would see some

599
00:28:09,754 --> 00:28:12,590
query volume patterns, which
would be very useful to see.

600
00:28:13,491 --> 00:28:14,492
Cool, thank you.

601
00:28:14,492 --> 00:28:16,594
(applause)

602
00:28:16,594 --> 00:28:18,630
(applause)

603
00:28:18,630 --> 00:28:20,799
(piano music)

604
00:28:20,799 --> 00:28:22,867
(piano music)

605
00:28:22,867 --> 00:28:25,036
(piano music)

606
00:28:25,036 --> 00:28:27,305
(piano music)

607
00:28:27,305 --> 00:28:28,773
(deep, booming piano chord)

608
00:28:28,773 --> 00:28:31,576
(piano music)

609
00:28:31,576 --> 00:28:34,245
(metallic echo)

