I had the opportunity to present at BSides NOLA 2013 over Memorial Day weekend. The conference spanned three tracks and featured close to 20 talks covering current trends in security and Digital Forensics and Incident Response (DFIR).
I presented on the topic of “Discovering new malicious domains using DNS and big data, Case study: Fast Flux domains”, which also featured a demo of our Umbrella Security Graph tool. I discussed the algorithms and techniques we use at OpenDNS to discover large sets of new fast flux domains. Fast flux is a prevalent DNS-based technique used by attackers to evade blacklisting and take-down of their malicious domains. Despite having been around for several years, fast flux is still common, and is used by botnets such as Kelihos as well as by current spam, phishing, and malware delivery sites.
The techniques I showcased are based on machine learning and graph algorithms, and they leverage the power of big data technologies and large volumes of DNS traffic (both recursive and authoritative) that we have at OpenDNS.
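To make the idea of DNS-based fast flux discovery concrete, here is an added example (not OpenDNS's algorithm or code) that computes a few of the classic per-domain features from passive DNS observations and flags candidates. The sample records, the /24-prefix count used as a stand-in for hosting-provider diversity, and the thresholds are all constructed assumptions for illustration.

```python
"""Heuristic fast-flux candidate scoring over passive DNS observations.

Added example, not OpenDNS code. Illustrates the per-domain features a
DNS-based detector typically derives (IP churn, hosting diversity, TTL);
the real system on the page combines many more signals with graph and
machine-learning methods.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample passive-DNS records: (domain, epoch_seconds, A record, TTL).
# Addresses are drawn from documentation / shared-address ranges only.
SAMPLE_PDNS = [
    # Fast-flux-like: many IPs spread across many networks, short TTLs.
    ("flux-example.test", 1000, "192.0.2.10", 60),
    ("flux-example.test", 1060, "198.51.100.21", 120),
    ("flux-example.test", 1180, "203.0.113.5", 180),
    ("flux-example.test", 1360, "100.64.1.77", 60),
    ("flux-example.test", 1420, "100.64.2.9", 120),
    ("flux-example.test", 1540, "192.0.2.200", 180),
    ("flux-example.test", 1720, "198.51.100.88", 60),
    ("flux-example.test", 1780, "203.0.113.140", 120),
    # CDN-like: short TTLs and several IPs, but all inside two networks.
    ("cdn-like.test", 1000, "203.0.113.10", 20),
    ("cdn-like.test", 1020, "203.0.113.11", 20),
    ("cdn-like.test", 1040, "203.0.113.12", 20),
    ("cdn-like.test", 1060, "198.51.100.10", 20),
    ("cdn-like.test", 1080, "198.51.100.11", 20),
    ("cdn-like.test", 1100, "198.51.100.12", 20),
    # Ordinary site: one stable IP, long TTL.
    ("stable-site.test", 1000, "192.0.2.50", 3600),
    ("stable-site.test", 4600, "192.0.2.50", 3600),
    ("stable-site.test", 8200, "192.0.2.50", 3600),
]


@dataclass
class DomainFeatures:
    domain: str
    observations: int
    distinct_ips: int
    distinct_prefixes: int   # distinct /24 networks; assumed proxy for ASN diversity
    mean_ttl: float
    ip_churn: float          # distinct_ips / observations


def extract_features(records):
    """Aggregate raw (domain, time, ip, ttl) rows into per-domain features."""
    by_domain = defaultdict(list)
    for domain, _ts, ip, ttl in records:
        by_domain[domain].append((ip, ttl))

    features = {}
    for domain, obs in by_domain.items():
        ips = {ip for ip, _ in obs}
        # Collapse each address to its /24 so churn inside one block counts once.
        prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        mean_ttl = sum(ttl for _, ttl in obs) / len(obs)
        features[domain] = DomainFeatures(
            domain=domain,
            observations=len(obs),
            distinct_ips=len(ips),
            distinct_prefixes=len(prefixes),
            mean_ttl=mean_ttl,
            ip_churn=len(ips) / len(obs),
        )
    return features


def is_fast_flux_candidate(f, min_ips=5, min_prefixes=3, max_ttl=300):
    """Assumed thresholds: many IPs, spread over many networks, short TTLs.
    Requiring network diversity is what keeps the CDN-like domain out."""
    return (f.distinct_ips >= min_ips
            and f.distinct_prefixes >= min_prefixes
            and f.mean_ttl <= max_ttl)


def find_candidates(records, **thresholds):
    """Return the sorted list of domains whose features look fast-flux-like."""
    feats = extract_features(records)
    return sorted(d for d, f in feats.items() if is_fast_flux_candidate(f, **thresholds))


if __name__ == "__main__":
    for name, f in sorted(extract_features(SAMPLE_PDNS).items()):
        print(f"{name:20} ips={f.distinct_ips} /24s={f.distinct_prefixes} "
              f"mean_ttl={f.mean_ttl:.0f} churn={f.ip_churn:.2f}")
    print("candidates:", find_candidates(SAMPLE_PDNS))
```

The CDN-like domain shows why IP count and TTL alone are not enough: legitimate content delivery also rotates addresses with short TTLs, so a detector needs a diversity signal (here the /24 count, in practice ASN or country spread) and, as the talk describes, a much larger volume of traffic to separate the two populations reliably.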
All of the presentations were exceptional, but I wanted to share details on a few of my favorites.
Securenomics – Mike Murray, MAD Security
Mike from MAD Security began the day with his keynote, “Securenomics – The Evolving Vulnerability Landscape and its Implications,” which stressed how the wide spectrum of attack vectors (human/organization, network, server, and client applications) makes the job of security professionals much more stressful and demanding. Mike also spoke about security education – how organizations should focus on a learn-by-doing strategy rather than working towards certifications and credentials. He shared several online resources that help with that:
Code school http://www.codeschool.com/
Khan academy https://www.khanacademy.org/
Sick Anti-Analysis Mechanisms in the Wild – Alissa Torres, Mandiant
Alissa Torres from Mandiant, a SANS instructor, gave a detailed overview of the techniques and tools that malware uses to evade manual and automated analysis. These techniques fall into the categories of anti-disassembly, anti-debugging, obfuscation and anti-virtualization.
Plaso: reinventing the super timeline – Kristinn Guðjónsson, Google
Kristinn presented the timeline analysis tool Plaso which automates the correlation between multiple data sources into a single timeline. A Python-based back-end engine, Plaso is very useful for parsing various log files and forensic artifacts from computers and network equipment to produce a single correlated timeline.
Reverse Engineering – Jimmy Wylie, Fortego
Jimmy hosted a workshop-style presentation that gave a thorough outline of reversing basics, tools, and technologies (CPU registers, assembly, debuggers, IDA Pro, static analysis, behavioral analysis, etc.) and concluded with hands-on reverse engineering exercises.
After the conference, it was obviously time to have some fun, and New Orleans is certainly not short on that. The OpenDNS crew enjoyed local specialties such as turtle soup, exploring the French Quarter, and gator foodstuffs.
If you want a challenge, you should stop by the Pepper Palace. There, I had the misfortune to try the “hottest sauce in the universe 2nd dimension” (sic). Any sauce that requires legal documentation before you try it is not fooling around – as I learned the hard way.
Overall, BSides NOLA was a great experience, and an opportunity for me to meet many skilled and passionate security professionals. Thank you to the organizers and all the folks who made it happen.