Last week, OpenDNS Research Labs attended FloCon 2016 where we presented two talks showcasing our latest work in threat research and development. 20160112_102629 First, Jeremiah O’Connor and Thibault Reuille presented “The Security Wolf of Wall Street: Fighting Crime with High-Frequency Classification and Natural Language Processing” The talk was received very nicely, and Thibault and Jeremiah enjoyed getting some great technical questions from the audience, which gave us some more fuel to go back and improve our system.

Then Dhia Mahjoub and Thomas Mathew presented “New DNS Traffic Analysis Techniques to Identify Global Internet Threats”. They covered their new model SPRank [1][2], which uses time series analysis and statistical features to efficiently identify malicious behavior in DNS traffic, particularly Exploit kits, phishing and DGAs. They also discussed how starting with SPRank detection, they expand the intelligence knowledge base by tracking bulletproof hosting infrastructures used by adversaries to host Exploit kits, and other malicious content [3]. They then introduced graph analytical methods to identify new clusters of DGAs in a graph of co-occurring domains as well as other DNS-based threats.


We also enjoyed several good talks varying in topic from network flow analysis to high performance computing including threat intelligence and graph analytics.

Insights from Dhia Mahjoub

There were several good and thought-provoking talks at FloCon. One of my favorites was “Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis” by Jason Trost, VP of Threat Research at ThreatStream. Jason provided an overview of various network and host based data collection elements he calls “sensors” that are essential to building actionable threat intelligence for research and forensics purposes. The sensor definition covers honeypots, IDS, protocol decoders, device fingerprinting, sinkholes, sandboxes, endpoints, etc. Jason also pointed out that it is equally as important to use “enrichment” data sets (internal or external) and join them with sensor collected events to provide more context and insight to analysts and threat researchers. Enrichment data sets include WHOIS, passive DNS, active probing data repositories (e.g. Shodan, Caida), malware meta data repositories, threat intelligence knowledge bases, various analytics and data from internal IT and IR environments like asset data, devices, etc. It was nice to catch up with Jason after the talks and share our experiences and anecdotes about threat research and engineering.

The social events at the hotel and the Daytona Motor Speedway offered another great venue to catch up with old friends, meet new friends, and discuss various topics around research and development, academia, and the challenges facing our industry.


Although, the weather in Daytona Beach was not your typical sunny and warm, I still enjoyed a nice view of the board walk from the hotel room.


Insights from Thibault Reuille

It was my first time speaking at a conference on the East Coast. I was pleased to discover a pretty different side of the security scene. Among all the interesting presentations, a very special one caught my attention and interest: Network Security Analytics, HPC Platforms, Hadoop, and Graphs…Oh, My.

Aaron Bossert, solution architect at Cray, explored a graph visualization and processing engine fully working on a Cray supercomputer. As some of you already know, graph theory is a subject which is pretty close to my heart, and it was a pleasure to discover the computing power of one of the top supercomputers in the world. With its highly parallel architecture and huge shared global memory capabilities, it can really take graph processing to the next level and open so many new doors for real-time data processing.

One of the key challenges of security analytics is to be able to process very large datasets (logs for example) in near real-time but also to build connections between internet actors at very high speed. If that problem can be solved, our next generation detection platforms could apply online topology-based detection systems. Pure gold.

After the presentation, I had the pleasure to talk a little bit with Aaron to get a full demo of the interface and share some war stories and learn a bit more about the Cray architecture and performances. Pretty inspiring!

I should also probably note the other thing that brightened my day: I won the TeleSoft raffle and had the pleasure of going home with a brand new Dji Phantom 3 drone! Lucky me ;). Thanks again TeleSoft for the belated Christmas present!


Insights from Thomas Mathew

Mark Mager from the US-CERT code analysis team gave a great talk titled Command and Control Mechanism Trends in Exploit Kits, RATs, APTs, and Other Malware. Mark provided an overview of the mechanisms APTs and Exploit kits use to first infect machines and then communicate remotely. Not surprisingly, infected office documents are a common infection vector. Exploit kits and APTs still rely on infected macros and VBScripts to call out to remote servers. Many RATs Mark examined used exeproxy as a means to send encrypted data over TCP port 443. To hinder reversing malware authors employ obfuscation and conditional statements that always present the same value. Many of the exploit kits do not use office documents, but Silverlight and Flash plugins. The big take away from the talk was that many RAT and APT authors are using traditional means of infecting their targets. Using very advanced techniques is not a common practice. However, RAT and APT threats have become a lot more modular in form.

Insights from Jeremiah O’Connor

It was a long journey across the country to Florida, but it was great to finally arrive at the Hilton Oceanside, Daytona Beach for FloCon 2016.


The first night was a very nice meet and greet reception put on for the speakers. The next day, the conference started and there was a great turnout with a healthy mix of industry professionals and academics:


After our team presentations we got to see a few presentations. Fellow Ciscans Blake Anderson, Alison Kendler, and David McGrew gave very interesting talks on Understanding Network Traffic Through Intraflow Data  and Classifying Encrypted Traffic with TLS-Aware Telemetry.


Overall it was a successful weekend, and we heard some very nice feedback about the OpenDNS presentations and the type of work we are doing at OpenDNS Labs. We celebrated by going out for a nice team dinner at the famous Hyde Park Steakhouse. Mission accomplished!


This post is categorized in: