The Internet moves fast. New websites are created everyday, new articles are shared through blogs or social media, fresh data is served through APIs, emerging threats are repeatedly setup behind bulletproof and ephemeral infrastructures. Monitoring these online activities is part of the daily job of any security researcher and using the appropriate tools is key to keep the amount of investigation work manageable.

At OpenDNS labs, we have been building and using our own custom tools to perform these operations. Today, we are excited to share with you our homemade web crawler / data aggregator called OG-Miner. OG stands for OpenDNS Graph or Open Graphiti (or even Original Gangsta :p ). It is one of our main internal projects and acts as a central part of many analysis and backend processes.

Find it on github at 

(Documentation available there).

About

A little bit of backstory, when we first started working on the OG-Miner several key design features needed to be considered. First of all we were sitting at the top of a huge knowledge base – our “OpenDNS Security Graph” – built from our authoritative and recursive DNS logs. Each piece of data can be accessed through our powerful Investigate API and allows security researchers to retrieve network metrics and features coming from our statistical models. At some point it became clear to us that we had to step back and start studying the topology of the connections built by our algorithms and therefore work with local graphs inside this immense Security Graph. We had to start mining our API data to understand its intrinsic structure.

We quickly realized that one of the most practical and simplest ways to crawl our graph data was to implement a customizable Breadth First Traversal. Even if you’re not familiar with graph theory the intuition is pretty straightforward: you start from a given vertex, you explore the neighbors of this node, the neighbors of the neighbors and so on… In essence you iterate on the graph by levels (i.e. depth).

Combined with the adequate graph visualization tool (see OpenGraphiti at www.opengraphiti.com), the result was a multitude of beautiful new graph datasets we were eager to decrypt and analyze (Example below). Data visualization is certainly helpful for research but turned out to be a most interesting weapon for our engineering, sales, and marketing department. For the first time, explaining the true nature of our security data and statistical models was a transparent process.

Ex: Infrastructure graph extracted from opendns.com (orange node) with a depth of 3

 

Security graph view of OpenDNS.com

For us this was a new perspective on our intelligence platform. But our data being mostly DNS-centric, the picture was not really complete without enriching our datasets with external APIs or libraries. There are plenty of other great data analytics out there and it would be a shame not to use them. This is the exact moment when we realized we had to go for a modular design to expand the mining capabilities or our tool. Indeed, you can integrate your own plugins to aggregate data, mine APIs or even apply any other sort of computation to your process (Ex: Local libraries, ML/Statistical models, Application monitoring etc.). The current default installation includes plugins for the OpenDNS Investigate API, VirusTotal, Shodan, MaxMind GeoIP, Selenium, HTTP, SSL, DNS and Whois and can very simply be extended.

After experimenting and playing with various ideas, we came up with a couple of new fresh innovative detection models and our engine had to be scalable and automatable to fit in a large scale real-time data processing pipeline. We opted for several modern technologies such as ZeroMQ & MongoDB and implemented some graph processing cooperation logic. This way, we were able to build a cluster of graph miners (crawlers / aggregators / processors / explorers…) working in harmony on the same central persistent graph without running into any collision or synchronization issues.

 

These detection models have been running very well for a while now constantly finding and blocking freshly discovered domains. Our engine has reached maturity and we believe the security scene will greatly benefit from this new security tool. We are happy to announce the official opensource release of this fancy new project for the Kaspersky Security Analyst Summit 2017 taking place in the beautiful island of Sint Maartens in the Caribbean.

This post is categorized in: