• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Spotlight

SPRank and IP Space Monitoring at BruCON & Hack.lu

Author avatar of Dhia MahjoubDhia Mahjoub
Updated — July 24, 2020 • 5 minute read
View blog >

In October, the OpenDNS research team was in Europe presenting new threat detection models at two renowned security conferences. First, Security Researcher Thomas Mathew and I (Dhia Mahjoub) presented at BruCON on Oct. 9 about a “Unified DNS View to Track Threats.” Then a couple weeks later I presented on Oct. 22 at Hack.lu about “A Collective View of Current Trends in Criminal Hosting Infrastructures.”

SPRank at BruCON

In the talk “Unified DNS View to Track Threats,” we discussed a new model dubbed Spike Rank or “SPRank” that leverages DNS traffic below recursive resolvers. We call this data “recursive DNS data.” Unlike previous models which primarily placed emphasis on features like ASN, BGP prefixes, and WHOIS information, SPRank analyzes traffic signals as the primary interest. The decision to move away from focusing heavily on ASN, IP, and WHOIS information as identifiers of threats came after a new series of threats began to emerge over the past year. The increase in exploit kit campaigns and “domain-shadowing” usage rendered many of the classical domain reputation or IP reputation methods ineffective. Traditionally, a domain reputation model will assign different scores to a domain based on the reputation of its IP host. These reputation scores are based on the historical “goodness” of an IP range or domain. Exploit kits using compromised domains pose problems to these models. Compromised domains that have a great historical reputation will easily fool a reputation system. Furthermore, cheap hosting makes it difficult to assign meaningful scores for IP reputation as new ranges appear having no historical context to provide it a score. SPRank avoids these issues by analyzing the DNS request patterns to a domain.

SPRank detects domains showing as a sudden surge — or a spike — in DNS queries issued from our 65 million worldwide clients towards our resolvers. These domains feature what we call the “spike behavior.” This behavior is typical of domains used for malware campaigns such as exploit kits, DGAs, fake software, Browlock, and phishing. But it can also be associated with spam domains, domains victimized for DNS amplification attacks, and a slew of other suspicious and even benign uses.

A major breakthrough of this model is it separates the detected domains into benign, suspicious, and malicious classes. Within the malicious class, we focus mainly on exploit kit domains. Exploit kits are currently the most efficient and widespread infection delivery method of financially motivated malware.

The other main advantage of SPRank is that it pinpoints inherent features of malware domains that criminals cannot easily change. Because of OpenDNS’s unique perspective of the Internet and its domains, we can distinguish between acquired or assigned features and inherent features. The assigned features of a domain include the lexical makeup, DGA setup (seed, algorithm), or the hosting, and registration choices. These features are controlled by adversaries, as they can change or update the features when needed. On the other hand, inherent features are related to traffic patterns that emerge globally from clients querying malware domains and are harder to obfuscate or change by the adversary. We are talking here about features such as the distribution of clients across IP space and geography, the geography of resolvers being used, query types, query volumes, domain traffic patterns, etc.

The SPRank system consists of a few main subsystems:

  • Spike Detection
  • Domain History Filter
  • QType Filter
  • Domain Records Filter
  • Expansion of threat intelligence via IP, prefix, ASN, hoster, fingerprint, and email pivoting

To learn more about the motivation behind SPRank, its details, components, and results, we invite you to check out our video of the talk at BruCON. The results of the model are very promising. It detects the most current and virulent malware campaigns such as Angler, RIG, and Nuclear exploit kits, in addition to DGAs, fake software, or phishing. Current exploit kit campaigns drop malware payloads ranging from crypto-ransomware, banking Trojans, and info stealers to bots used for DDoS, spam, or click-fraud, as the diagram below shows.

IP Space Monitoring at Hack.lu

In the talk “A Collective View of Current Trends in Criminal Hosting Infrastructures” at Hack.lu, I discussed a two-year long effort of research I’ve been conducting about malware hosting IP infrastructures. In this research, I discuss a selection of hosting patterns identified from analyzing DNS, IP space, BGP prefixes, and ASN peering relationships. These patterns have been adopted by suspicious and bulletproof hosting providers to harbor malicious content and deliver malware campaigns on a large scale. In these patterns, we distinguish between botnet-based hosting infrastructures and dedicated hosting providers. In the first category, I discussed a “hosting as a service” infrastructure used to host fast flux malware CnCs. In the second category, I cover eight different recorded hosting patterns:

  • Compromised domains, i.e. “domain shadowing”
  • Domain shadowing on multiple hosting IPs
  • Sibling peripheral ASNs and bulk malware IP setup
  • Leaf ASNs
  • Offshore registration and diversification of IP space
  • Rogue ASN and affiliated hosters
  • Abuse of large hosting providers
  • Shady hosts within larger hosting providers

We have been tracking “domain shadowing” for a few years now [1][2][3], and Cisco discussed it this year [4]. Despite being a widely known pattern, it is still being used by adversaries for delivering exploit kits, browlock and other suspicious content. We have also been tracking various variants of rogue and bulletproof hosting providers. A very noticeable pattern here is rogue or bulletproof providers register businesses in offshore jurisdictions in the Caribbean islands, Central America, or the Indian Ocean, and they diversify their IP space in both ARIN (North America) and RIPE (Europe) for resiliency and evasion. Below, we show the example of QHoster, a Bulgarian hoster registered in Belize with IP space in ARIN and RIPE, which has been hosting exploit kits and phishing campaigns for some time.

qhoster2

The combination of these patterns helps us design a model to monitor IP space usage for malicious purposes, and identify in a predictive fashion IP ranges that will be used for malware campaigns even before any domain is hosted on the IPs. This model has been successful in mitigating exploit kit campaigns such as Angler, RIG, and Nuclear.

The major advantage of this model is that it analyzes IP space with a much finer granularity than conventional IP, BGP, ASN reputation scoring methods. We focus on IP ranges that are smaller than the BGP prefix and that are operated by rogue hosts or purchased by criminal customers. We also analyze IP fingerprints to single out servers that share the same configurations and that are purchased in bulk and set up in advance to deliver malware and exploit kit campaigns.

Furthermore, if we confirm that IP ranges, ASNs, or hosts match several of these patterns at the same time, we can flag them with a high confidence as rogue, bulletproof, or heavily abused. We can then quarantine or block their IP space. Additional validation also comes from monitoring hosted content over time.

Stay tuned for future separate blogs in which we will discuss these hosting patterns in more detail.

The final takeway is that “SPRank” and “IP Monitoring” can work separately but they are much more efficient if they operate, in tandem, to provide a higher coverage and accuracy in detecting threats. Since we are faced with a massive amount of DNS and IP space data flowing in real time through our worldwide infrastructure, SPRank becomes crucial at finding entry points or seeds of malware domains for immediate blocking but also for “IP Monitoring” to further drill into associated indicators by pivoting around IPs, fingerprints, prefixes, ASNs, hosters, emails, content, etc to expand the intelligence graph and proactively mitigate attacks before they occur. At the same time, “IP Monitoring” can function in a standalone fashion by sweeping and scrutinizing IP ranges picked up by other models or feeds.

Suggested Blogs

  • Hitachi’s SASE: How Umbrella & Duo Delivered Identity and Security December 13, 2022 2 minute read
  • Why Using DNS for Protection Should Be Your First Line of Defense September 1, 2022 2 minute read
  • New Security for a World Where Everyone and Everything Are Connecting August 30, 2022 3 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella