APT ATTRIBUTION AND DNS PROFILING

APT ATTRIBUTION AND DNS PROFILING

Advanced Persistent Threat (APT) attacks are highly organized and are launched for prolonged periods. APT attacks exhibit discernible attributes or patterns. In order to maintain the command and control (c2) network redundant, APT attacks are generally embedded with multiple DNS names. An intuitive view is that APT attackers keep and control a high number of DNS-IP address pairs. Most of existing malware attribution works placed great emphasis on grouping the technological or behavioral contexts from the malware binaries. We studied a small sample of malware from a specific victim group who had been subjected to APT attacks. Our study indicates that the attackers follow some behavioral patterns of registering DNS domains and the frequently use of stable DNS-IP pairs. The gatherings of such evidence regarding malware binaries are not complicated. But it requires tedious online queries of open source information. We developed an automated solution to simplify the tasks of collecting and storing the information as a database for future analysis. Once the initial set of malicious DNS-IP pair, "parked domain" and "whois information" are identified; the database can be called to perform updates manually. This database can be used for further analysis by a visualization tool, and for identification of the possible identity or personas of the attackers. In our studies, we used Maltego for the analysis.

Presented by