Speakers: Fruhwirth, Proschinger, Lendl, Savola<\/p>\n
“On the use of name server log data as input for security measurements”<\/p>\n
\u00a0<\/p>\n
CERT.at ERT<\/strong><\/p>\n \u00a0<\/p>\n Why name server data?<\/strong><\/p>\n \u00a0<\/p>\n DNS 101<\/strong><\/p>\n \u00a0<\/p>\n DNS Reporting View<\/strong><\/p>\n DNS view is a matrix for stakeholders and security chain\/measurements<\/p>\n Vuln\u00a0CERT | Large Co | SME | User<\/p>\n Exp third dimension – field of view – DNS hierarchy changes view picture<\/p>\n \u00a0<\/p>\n 4 example use cases CERT.at worked on:<\/p>\n Aurora<\/strong><\/p>\n \/me: their matrix analysis makes it easy to see where DNS logs provided insigne to signs of vuln, severity of threat per stakeholder, whether it was something an org could have identified on their own (data source)<\/p>\n \u00a0<\/p>\n Conficker<\/strong><\/p>\n Pseudorandom domains B-250 regs\/day, C-450 .at domains\/day<\/p>\n Aconet CERT runs nameservers and a sinkhole<\/p>\n CERT.at uses the DNS data to generate warnings<\/p>\n \/me: the table view shows that you can both detect with DNS and deploy countermeasures with DNS (and what org can do what)<\/p>\n \u00a0<\/p>\n Kaminsky DNS Bug<\/strong><\/p>\n CERT.at used logs to score resolvers<\/p>\n score = port changes\/queries & ports\/min \u00a0(higher score == better)<\/p>\n they were able to see how quickly servers were patched (very interesting view)<\/p>\n \/me: the chart is a bit hard to read but it shows the difficulty of not having a larger view of DNS to help detect subtle issues like this one<\/p>\n \u00a0<\/p>\n Stuxnet<\/strong><\/p>\n CnC attempts visible in DNS logs<\/p>\n \/me: the chart shows that if you knew the domains, you could have detected in your own network<\/p>\n \u00a0<\/p>\n There are blind points: lack of visibility in top-down view; DNS can’t really show severity<\/p>\n info exchange on signs of exploited vulns; focus on info exchange of incidents<\/p>\n [side-talk: how do we incent folks to share data… “ask nicely!”…]<\/p>\n [side-talk: what % did not know who CERT.at was? 80% of crit infra knew; highly dependent on sector; CERT.at deliberately hired across sectors to help promote \/me: good q]<\/p>\n [side-talk: good discussion on CERT practices; how they detect and then how they engage constituents]<\/p>\n","protected":false},"excerpt":{"rendered":" Speakers: Fruhwirth, Proschinger, Lendl, Savola “On the use of name server log data as input for security measurements” \u00a0 CERT.at ERT coordinate sec efforts & inc resp for IT sec prblms on a national level in Austria constituted of IT company security teams and local CERTs \u00a0 Why name server data? CERT.at is mandated to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[3,47,4],"tags":[219,217,743,222,220,218,221],"class_list":["post-129","post","type-post","status-publish","format-standard","hentry","category-information-security","category-metrics","category-risk","tag-aurora","tag-conficker","tag-dns","tag-domain-name-system","tag-internet-protocols","tag-large-co","tag-partition-coefficient"],"yoast_head":"\n\n
\n
\n
Threat
Risk
Countermasure
Incident<\/p>\n\n