
Something's Phishy: See the Hook Before the Bait

BSidesSF · 2025 · 31:44 · 80 views · Published 2025-06
About this talk
Malachi Walker explores how to detect malicious infrastructure before it becomes a public indicator of compromise. Using domain intelligence analysis and passive DNS techniques, the talk demonstrates how to identify adversary infrastructure patterns early—including phishing domains, watering holes, and C2 communications—and reduce incident response dwell time by pivoting on DNS artifacts.
Original YouTube description: Something's Phishy: See the Hook Before the Bait. Malachi Walker. If you see a phishing email or domain that's a public IoC, it's already too late. Our research team's approach to threat detection finds more DNS artifacts and adversary infrastructure as they are created and maps intent before it can be weaponized. This session will show how you can do the same. https://bsidessf2025.sched.com/event/0295de7a3a79da97fb89a9573f59eb0c
Transcript [en]

It is my great pleasure to introduce Malachi Walker. Take it away. Thank you, Damian. Thank you all for coming to my talk, Something's Phishy: See the Hook Before the Bait. So, just a show of hands here: how many people saw this title and are kind of expecting me to talk about phishing lures, maybe email phishing, you know, something related to that? All right. And then how many of you read the abstract and saw that we're actually probably going to be talking a little bit more about DNS, adversary infrastructure, and how it relates to not just phishing but malware, spam, and other threats? So the title itself was the bait, and the abstract was the hook.

Still, I didn't see all the hands go up. So how many of you maybe didn't read the abstract, but you still heard my tone and decided, "I'm not going to raise my hand for that"? That's another way of seeing the hook before the bait. And that's kind of what we want to get into today with this discussion: there are many different ways to see the hook before the bait. I'm going to be presenting one point of view that's backed by research from our newly released DomainTools investigation report and some different patterns of malicious infrastructure that we found. But ultimately, you know, this is supposed to be the rising tide that

lifts all boats. We're here as the infosec community to come together and share ideas, and I know that there are a lot of perspectives that go beyond just this one point of view. I'm interested in hearing your perspectives, and I think this will hopefully lead to some great idea sharing all throughout this week, as we've got a lot of great leaders in infosec together in one place. So why the Game of Thrones map of Westeros? I thought, with the theming of "here be dragons" and also the nautical theme of fishing, one of the best ways to weave that together was one of my favorite series, A Song of Ice and Fire. But just know all of these images

are licensed by HBO and George R. R. Martin. I don't own anything. I don't want to be caught in court and give him something to distract him from finishing The Winds of Winter. You heard we're going to get that, right? Like, you know, he said he's going to actually work on finishing it. He understands it's something he has to do. So The Winds of Winter, Grand Theft Auto 6, things are looking up. The wait's almost over. As long as you're not waiting for, like, Half-Life 3. So if we think about Westeros, though, the most powerful families are the ones that were laying siege and taking control of the different ports, right? So you've got

Meereen, you've got King's Landing, and of course you've got Casterly Rock and Lannisport. I think it's interesting and kind of coincidental that phishing campaigns are also a way and means by which threat actors try to lay siege and take great control as well. And then you take it a step further: if someone's launching a phishing attack and they know about the third parties that their target is interacting with, they can make a lot more focused attacks, which also kind of have a similar theme. I don't know if we call it nautical or not. Does anyone have the name for that one? The word I was looking for was watering hole. So there's going to be

kind of a blend of dragons, fish, and water in this presentation, but we're going to talk about DNS, those patterns of malicious infrastructure that we found in the investigations report, and then different ways to identify indicators of compromise. I'll walk through two examples of phishing-related domains that I found, and then we'll recap and see how this relates to the greater conversation of seeing the hook before the bait. So let's jump into it. A little icebreaker: are there a lot of Game of Thrones fans in the room right now? Okay. So raise your hand if your favorite house is Targaryen. All right. Not many fans of

that. What if you like Lannister? Anyone a fan of House Lannister? Baratheon. Stark. There we go. Okay, good. Because, all right, we obviously got the dragon theme. I put a lot of Targaryen stuff in there, but my favorite house is House Stark, so you'll definitely see some wolves in here as well. All right, so let's get into the data, right? Think about the theory about all the different events and logs that you interact with. I understand there's nothing on the screen right now, but if you're in threat hunting or incident response, there are probably a lot of times when you've run into an incident and you're telling yourself there's no way it's

DNS. It's not DNS. It just can't be DNS. But the truth is, it's usually always DNS. Everything is a DNS problem. It can be incredibly complicated, but it can also be valuable to threat hunters, incident responders, and security teams. The same goes for attackers, unfortunately. So it's important to think about that as a basis. And it could be a great early sign of trouble to help fuel a lot of different investigations and responses to threats related to phishing. So, another theming, right? San Francisco. One of my favorite shows that took place in San Francisco that I watched growing up was That's So Raven. And so imagine you're in the

SOC. And for some of you, you don't have to imagine. It's 5:30 on a Friday and something throws an alert for you. You see a data hemorrhage, and this data is being exfiltrated to an appropriately named "employee portal login" .com domain. All right, no problem. We'll stop the leak for now, but the incident responders in the audience know that this is where the real work begins, because you have a lot of questions after the exfiltration has taken place, like: how long have they been inside, right? Am I reducing dwell time? Why didn't my threat intelligence feeds pick this up in the first place? And if it's going to this domain, where else is it going? And I

understand that you didn't necessarily come to this talk for questions. But you came here for answers. And yes, the answer is DNS. It's incredibly related to all of the different common attacks, because if you think about phishing, right? If a threat actor is going to spin up a phishing campaign, they're going to do it on the internet, and then they're going to create an email address to send the lure, and they might even create another website that the lure is going to live in. And so think about that internet infrastructure that fuels the phishing campaign, and that can be a great way of getting more towards the root rather than

kind of the symptom. So this stat from Verizon is actually fairly generous. Infoblox has the number up at 93%. And if you're, you know, getting started out in infosec, this could be a great way to find some easy wins. Think about where most threats are coming from and take that approach of addressing it that way, and you'll see a lot more coverage and hopefully a lot more success earlier to get those quick wins. So you came here for phishing and you're not really wanting to talk too much about DNS. So let's just get a little bit of a DNS primer, for those that might just need a refresher. I was worried that

Shedeur wouldn't be drafted by the time I gave this presentation, but luckily the Browns got him. So if you think about DNS, right, if you have an internet-of-things-connected device, like this computer or a phone, this watch, sometimes even a smart toothbrush, and it wants to visit a website, you're going to have to ask a question, or a query, to a recursive DNS server. There are going to be times where, if you visit the website enough, it'll be cached and it can bypass a lot of these other servers. If you're visiting for the first time, it might have to resolve through the DNS server to a root name

server, down to a TLD (top-level domain) server. We'll get into more of that data later. And then, if necessary, an authoritative name server, just so you can access the website. This happens really quickly. But the internet infrastructure behind it can be incredibly interesting. In fact, we consider it forensic gold, right? It's readily available and it's rich in context, right? There might be a way that threat actors can use DNS to lie, but it's very hard for them to use DNS to hide. It's going to be an early signal of internet activity. If you can find those domains related to the lure, for example, or the email that's sending out those lures, before it goes into

Linda from accounting's inbox and they send $500 in gift cards to the CEO, then it can lead to a lot more success in being proactive and protecting your organization's revenue and reputation. So when we think about domains themselves as they relate to DNS, when you see a domain name in a log or an alert, the domain name can carry the attacker's intent with it, right? So you could see one in the example where it's meant to fool humans, like the exfiltration example where we went through the "employee portal login" .com domain and had data exfiltrated there, but you can also see ones that look like they're written in High Valyrian, and those ones are likely meant to

fool machines and can also be used for expo targets. And so when you think about the intent behind a domain, like a typosquat, for example, like that Blue Cross or Kaiser Permanente one, where it's just slightly off and it doesn't necessarily look like it's really associated with the brand, but on a quick glance it could fool someone. That's a great way to spot different domains that might be meant to fool humans and might not have the most reliable infrastructure. And that's all a way to see domains as that first green point, which is a characterizer. It'll tell us a lot about what the domain is and what the intent is behind it. But domains can

also be a connector, because when domains are being registered, you're using email addresses, IP addresses. There are a lot of different ingredients that go into getting a domain registered. And a lot of times actors can reuse that from one domain to make another one. And so instead of worrying about the one domain that you are seeing, you can use that as a connector to a bunch that you might not be seeing. And then finally, it's an identifier, right? So, you know, not all the time will you see someone put their real information when they're registering a domain for a malicious attack, but you'd be surprised at how much you do see that happen.

Oftentimes, especially with the introduction of LLMs, a lot of people think they can go ahead and be spinning up phishing campaigns, and they'll use their full government name, their whole phone number, their address, and tie it all directly to a domain that they're using in a malicious attack. But even if they don't use their real information, they're likely reusing that fake information. And that can help you paint a picture of the rest of their infrastructure. Of course, there are some of you who are really experienced in the infosec community, and you might have thought of DNS as an important tool but ultimately feel like it might have some limitations,

and it was created 40 years ago. So there are some limitations that are important to acknowledge, like: times were a little simpler 40 years ago, and it didn't necessarily assume deceptiveness. And so, back to what I said a couple of slides ago, you can't necessarily hide with DNS, but you can lie. If I visit a website and look at the DNS information on one day, it could be a lot different than if I did a week later. And so adversaries are able, after they weaponize their infrastructure, to change it around and try to keep you following breadcrumbs. So for those who are wondering how do I get around these

limitations and still use DNS to identify different indicators of activity, I'd like to introduce the concept of passive DNS. Right? So hopefully some ideas and use cases are starting to spin for those who are unfamiliar altogether. And active DNS can be a great way to just get started and dive into infrastructure and be a little bit more left of trouble. But to make this talk as applicable to everyone as possible, I also want to talk about passive DNS, which is that next step in aggressively identifying infrastructure and making connections between one data point and another. I'll give it a pause just so you can see the differences and nuance

between regular and passive DNS. But if you're more of a visual person, don't worry, I have you in the next slide. Just trying to stay on time. So I will shift now. But if you think about that first image on regular DNS and how it went through the name server to reach the website, passive DNS is happening kind of above it and around it. And therefore it's privacy by design. And so the person making the query, if they're doing it via passive DNS, is doing so unknown. And so you can make multiple queries on a website that you might be investigating, and the person you're investigating, who's behind maybe a threat campaign that you're

trying to map out, won't know and will be less likely to change that infrastructure. So passive DNS is all about making those connections. Going back to that "domain contains intent" portion of the discussion, it's important to use your judgment when you're looking at these domains and the related subdomains to assess goodness or badness, because passive DNS isn't necessarily about goodness and badness. It's about making those connections. One huge advantage that it has over using regular DNS alone is that regular DNS was never designed, 40 years ago, to resolve from an IP address to a domain. But passive DNS can do that. Now, DNS can go from domain to IP address, but

passive DNS can do the reverse. In fact, there are a lot of different pivot points that you can utilize passive DNS for. I have them up on the screen, so feel free to take a picture. If not, I think this will be on YouTube later. And then, for those unfamiliar, FQDN stands for fully qualified domain name, and that will specify the exact location of a computer or internet host. So from a forensic perspective, this is gold right here. This can be a great way for you to take one data point that you are seeing and branch it off into different points that you're not. So I'll just pause for a second, let everyone get a

picture in, and we'll talk about the Starks, right? So it's about tracking the wolf to find the pack. DNS is not just useful for responding to incidents and protecting your organization, but for you threat hunters who are actively looking for more information before trouble has occurred. You can always assume that one part of an alert might lead to something else that's unknown or unseen. If you think about wolves, the term lone wolf is kind of deceiving, because wolves rarely operate alone. They operate in packs, much like the direwolves that, you know, Arya ran into with Nymeria. So you can always think about domains in that same sense, where it's very rare that a threat actor

is going to get in with one piece of infrastructure, one domain, and that's it. It's likely that it's going to be part of a larger ecosystem, and then it's likely that that threat actor themselves is not operating alone. A lot of times these threat actors are sharing and reusing resources. You know, they can be lazy too, and we can exploit that to analyze one part and expose the other. They think that you have to be right every single time and they only have to be right twice. But if you're in a threat hunting landscape, that shifts it on its face: play the UNO reverse card, and now they're the ones that are running for cover. So the way and

approach that we took in our 2025 DomainTools investigation report is domain intelligence analysis. And this is a great way to proactively identify malicious infrastructure, but it also shows how these techniques evolve. I'm going to give a little bit of a preview of what those patterns of malicious infrastructure look like. But if you want to see more, I have the full report available. I apologize to the marketing team; we're not going to want to collect any emails from anyone who's interested right here. So I'll have my email at the end of this. I'll send it to you ungated, and then that can be the last interaction we have, if you want. Right? So one of

the things we were able to visualize is the convergence of high-risk attributes. Right? This 3D scatter plot visualizes those top registrars, ISPs, and name server domains, all on their own axis. And I'm so glad that we're presenting on this big screen, because you see this domain count that goes up to yellow and everything's purple, right? But if you look right by Aftermarket.pl Limited, you'll see the concentration of the high-count domains. And it will be clear in the report as well. But a concentration of domains on few service providers like this suggests that there are dominant provider groupings. But if we take a look at the scatter

plot from two different perspectives, this is the same data, just visualized in a different way. You see this convergence on name server domain and registrar, not so much on ISPs, but ultimately you see a lot of purple, right? There aren't that many combinations that are consistently being chosen together when it comes to higher volumes observed. So a significant spread indicates that there's a diverse provider combination in terms of these high-risk attributes. And so maybe it's better to think about how this infrastructure is being weaponized in the first place by threat actors. So when you think about the MITRE ATT&CK framework, you can already see in your head probably a lot

of different ways that techniques, not just phishing, would involve DNS, right? There are a lot of examples like initial access, lateral movement. Of course you have internal spearphishing, which is what we talked about today with seeing the hook before the bait. But it goes all the way down the line into the C2 example that we talked about with our exfiltration to the "employee portal login" domain as well. So all of these involvements make it clear that domains are sprinkled throughout the ways the adversaries use infrastructure, and addressing it at that one point can be a great way to look at all of these different tactics. So how do they develop this

infrastructure if they want to use it for these purposes, right? Oftentimes when you're detecting these threats, they're coming into your network or you've already been hit, and so you're in that orange quadrant right there where they're using it. But adversaries themselves are looking to get in, get what they need, and get out, burn that infrastructure, and start over. It's happening in a cycle. And detection on this side, when it's already being weaponized, is late, because you're trying to put out the fires. It's the weekend, most likely. They're trying to take advantage of, you know, making sure that you're out recovering your data and information, and harm is already occurring. And we don't want that,

because there's less context than we can get from detection when they're preparing. Think about that phishing example when the domain is actually being spun up before the lure is out. Or if we think about the fishing example, if you could find the hook before it's even being cast in the water, that's going to be ideal, right? You're going to see early warnings of these emerging campaigns, you're able to take a more proactive stance, and you're going to be able to find out more about who's targeting your organization. And if someone's after me, my organization, my employees, you can bet I want to know everything about who's targeting my infrastructure. So here's another visual on how the

campaign would be developed over time. They're going to stand up that stream of domains, and then they'll quickly replace it once they see it on a block list. I'll get more into the limitations of block lists later, but the theme is just that we want to try to detect that infrastructure as early as possible. So another thing that we dive into with the report is top-level domains. So what's shown is a chart of the top TLDs of 2024, for new ones, and their counts. So it's safe to assume that most nefarious traffic is still going to come in on the most common

TLDs like .com, .org, or .net. But what's unique about these new TLDs is, if you have a security product that's, you know, trying to flag all of this different traffic coming through, it might be catching a lot of the .com, .org, .net that it's supposed to, but it's relatively static. And so as these new domain registration opportunities come in, there's just going to be a lot more opportunity for traffic to go undetected when it follows one of these TLDs. And like I said, a lot of these can be legitimate domains that are under these new TLDs. A lot of people use them because it's cheaper, or sometimes it's even free, to register a domain using

this TLD rather than .com. But you see the spike of activity as soon as a new TLD is introduced. A lot of people are scrambling to register domains. Some of them very legitimate, but ultimately it provides a lot of cover for threat actors to use malicious TLDs under this cover. So this could be good low-hanging fruit for some automated blocking. We'll get into that later in the example portion. But the other, final takeaway I wanted to bring in from the DomainTools investigation report is the impact that we're seeing in high-publicity events, like in California, right. You probably

saw a lot of conversations about the wildfires, and it's no coincidence that threat actors are utilizing this and taking advantage of it as well. They want to subvert your trust and use high-emotion and high-publicity events to invoke some kind of emotion, lower your guard, and, you know, be more likely to do harm and hunt you. But the thing about "here be dragons" is that dragons can be hunted too. So with adversary infrastructure analysis, we can find out more about who might be targeting our organizations, or ourselves personally, and know more about what to monitor for. So I'll introduce two catches of the day, of how I

found this in the wild. So one that I found was an Instagram one. So I did a search on "support", right? I was looking for domains that match "support". My theory was that, you know, thinking about that email supportlogin.com, there are probably going to be a lot of different domains related to the idea of support and trying to get you to, you know, fork over some credentials, whether it's a crypto wallet or, as seen here, Instagramup support-e.com, and as you can see, that's what the screenshot of that domain looks like. And we saw some connections also with support domains for crypto.com support-online, Instagram support.com like we talked about, but then even FDIC.UP support. So

it seems like this has been a tactic that threat actors like to use. And the problem with waiting for it to occur on a block list is that you can find that it might not be on the block list. Block lists rely on observations to be known in the wild, which requires people to get hurt in the wild. And also, some threat actors have domains that are just for us. So, as you see, no one has flagged this domain yet, and oftentimes threat actors are monitoring these block lists, like all 97 of the ones that rated it as zero, and once they see their infrastructure on there, that's their

sign that it's time to get out and, you know, cover their tracks. So if you can find infrastructure while it's at a zero, you're going to be a lot more likely to make more connections and uncover some adversary infrastructure. And so here's another example of a domain I found, trustwalletup support.com, and it had a screenshot that tried to get, you know, crypto identification too. So you can see that there's some clear intent behind it, and, you know, I wouldn't necessarily recommend visiting all of these different websites. You know, maybe you could use a virtual machine or something, but oftentimes there are also tools you can use where you can

just do some web scraping and not have to engage with it yourself, but I wanted to put that disclaimer in there. And then passive DNS resolves to show those changes over time, but as you can see in that second row, mail trustwallet.com, there's a clear indication that they want to use this for phishing activity. All right. So another tool that's really good to use, not just, I know this is the blue team track, but this is a really good tool for red teaming if you want to, you know, test organizational resilience and work within Kali Linux: I recommend taking a look at SpiderFoot to get more data and full visibility, and then configure your

own SIEM to prioritize domains. Right? So this is how I have my Splunk set up, but you can do this in your Cribl, in your next-gen SIEM, whatever the hottest SIEM out is right now, and take a similar approach where you're prioritizing data. So I'm focusing on young domains, and then I'm trying to find domains that might be exploited, and then newly observed domains. So anything that's under 48 hours old, there's no reason I need to interact with it. Now, not all young domains are bad, but a lot of bad domains are young. So it's just better to operate with that kind of caution, and you can automate a lot of these in a SOAR. So this is using it

through Cortex XSOAR, for an example. And then different patterns that you can think about when you're looking for different anomalies that would indicate potential threats. But the point is, try to configure a lot of the tools that you're already using with DNS at the forefront. So then let's take a look at passive DNS. Right? I did a search on an IP address and used passive DNS to find other domains that were associated with it. And by using regular expressions on this care-home.co domain, I found a lot of gnarly-looking subdomains with a lot of different record types. And you can plug in these patterns. I correlated these findings by plugging in these patterns

into Copilot. But if you have ChatGPT or Claude, I know my CISO is probably wanting to wring my neck right now, but, you know, we won't use it with our devices, we'll only use our approved devices, but if you use it on your personal device, you can probably get a lot of these results on GPT and Claude right now too. So as you can see, after doing some regular expressions, you see that it resolves to a whole lot of mail servers, which, you know, you have your idea of passive DNS as a connector, but then also you're seeing that it's connecting to a lot of mail domains with kind of suspicious-looking strings on them, and

that can help you provide more context that maybe this isn't exactly the most reliable infrastructure that we want our devices to interact with. So what I want to do now is revisit that "oh snap" moment where we saw our data being exfiltrated and had to answer a lot of questions. Right? If you're thinking about DNS and you have a lot of your existing tools, or you're just kind of tool-limited, and you're configuring it with DNS at the top of your mind, you can make connections from the domain that data is being exfiltrated to in an incident response use case to discover a lot of other related domains, whether it's in your SIEM or however you're

finding those threats, and you can now reduce dwell time and find other low-hanging fruit to block, but also make other connections. So it's a great way to find lesser-thought-about connections and take the pressure off of you and put the adversaries back on their toes. So let's recap with some lessons from Westeros. Dragons are scary, but you can stand up to them. If you've watched House of the Dragon, you saw that, you know, one of the most powerful characters on the show, Daemon Targaryen, kind of got humbled by this little kid from House Tully, right? If we're the fish, we can go and hunt for dragons, too. If you've watched

The Other Guys, you know, maybe we've just developed a taste for lion, and now we're working together. We're information sharing. We've developed an apparatus. In 3 days, 3 weeks, we're going to go out and we're going to get a taste of lion. We've decided lion tastes good. So use that "power is power" and reveal that unknown infrastructure and fight back. The benefits: of course you've got context, you're making more connections, and you have the confidence that what you're seeing is a priority, that you're acting more proactively, and that you can discover more. So if you're a new person to information security or you're new to the SOC, hopefully you're finding a

great way to get started and become more efficient. And then if you're experienced, hopefully this provided another perspective that you can take. I really encourage everyone to check out the DomainTools investigation report. So reach out to me and I'll email it to you, and, you know, I would love to see how the discussion gets built on and what other techniques we find to continue to be resilient against threat actors, because as I gave this talk, 6,000 new domains were registered and a tenth of them were malicious. So the badness is out there and it's time for us to get hunting. Feel free to ask any questions, and thank you so much. Feel free to

reach out to that email if you want the investigations report. I'll send it to you and then that'll be the last that you hear from me. And we'll be good to go. Well, that was a fantastic talk. Thank you, Malachi. We do have a question already in Slido. Oh, nice. So I will read that off first. If anyone else has questions, please submit them using the QR code right there and I'll read them out for you. We've got another minute or two before we have to move on to prepping for this. Okay, I'll try to answer this quickly. Yeah. How, if at all, do WHOIS privacy reduction efforts affect all

the data that you use for threat hunting? Bit of a broken... the data that we use. So we use WHOIS and RDAP data on our research team for threat hunting. And so I think that using the historical context behind it can still be incredibly helpful, and a lot of people aren't necessarily turning off their servers, and they still are resolving there. So we're still getting a lot of information on the WHOIS side too. But looking back in time can be incredibly helpful too. And then if you see "redacted for privacy", if that was the question, for the domains that you're interested in, sometimes you can still see what

name servers they're using. And so if you see one brand is using GoDaddy to register all of their domains and subdomains as of recent, in the last month, and then you see a new domain that's using Hostinger or Namecheap, then chances are those ones are not related. So it can require a little bit more creativity. Personally, on our research side, we've been able to work around it, and passive DNS has been helpful at making those connections. But, yeah. All right. That's all the questions I have right now. We have time for one more if anyone in the crowd wants to raise their hand and take one over here. How much are you acting on this

intelligence and how much of that are you...? The question is how much of this intelligence are you acting on and how much are you automating? So me personally, I'm not acting on any of it. I'm kind of sharing the findings from our research team. And so I'm more doing it for, like, presenting this information and trying to give you all something else that you can act on and automate. But if you want to talk to me afterwards, I have some people from our research team, and they can tell you how that breakdown works. All right. That is all the time we have for Q&A in this

theater. Sounds like, Malachi, you'll be up in the lounge later. Yeah. Yeah. Feel free to catch up with him then. Thank you everyone for attending, and thank you again for the fantastic talk.
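The workflow the talk walks through (pivot from one indicator through passive DNS to related FQDNs, prioritize domains registered or first observed under 48 hours ago, and flag suspicious mail-server-style subdomain labels with a regular expression) as an added Python example; it is not code from the talk, from DomainTools or from any SIEM. Every record, hostname, IP address and date in it is constructed sample data, and the two-label registrable-domain helper is a simplification that assumes single-label TLDs.

```python
"""Rank DNS artifacts the way the talk describes: pivot from one observed
indicator (an IP) through passive DNS to every FQDN that resolved to it, then
score those FQDNs by domain age (young domains first), by newly-observed
status and by suspicious mail-server-style subdomain labels.
All records, names and dates below are constructed sample data, not real
observations (added example, not code from the talk or from DomainTools)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PdnsRecord:
    fqdn: str             # fully qualified domain name that was observed
    rrtype: str           # DNS record type (A, MX, ...)
    rdata: str            # resolved value (IP for A, hostname for MX)
    first_seen: datetime  # when the passive sensor first saw this pair


# "5:30 on a Friday" from the talk, used as the reference time (constructed).
NOW = datetime(2025, 5, 2, 17, 30, tzinfo=timezone.utc)

# Constructed passive-DNS observations: one IP shared by several hostnames.
PDNS = [
    PdnsRecord("employee-portal-login.example", "A", "198.51.100.7", NOW - timedelta(hours=20)),
    PdnsRecord("trustwallet-support.example", "A", "198.51.100.7", NOW - timedelta(hours=30)),
    PdnsRecord("mail.trustwallet-support.example", "MX", "mx.trustwallet-support.example", NOW - timedelta(hours=29)),
    PdnsRecord("care-home.example", "A", "198.51.100.7", NOW - timedelta(days=400)),
    PdnsRecord("mail-x9k2q.care-home.example", "A", "198.51.100.7", NOW - timedelta(hours=6)),
    PdnsRecord("smtp-7fh3z.care-home.example", "A", "198.51.100.7", NOW - timedelta(hours=5)),
    PdnsRecord("www.legit-vendor.example", "A", "203.0.113.9", NOW - timedelta(days=900)),
]

# Constructed WHOIS/RDAP creation dates for the registrable domains.
CREATED = {
    "employee-portal-login.example": NOW - timedelta(hours=26),
    "trustwallet-support.example": NOW - timedelta(hours=40),
    "care-home.example": NOW - timedelta(days=1200),
    "legit-vendor.example": NOW - timedelta(days=3000),
}

# Mail-server-style first label with a random-looking alphanumeric suffix,
# e.g. "mail-x9k2q." or "smtp7fh3z." (the "gnarly" subdomains from the talk).
GNARLY_MAIL = re.compile(r"^(?:mail|smtp|mx)[-_]?[a-z0-9]{4,}\.", re.IGNORECASE)


def registrable_domain(fqdn: str) -> str:
    """Return the last two labels. Good enough for the sample data; a real
    deployment would use the Public Suffix List for multi-label TLDs."""
    return ".".join(fqdn.rstrip(".").split(".")[-2:])


def pivot_ip(records, ip: str) -> list:
    """The reverse pivot regular DNS cannot do: IP -> every FQDN whose A
    record pointed at it, according to the passive-DNS history."""
    return sorted({r.fqdn for r in records if r.rrtype == "A" and r.rdata == ip})


def is_young(domain: str, created: dict, now=NOW, max_age_hours: int = 48) -> bool:
    """True when the registrable domain was created under max_age_hours ago.
    Unknown creation dates are treated as not young (no evidence)."""
    when = created.get(domain)
    return when is not None and now - when < timedelta(hours=max_age_hours)


def prioritize(records, created, ip: str, now=NOW) -> list:
    """Score every FQDN tied to the IP. Higher score = look at it first.
    Returns (fqdn, score, reasons) tuples, best first."""
    ranked = []
    for fqdn in pivot_ip(records, ip):
        score, reasons = 0, []
        if is_young(registrable_domain(fqdn), created, now):
            score += 2
            reasons.append("young-domain")          # registered < 48h ago
        if GNARLY_MAIL.match(fqdn):
            score += 1
            reasons.append("gnarly-mail-label")     # suspicious subdomain pattern
        first = min(r.first_seen for r in records if r.fqdn == fqdn)
        if now - first < timedelta(hours=48):
            score += 1
            reasons.append("newly-observed")        # NOD: first seen < 48h ago
        ranked.append((fqdn, score, reasons))
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    # Start from the exfiltration target's IP and branch out, as in the talk.
    for fqdn, score, reasons in prioritize(PDNS, CREATED, "198.51.100.7"):
        print(f"{score}  {fqdn:40s} {', '.join(reasons) or 'no flags'}")
```

The same scoring can be fed from a SIEM export instead of the inline lists; only the record shape has to match.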