
Domains of Grays - Eric Rand

BSides Las Vegas · 38:29 · 193 views · Published 2016-08
About this talk
Domains of Grays - Eric Rand Breaking Ground BSidesLV 2016 - Tuscany Hotel - Aug 03, 2016
Transcript (en)

Good morning, everyone. Happy to see that at least some of you are here. So, yeah, "Domains of Grays" is just a really bad pun; you don't want to know why. So who am I? I am the completely insane person who came up with this basic concept. Nick here is the guy who actually made it usable; couldn't have done it without him. Nick is in the program, but he didn't submit his bio until, like, two weeks after the programs were printed or something. So, hey, you want to introduce yourself at all? No? You're good. All right. So the basic concept here that we're working with is your standard phishing attack. I'm sure if any one of you

opens up your email right now, you'll see something trying this. This is very common: you have your basic idea where someone tries to phish you. They include a link, "Hey, you need to reset your account information," or whatever other pretext, in order to get you to go to their website and fill in the information that they want to steal from you. This is incredibly, incredibly, incredibly common, and really it's been endemic for years and years and years now. I'm sure that everyone knows, or knows of, someone who's been victimized by this particular kind of attack. This is the bog-standard, vaguely social-engineering, vaguely technical attack, and me, quite frankly, it pisses me off,

just because there's no reason why this should still be working. It's incredibly obvious if you take the time to look, but unfortunately most users don't take the time to look. The problem here is that training is really ineffective most of the time. I'm sure that any one of you who have worked in military or corporate IT are very deeply familiar with the information security training that tells you to evaluate emails and not just blindly fill things out, but unfortunately, well, it just doesn't happen that way. No, this is your slide. You already... keep it, done? No? You don't get it? Fine, fine, he's shy. So small and medium businesses are really heavily affected by this. The

large enterprises, large corps, they tend to have some resources to at least mitigate this, or people to clean up after it happens to them. Small and medium businesses, they don't really have the budget for continual training, remedial training, remedial remedial training; how many layers deep do you want to go with that? Yeah, it's just horrible. Phishing keeps working, and all you red teamers out there, you know this very well, and it seems like nine tenths of the time when you hear someone who's red teaming talking about what they did to get into a given network, it starts with "so I phished them," and then... It's the gateway. It's your gateway hack, except it's

not really a hack, is it? It's just social engineering obscured slightly by a little network happiness. So ultimately phishing keeps working. Like I said, this pisses me off. So let's take a look at some of the existing ways that we try to counter phishing. Yes, that one's yours.

All right, some of the usual ways we do it: mail header rewrites. We can call out emails as they come in, but, yeah, we actually expect people to notice that and do something about it, and oftentimes they don't. We have spam filters, which partly mitigate it, but sometimes, especially in SMB, if you're actually running your own spam filter, it is not the best of situations; you're still going to get these coming through. We have blacklisting, which is for the most part unaffordable for small businesses. It's not the easiest thing to get running; it takes a while. Yeah, and if you don't already know what's coming, blacklisting doesn't help.

And then we have whitelisting, which also hurts. It really hurts, because who do you know you're talking to until you know? If you ever want to talk to someone other than your current customers, whitelisting is really not going to do much for you. Yeah, so most businesses want to expand at least a little bit, hopefully. So this is one of the common reactions that we see: people get frustrated. It's inevitable that people really, really hate how often phishing works, and in the time between when you notice, even a good systems administrator, when they notice that phishing is coming in, they end up having to race to block their own people's access to it.

And it's obvious that this is not just a problem for your company; other people are getting hurt by this. And, you know, I'm dedicated blue team here. Yes, I am the sworn enemy of all you red team people, even if I do like you socially. But ultimately there's a very deep level of frustration on the defensive side, because it just keeps happening. It's going to keep happening. It takes way too long to get them taken down. Even if it's only a couple hours before they're taken down, that's too long; people take only a couple seconds to click and start entering information. That's harm. We want to minimize that. So let's analyze

how these phishing campaigns work a little bit. Let's take a good solid look at what kind of system they use, what they depend on to do their work. So we have logistical requirements. Phishing can't happen without some kind of server for the victim to get to. It's usually a website. It may be co-opted infrastructure: my three-years-dead blog, deadblog.blogspot.com or something like that, someone's DC forum or whatever that's been compromised. Or they may well just rent a VPS in Estonia or Latvia or some other place that doesn't have extradition with the U.S., bulletproof hosting in the Netherlands. There's a lot of places you can put this, but you need time and effort to acquire

it, and you need some kind of means of running it, because as much as these guys are on the attack, this kind of basic infrastructure makes them kind of defensive, if you will. It gives us a way to attack them. You can have them taken down by legal means, or you can have the AS blacklisted for routing purposes, all sorts of good things you can do. But ultimately the challenge here is to figure out: they're in there, and they're not in this just for the lulz, usually. They're in this to make money. The credentials they're harvesting get sold or used elsewhere, in some fashion that is profitable to them. So if we can make their expenses go up,

and if we can make their profits go down as a result, this harms their business. So keep that in mind a little bit. Like the Grugq says, attackers have budgets too. That's a real key concept to keep in mind here. So how is it, when you get a phish, that your user ends up actually getting to them? So the phish has to hit your mail server, which spam filtering does help somewhat here, and the user has to go and click on the link. Even though we tell them not to, they still do it. So when the user clicks on the link, what happens here? The browser opens up; it fills in the information

from the link; it fetches DNS, finds the server, goes out there. Hey, wait a second here: it fetches DNS. Your user's workstation has to resolve the attacker's domain. That is something you control. And this is why password managers, for instance, don't get fooled by this, because your typical password manager is something that is relatively simple. It looks at the specific page that you're going to, and it looks at its database and says, okay, I have this credential entry associated with this particular page. So in this particular case it's not going to get fooled. Now, it may look just like your bank's website. It may look exactly pixel-perfect. They may even have not put

in a typo. But if the domain isn't the same, your phishing is not going to work on a password manager. So the problem here, though: I would love to have absolutely everyone run password managers. It's a beautiful thing; it solves so many problems. But unfortunately there's a lot of distrust of them. There's a lot of people who are very, very deeply suspicious, especially of the cloud-based ones, who consider that to be an unacceptable risk to them. Now, personally, I'm of a mind that the risk that they ameliorate, the risk that they solve, is orders of magnitude larger than the risk from any individual password manager getting breached, but that's an argument for another time.

And what's worse, though, is there's a lot of folks out there, banks especially are notorious for this, who do their level best to try and mess with us. They throw in stupid JavaScript to block pasting, or if you paste something they'll just immediately delete it. And if you call them out on this, if you say, "Hey guys, you're blocking password managers," they're like, "Yes, but it's for security reasons." For security reasons, they block the thing that keeps people secure. Okay. So the problem here is I can't go and control them. I can't control my bank deciding "for security reasons we'll just block pasting." Can't do that.

But what we can control is the DNS on our end, and that's something that we'll get into in more depth a little bit later. But the thing to remember is there are things you can control and there are things you can't, and if you really want to be effective you have to focus on those that you can. Now, a little background here. I love blacklists. I really love blacklists. Blacklists are my friend, and if you follow me on the Twitters or something, you'll see me talking about this all the time: how DNS blacklisting is a really great ad-block measure, just because all these ad domains are really reasonably well known, and if you want to get rid of these ads, if

you want to keep them from even showing up, you can redirect your local DNS to sinkhole them. This gets a lot of fun. It breaks a lot of things and, interestingly enough, causes some anti-ad-blocking scripts to get upset. But unfortunately blacklisting is reactive. It's expensive to do, it's expensive computationally in some cases, but it just doesn't work until you know that the threat is there. But an interesting thing about this particular threat: early in the 20th century, back around 2002, 2003, phishing domains and other related scam domains tended to be live for about a week. We've done a lot towards getting those taken down in the past 15 years,

and as such, these days most of these phishing domains only live, as of 2014, for 24 hours. So this gets to the point where we can practically do something. We've narrowed the window that they're allowed to operate in, and now let's narrow it a little bit further. Phishing is very much a short con. They are in it to win it, yes, but they only have a narrow window of opportunity to do so. Everyone is trying to get rid of these guys, and they know it, and they have adapted. They move faster. The whole "move fast and break things" thing works really great for these guys, because that fits their business model. These are not your suave

scammers who infiltrate and schmooze and eventually run off with the whole casino vault. These are the hustlers on the street who are doing, more or less, a gentle mugging. They are only interested in interacting with you for as long as it takes to get your information. They're not invested in this; they just want to grab and dash. So keeping that in mind, keeping in mind the very short window of opportunity that they have to do anything, keeping in mind the pressures that they're under, and keeping in mind that there are aspects of their workflow that you control, here's the core concept: if you can control your DNS, and if you can keep things that are

suspicious from resolving long enough, phishing stops working. If their page gets taken down or abandoned or otherwise left off after that 24 hours, and you've delayed resolution on your network for that 24 hours, phishing no longer works. This is a way to block their window of opportunity. They can't work with that. So, and you're up next here, there are a few prerequisites. You're going to have to actually control your infrastructure. So in your network, if you're allowing DNS to resolve just straight through to the internet, it's probably not the best thing. What we did is we wrote a small program that sits there in between your actual DNS resolver and looks at

the time window when things were requested. Basically you want everything to go through it; it's probably the easiest way. Just egress filtering, too. What's that? Egress filtering. Yeah, 53 needs to be filtered outbound, because you can't let things just hang out going out to the internet by themselves. Funny little anecdote: a particular client I was working with had not yet implemented egress filtering. They found out that their sprinkler controller was requesting DNS from Russia. So that's not usually what you want for a sprinkler controller, unless it's for that really heavy Chernobyl water you need. Right, yeah. Anyway, standard network controls. You want to put the greylister in front of your DNS.

You really want to make sure everything resolves through that. Let's see. This is definitely a proof of concept. Yeah, I would not run it in production yet. But, yeah, we have a proof of concept that runs greylisting with blacklisting support and whitelisting support. Basically what we've done is you point your DNS resolution to it, and if we don't know what it is, we're just going to point it at, I guess, a predefined IP. Yeah, you can configure it. We're defaulting to localhost just because that's the stupidest and laziest way to do it. But if you have, for instance, some kind of internal infrastructure that you would like to use, in cases where you'd like, for instance,

to interface with the help desk or what have you, you could easily point it to a local server on which you have some kind of landing page that will accept whatever and say, "Hey, this has been greylisted, talk to your help desk." Yep. And also, let's keep in mind that, this being a proof of concept, these things do evolve and change over time. It is something that needs extensive baselining in order to work, because, as you found out, Google Authenticator had issues with it, because it flips through a whole bunch of domains during its request process. Baselining it is something that, either you're going to have to just keep

on making requests, or if you want to, you could, for instance, throw a SPAN or a mirror port off of some local network device, or just iptables with a TEE, and throw your DNS traffic over to it for a day or two before you actually put this inline, and that would enable it to baseline your network into its database. Further, you're going to want to populate the whitelist with your local domain, because the nature of this is such that we want to resolve any whitelisted entries immediately, without having to go through the trouble of evaluating whether we've seen it before. So: whitelist, blacklist, greylist. Whitelist your local stuff, any people you know are

good. Blacklist if you really don't want to see something; we'll just reject it. Greylisting, well, that's where we're doing other fun things. Yep. Yeah, basically, if you can monitor your stuff and put it in there first, kind of pre-warm it, then everything will run a little bit better. We do have drawbacks, though. As mentioned earlier, you actually have to run everything through it. If everybody's resolving their own DNS, who knows what's going on; you have to have one centralized point for it. And, yeah, as mentioned, some of the single sign-on stuff sometimes breaks, because they push you through a couple of different domains to get that working. But pre-warming allows that to be mitigated.

Once, fingers crossed, once all the domains are populated into the greylist and they've aged enough to be allowed, it tends to work out really well. And as it happens, we've set a default blackout date of, what was it, 180 hours, I think? Sounds about right. It's seven days, essentially. So if you've hit it within the last seven days, it continues to persist within the greylist. That's the basic notion. So if it is something you keep using, then it will stay live. If you stop using it, if, for instance, you were associating with a given company and that company goes out of business, then after seven days or so after you stop going to that company's

website, it falls out of the greylist. Which is pretty handy, because there have been instances where companies have gone out of business and someone else has grabbed the domain after it expired, used the now-familiar domain that's probably still whitelisted in a lot of places, and proceeded to phish people for all sorts of gain. It's a fun attack. Also, there's the whole greylist part that, you know, we actually are doing. Yes, after 24 hours, I believe, by default is when we actually resolve things. Right, there's the initial grey-out period of 24 hours, where in the first 24 hours it's going to resolve locally, or not resolve at all; it depends on how you

want to set it up. And that 24 hours to seven days window is essentially the active window, and as mentioned, if you keep going there it's going to keep essentially sliding that active window to seven days in the future. Yeah. And then probably the worst thing we've noticed in testing: things like Reddit are just really going to break, because you're just popping up different domains all the time. And most business users are only going to be visiting a handful of domains at a time, though. I mean, for business, yes. If they're surfing Reddit on business networks, well, maybe they deserve a little pain. So, as it happens, we'll expand this a little bit now,

because other things break because of this, some of them usefully. Botnet C&C is one of those hilarious things. I'm sure you're all familiar at this point with all those lovely domain generation algorithms all the fancy botnets use these days, where, in order to keep their C&C, their command and control, agile, they can't keep their C&Cs staying on one domain. Everyone is hammering it, trying to get rid of them through legal means or otherwise, so they dodge around a lot. But that's an opportunity for us, because since they're flipping through domain names at a rate that's entirely too fast for blacklisting, this means that their domains don't persist long enough

for a greylist to allow them. So botnet C&C is going to stop being effective if your network is protected in this fashion. So it gives some interesting second-order side effects. And there's typosquatting; there's another one. I don't know if you all recall, but there's that lovely controversy that came up recently where someone went and typosquatted a bunch of code repo domains and proceeded to... the thing that was controversial was that he went and put a generic script in there that popped an error when you downloaded that script. So typosquatting works because people don't always enter in the correct domain, but

as mentioned earlier with the password managers, the machine's a little bit dumb. The machine just gives what it's supposed to give, and we can take advantage of that. So if you fat-finger GitHub or whatever, then it's not going to be effective. It will resolve locally, you'll notice your script breaks, and happiness ensues. I think the best one is where you can't actually get the CryptoLocker key because it won't resolve. That one's fun. And actually that fits into the next thing. This is a slide that Stulgarian passed me from a presentation, I think it was Trend Micro down in Australia, was giving a couple weeks ago. The lines, the horrible lines, are mine;

that's not their fault. But their analysis of ransomware delivery shows some interesting ways in which you can control whether or not these things succeed. So obviously with the malicious URL, if you can't visit the URL immediately, generally a phishing-type attack, then that's going to stop the lovely downloaders, because, you know, apparently we need JavaScript in email these days, which I think is a terrible mistake and should never have been implemented, but then again I'm a boring person. Those lovely JavaScript downloaders in Outlook and the preview pane and all that kind of other happiness won't resolve, and the attack's not going to work. Likewise, if someone does get full-on ransomware, like you said,

it can't communicate back to the mothership; it's not going to be able to manage the full handshake. Now, there are a few variants these days that use a generic key, but because these ransomware authors are lazy as well, they have shared their generic key for any system that does not resolve the command and control system, which, there's another weakness, there's something for you to exploit. So in a way this is kind of interesting, how many second-order effects we're getting out of this greylisting thing. And there's a lot of other areas that we could work with. This is just a very basic, admittedly simplistic,

concept we're working with, but the generalized approach is: by controlling your infrastructure you can defuse a lot of attacks. You have to consent to being attacked. I mean, if you never hook up your computer to the network, no network-based attack's going to work. But you have to do that; you have to hook up the computer to a network to actually do business. So we get trade-offs. So if you do this kind of control, you're allowing yourself to dictate to the attacker under what conditions they are allowed to engage, and that is a very strong defensive measure, because now the attacker has to put a lot more time and effort into attacking you

than they would otherwise. They can't use the low bars; they can't use the low-hanging fruit. They have to put in extra effort, and that alone dissuades some of them. The others, who are actually dedicated to attacking you, are forced to use more sophisticated methods. They'll have to figure out some way to get around the greylisting on your end. There are a couple of obvious things, some of which we are addressing. Naked IPs, for instance: you're going to have to make sure you've got Squid or something filtering those out. There's a fun little regular-expression horror thing that allows you to do that. But dictating the pace of the attack means that you have more time to respond

to the attack; you can take more measures. And something which I didn't include on the slides but is definitely in there: logging. We have the provision to write logs that tell you what is going on. If you see in your logs a whole bunch of initial greylisted attempts by a whole bunch of computers on your network, you know something's weird. If you see that a whole bunch of computers belonging to the finance department are suddenly hitting a greylisted entry, it is highly likely they're being phished, trying to get your bank account credentials, that kind of thing. Likewise, spearphishing of your executives, that's going to show up in the logs. So we have the logs available, and it

breaks them up as to whether or not it's an allowed greylist, a forbidden greylist, a blacklist, or a whitelist. So you have that visibility into what's going on in your network, which is a lovely tool. I don't know if you've ever tried to analyze DNS logs from Active Directory before, but it's not very easy. It takes a lot of time and effort, and it's really annoying. So, and I guess I've been speaking a little quickly, because we're already to the payoff. Here's a repo, here's a tool for you. It's very definitely proof of concept, and we would like a whole lot of feedback. We want people to try this out on their networks.

We want to see how well this performs in real life, and if you want to give us some contributions to make this work better, please. I'm a terrible coder; he's much better than I am, definitely. I fixed it up as much as I could. So he took my horrible, nasty, awful, frankly awful proof of concept and made it into something vaguely acceptable. Sorry for the handicap. And we would really like to see this go out into the world. It's open source; feel free to take it and use it as you will. Feel free to adapt it to other things. Personally, I would like to see it integrated into something like pfSense or other similar distributions of

that sort, because it would work well within that kind of suite. And if you have any suggestions on how to improve this, how to make it work better, I am all ears. I am more than happy to take your contributions, to take your criticism, to take any suggestions, and see what we can do about making this better. I'm actually just curious what happens when you run it on a full... Yeah, we'd like to see bigger. Neither of us has a real big network to play with, so seeing how well this scales is going to be an interesting challenge. So there's your basic concept, and if any of you have any questions, I would love

to hear them.

Latency? So that's a killer question right there. That's a little bit, and it's pretty much the resolution of the one machine and then the next one. So if you're doing resolv.conf, which is the default, I think it's, whatever, pretty much your network latency is basically doubled, because it's going to go out and try and grab the next response. So it's more on the order of milliseconds than minutes. Yeah, well, I mean, if it's greylisted it's going to be more on the... Well, yes, if it's greylisted, it's going to be a day. But okay. So for some networks, blocking DNS outbound might break a lot of stuff,

so what about the idea of using dnsmasq or some kind of transparent DNS proxy to filter all the requests through the greylist? That is... So this is essentially a DNS proxy in and of itself. It's a very simplistic one, and it's really more of a filter than anything else. But, yeah, we're not looking to block all DNS outbound. I couldn't find a way to do it in dnsmasq, and dnsmasq didn't let us do it, so yeah, here's how we're doing it. I have kind of a similar question. Do you integrate with or leverage response policy zones in BIND, and if so, why not? Did you see

a weakness in it or a problem with it? If we don't have it in our lists, then we're just going to resolve it to BIND, pretty much, for the first part of that. But you can talk about the weaknesses and stuff. When you talk about volume and performance and scaling, RPZ, we've seen, is a really good crutch to rely on. We see networks that resolve, you know, millions of domains at a shot, and when you implement RPZ you might take like a ten percent

a small look at that. I kind of got rid of it afterwards because it looked like it was just a blacklisting thing. No, yeah, it didn't look like it fit the problem when I was doing the research, so I could be wrong. This could be something that a clever BIND configuration could well solve, but hey, let's try it out anyway. Any other questions? No? Well, I want to thank you all for being here. I thank you for hearing me blab away for a little shorter than I was scheduled, I guess.

That was not a condemnation of Estonia. I was just looking through Eastern European countries in my head, and that was one of the ones that came up. My apologies if I offended the Estonian community,

but I'm sure it's a lovely country; I've just never been there. All right, anyway, my thanks to all of you for being here and for listening to me blab on and on, my thanks to all of you who I harassed into coming here and who actually did, and if you want to find me on the Twitter, you can find me at munin. If you want to talk to him, you're probably going to have to find me first, because he doesn't hang out there. Good luck. Good luck. I am on the Peerlyst, so if you want to go to our lovely post-convention discussion sponsor person at Peerlyst,

you'll be able to find me there, and we can continue the conversation there. Or you can always catch me after the talk; I will be wandering around, although if you are not scared by my horrifying socks, then you probably should be. It's great to see you all, and thank you for coming.
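The greylisting policy the talk describes (whitelist resolves immediately, blacklist is refused, anything unknown is sinkholed for its first 24 hours and then allowed for as long as it keeps being looked up within 180 hours), together with the pre-warming step and the log-based "many hosts hitting a fresh greylist entry" check from the logging discussion, written up here as an added Python example. It is not the speakers' proof-of-concept tool; the names DnsGreylister, UPSTREAM and burst_report are my own, and the domains and client addresses in the comments and tests are constructed.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Windows quoted in the talk: 24 hours of local-only resolution for a
# never-seen domain; entries fall out after 180 hours without a lookup.
GREY_PERIOD = timedelta(hours=24)
EXPIRY = timedelta(hours=180)

UPSTREAM = "upstream"  # hypothetical marker: forward the query to the real resolver


@dataclass
class GreyEntry:
    first_seen: datetime
    last_seen: datetime


@dataclass
class LogEvent:
    when: datetime
    client: str
    category: str  # whitelist | blacklist | greylist-forbidden | greylist-allowed
    name: str


@dataclass
class Verdict:
    category: str
    answer: Optional[str]  # UPSTREAM, a sinkhole IP, or None for a refused answer


@dataclass
class DnsGreylister:
    sinkhole_ip: str = "127.0.0.1"  # the talk's "stupidest and laziest" default
    whitelist: set[str] = field(default_factory=set)
    blacklist: set[str] = field(default_factory=set)
    grey: dict[str, GreyEntry] = field(default_factory=dict)
    events: list[LogEvent] = field(default_factory=list)

    @staticmethod
    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    @staticmethod
    def _listed(name: str, names: set[str]) -> bool:
        # A listed parent domain covers its subdomains (e.g. the local domain).
        return any(name == n or name.endswith("." + n) for n in names)

    def prewarm(self, name: str, seen_at: datetime) -> None:
        """Baseline from mirrored DNS traffic (SPAN port, iptables TEE) before
        going inline, so names already in use have aged past the grey period."""
        name = self._norm(name)
        entry = self.grey.get(name)
        if entry is None:
            self.grey[name] = GreyEntry(seen_at, seen_at)
        else:
            entry.first_seen = min(entry.first_seen, seen_at)
            entry.last_seen = max(entry.last_seen, seen_at)

    def resolve(self, name: str, client: str, now: datetime) -> Verdict:
        name = self._norm(name)
        if self._listed(name, self.whitelist):
            return self._decide("whitelist", name, client, now, UPSTREAM)
        if self._listed(name, self.blacklist):
            return self._decide("blacklist", name, client, now, None)
        entry = self.grey.get(name)
        if entry is None or now - entry.last_seen > EXPIRY:
            # Never seen, or unused for longer than the expiry: the clock restarts.
            self.grey[name] = GreyEntry(now, now)
            return self._decide("greylist-forbidden", name, client, now, self.sinkhole_ip)
        entry.last_seen = now  # every lookup slides the expiry window forward
        if now - entry.first_seen < GREY_PERIOD:
            return self._decide("greylist-forbidden", name, client, now, self.sinkhole_ip)
        return self._decide("greylist-allowed", name, client, now, UPSTREAM)

    def _decide(self, category, name, client, now, answer) -> Verdict:
        self.events.append(LogEvent(now, client, category, name))
        return Verdict(category, answer)

    def burst_report(self, now: datetime, window: timedelta, min_clients: int) -> dict[str, int]:
        """Detection idea from the talk: many distinct hosts hitting a freshly
        greylisted name inside a short window looks like a phishing wave."""
        hits: dict[str, set[str]] = defaultdict(set)
        for ev in self.events:
            if ev.category == "greylist-forbidden" and timedelta(0) <= now - ev.when <= window:
                hits[ev.name].add(ev.client)
        return {n: len(c) for n, c in hits.items() if len(c) >= min_clients}
```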