RBN RELOADED - AMPLIFYING SIGNALS FROM THE UNDERGROUND presented at blackhat 2017

by Dhia Mahjoub, David Rodriguez, Jason Passwaters,

Summary : Threat intelligence gains immensely in clarity and precision when signals intelligence (SIGINT) and on-the-ground human intelligence (HUMINT) work closely in tandem. This fusion offers the best opportunity to build real visibility into an adversary's TTPs, intent, sophistication and composition. As a result, a deeper understanding of the adversary not only leads to better decision making to mitigate the threat, but also helps to proactively exploit pain points and have a longer lasting impact.
In this talk, we will illustrate how we use the network- (SIGINT) and actor-centric (HUMINT) approaches, in much the same way SIGINT and HUMINT have contributed in the fight against terrorism, organized crime and the drug trade, to proactively expose key information about sophisticated bulletproof hosting (BPH) operations that have been enabling long-lasting and lucrative cybercrime campaigns.
We will be showcasing the results of combining both approaches by highlighting details of our research into a top tier Russian BPH service that has been supporting the full spectrum (banking trojans, phishing, ransomware, etc) of cyber criminals since at least 2010. The talk will highlight key findings such as networks/ASNs, the service's history across the underground marketplace, and relationships with other bulletproof hosters.
We will also describe a new large scale integrated methodology that combines both the network- and actor-centric approaches to track, expose and disrupt crimeware. This system is built to offer the capabilities of a search and recommender engine. The network-centric component is powered by worldwide DNS and network data that is ingested, processed and indexed at Internet scale. The actor-centric component is facilitated by exclusive access to closed underground forums, marketplaces and threat actors/groups.
Given initial intelligence from the actor or network perspective, we show how we use the search and recommender system to amplify seed signals and cast a much wider net on a richer set of crimeware assets: malware C2s, dump shops, criminal forums and jabber servers, rogue VPN and proxy services, stolen accounts shops, etc.
This talk will be beneficial to a wide audience including threat intelligence analysts, security researchers, big data engineers, investigators, and decision makers.