Copyright 2009 Trend Micro Inc. Talos: Building World-Wide Domain Reputation Ray Liao ([email protected]) Jerry J Wu ([email protected]) Trend Micro Inc. 06/21/2022 External
Feb 23, 2016
04/22/2023
Talos . External
Types of Analysis
[Figure: TALOS]
Goal
• Comprehensive domain reputation
  – High risk domains
  – Legitimate domains
  – Not compromised sites
• Rate by intention
How?
• Domain Snapshot
• Domain History
• Analysis
  – Identify classes of event worthy of investigation.
  – Identify domains associated with suspicious events.
Sourcing
• How to get a whole picture, domain-wise?
  – No single type of sourcing is perfect (legal constraints, anonymous services, etc.)
  – Combine various types of data sources
  – Observational data
Building the network structure
• Organize domains by
  – Structural relationship
  – Custom definitions
  – Indexing for fast lookup
System Architecture
Static Analysis
• Analysis based on a single snapshot of world-wide domains
  – Analysis by keyword
  – Analysis by structure (relationship)
Keyword analysis
• Phishing attack
  – Masquerading as another trustworthy entity
  – Similarity to the object of the masquerade
    • Content
    • Domain name
• Template-generated disposable domains
Static Analysis – Example (1)
Analysis by relationship
• Form follows function
• Reuse of the existing network structure
  – Businesses reuse infrastructure
  – So do the bad guys
  – Most attacks do not come alone
• Observation
  – Good guys: like repels like
  – Bad guys: like attracts like
Static Analysis – Example (2)
Static Analysis – Example (3)
Static Analysis – Example (4)
Dynamic Analysis
• Analysis across multiple snapshots
  – More complex than static analysis
  – Type of change (from X to Y)
  – What is being changed (value)
  – Rate of change
  – More
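The snapshot-diffing that the dynamic analysis bullets describe, as an added example that is not Talos code. It walks a constructed series of daily domain snapshots (the dates, domains, IPs and nameservers are all made up), records each change as type (which attribute), value (from X to Y) and time, computes a per-domain rate of change, and rates domains from that history. The churn threshold and the "appeared on infrastructure already used by a flagged domain" rule are assumptions chosen for the illustration.

```python
"""Dynamic analysis across snapshots: added example with constructed data."""
from collections import defaultdict
from datetime import date

# Constructed daily snapshots: date -> domain -> observed attributes. Not real DNS data.
SNAPSHOTS = {
    date(2009, 4, 20): {
        "stable.example": {"ip": "198.51.100.10", "ns": "ns1.stable.example"},
        "moved.example":  {"ip": "198.51.100.20", "ns": "ns1.oldhost.example"},
        "flux.example":   {"ip": "203.0.113.5",   "ns": "ns1.flux.example"},
    },
    date(2009, 4, 21): {
        "stable.example": {"ip": "198.51.100.10", "ns": "ns1.stable.example"},
        "moved.example":  {"ip": "198.51.100.20", "ns": "ns1.oldhost.example"},
        "flux.example":   {"ip": "203.0.113.77",  "ns": "ns1.flux.example"},
    },
    date(2009, 4, 22): {
        "stable.example": {"ip": "198.51.100.10", "ns": "ns1.stable.example"},
        "moved.example":  {"ip": "192.0.2.30",    "ns": "ns1.newhost.example"},
        "flux.example":   {"ip": "203.0.113.140", "ns": "ns1.flux.example"},
    },
    date(2009, 4, 23): {
        "stable.example": {"ip": "198.51.100.10", "ns": "ns1.stable.example"},
        "moved.example":  {"ip": "192.0.2.30",    "ns": "ns1.newhost.example"},
        "flux.example":   {"ip": "203.0.113.9",   "ns": "ns1.flux.example"},
        "fresh.example":  {"ip": "203.0.113.9",   "ns": "ns1.flux.example"},
    },
}


def change_events(snapshots):
    """Diff consecutive snapshots. Each event carries the type of change (attribute,
    or appeared/disappeared), the value (from X to Y) and the day it was observed."""
    events = []
    days = sorted(snapshots)
    for prev_day, day in zip(days, days[1:]):
        prev, cur = snapshots[prev_day], snapshots[day]
        for domain in sorted(set(prev) | set(cur)):
            if domain not in prev:
                events.append((day, domain, "appeared", None, cur[domain]["ip"]))
                continue
            if domain not in cur:
                events.append((day, domain, "disappeared", prev[domain]["ip"], None))
                continue
            for attr in ("ip", "ns"):
                if prev[domain][attr] != cur[domain][attr]:
                    events.append((day, domain, attr, prev[domain][attr], cur[domain][attr]))
    return events


def change_rate(events, snapshots, attr="ip"):
    """Changes of one attribute per day of observation, per domain: the rate-of-change signal."""
    days = sorted(snapshots)
    span = (days[-1] - days[0]).days or 1
    counts = defaultdict(int)
    for _, domain, kind, _, _ in events:
        if kind == attr:
            counts[domain] += 1
    return {d: n / span for d, n in counts.items()}


def flag_domains(snapshots, max_ip_rate=0.5):
    """Rate domains from history. One IP/NS move is ordinary hosting churn; an IP that
    changes almost every day is the event class worth investigation (threshold assumed).
    A domain that appears on the exact ip+ns pair of a flagged domain is flagged with it."""
    events = change_events(snapshots)
    rates = change_rate(events, snapshots)
    flagged = {d: "high IP churn (%.2f changes/day)" % r
               for d, r in rates.items() if r > max_ip_rate}
    latest = snapshots[max(snapshots)]
    infra = {(v["ip"], v["ns"]): d for d, v in latest.items() if d in flagged}
    for domain, v in latest.items():
        key = (v["ip"], v["ns"])
        if domain not in flagged and key in infra:
            flagged[domain] = "shares ip+ns with flagged %s" % infra[key]
    return flagged


if __name__ == "__main__":
    for day, domain, kind, old, new in change_events(SNAPSHOTS):
        print(day, domain, kind, old, "->", new)
    for domain, reason in sorted(flag_domains(SNAPSHOTS).items()):
        print(domain, ":", reason)
```

Note that moved.example changes both IP and nameserver once and is left alone, while flux.example is flagged only because of the rate, not any single value; the threshold has to be tuned against the churn of legitimate hosting in the real data.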
Dynamic Analysis – Example (4)
LCS      Domains               Rating      Registrant   Date
[item]   ideaitem.info.        Malicious   George       4/24
[item]   itemgroup.info.       Malicious   George       4/24
[item]   itemhosting.info.     Malicious   George       4/24
[item]   itemmusic.info.       Malicious   George       4/24
[item]   propertyitem.info.    No Rating   George       4/24
[item]   youitem.info.         No Rating   George       4/24

[item]   ideaitem.info.        Malicious   George       4/24
[item]   imageitem.info.       Malicious   George       4/24
[item]   itemgroup.info.       Malicious   George       4/24
[item]   itemhosting.info.     Malicious   George       4/24
[item]   itemsoft.info.        Malicious   George       4/24
[item]   propertyitem.info.    No Rating   George       4/24
[item]   youitem.info.         No Rating   George       4/24

[yahoo]  coolyahoo.info.       Malicious   Dorothy      4/24
[yahoo]  dotyahoo.info.        Malicious   Dorothy      4/24
[yahoo]  lifeyahoo.info.       Malicious   Dorothy      4/24
[yahoo]  www.yahooauto.info.   Malicious   Dorothy      4/24
[yahoo]  yahooblue.info.       Malicious   Dorothy      4/24
qebinehuh.com
Some Statistics about Talos
• 9 billion domain-related records as input per day
• 4 TB of domain information over the past three months, covering 1 billion domains that are frequently accessed
• 1 million domains identified as white-listed domains
  – Refreshed daily
Questions?
Thank You