
Uri Sternfeld
While hackers can use many methods to infiltrate a network, every malicious operation contains some essential components, such as establishing command and control communication between the attacker and the compromised network.
Adversaries are increasingly turning to domain generation algorithms (DGAs) to remotely communicate with the sophisticated, malicious tools they created. Hard-coded domain lists and IP addresses, once popular with attackers, aren’t as appealing since both are useless once discovered and blocking them is easy.
DGAs, on the other hand, are a near perfect communication method. They’re easy to implement, difficult to block, almost impossible to predict in advance, and can be quickly modified if the previously used algorithm becomes known.
Current security solutions really aren’t capable of handling DGAs given the massive number of domains they generate. Gameover Zeus, for example, generated 1,000 domains every day, or 365,000 in one year. Attempting to block these domains would strain firewalls, network-filtering products and other security tools.
Law enforcement and government agencies have attempted to shut down these domains by going after their registrars, as seen in Operation Tovar. But even these efforts weren’t completely successful. In the case of Operation Tovar, the FBI was unable to take over domains registered under the Russian TLD. Additionally, accessing the TLD name servers meant spending huge amounts of time and money to obtain a search warrant.
Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach is to look for the techniques DGAs have in common. Detecting a DGA by itself incriminates a process as malicious, since no legitimate process will ever use such a technique. This is part of Cybereason’s aikido approach to security: a method that uses the opponents’ strength against them. The more adversaries try to hide their activities, the more suspicious they appear. Eventually, they run out of places to hide and techniques to avoid detection, allowing the defender to discover the attack.
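As an added example (not code from the Cybereason post or product), the following Python script applies two assumed DGA tells to constructed DNS records, a high share of failed (NXDOMAIN) lookups and long, high-entropy domain labels, and flags the querying process rather than individual domains, in line with the approach above. The record format, process names, domains and thresholds are all made up for illustration.

```python
import math
from collections import defaultdict

# Constructed DNS resolution records for this example: (process, domain, rcode).
# Every process name and domain here is made up; none is a real indicator.
SAMPLE_DNS_LOG = [
    ("svchost.exe", "update.microsoft.com", "NOERROR"),
    ("chrome.exe", "www.wikipedia.org", "NOERROR"),
    ("chrome.exe", "fonts.googleapis.com", "NOERROR"),
    ("chrome.exe", "typo-in-url.example", "NXDOMAIN"),
    ("beacon.exe", "kqzxfwpnrltyhdsa.com", "NXDOMAIN"),
    ("beacon.exe", "mvgtbjxwqcpzdlnk.net", "NXDOMAIN"),
    ("beacon.exe", "hrdpxqvtzkwbcmfy.org", "NXDOMAIN"),
    ("beacon.exe", "tlwqpxzcbnkdvgrh.com", "NOERROR"),  # the one that resolved
]

def shannon_entropy(text):
    """Bits per character of a label; labels with no repeated letters score highest."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(domain):
    """Label directly under the TLD, e.g. 'microsoft' for update.microsoft.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(domain, min_len=10, min_entropy=3.5):
    """Assumed tell: a long, high-entropy label resembles algorithmic output."""
    label = second_level_label(domain)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_dga_processes(log, min_lookups=3, ratio=0.5):
    """Return {process: stats} for processes whose lookup pattern looks DGA-driven."""
    stats = defaultdict(lambda: {"lookups": 0, "nxdomain": 0, "generated": 0})
    for process, domain, rcode in log:
        s = stats[process]
        s["lookups"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["generated"] += int(looks_generated(domain))
    # Both tells must hold for at least `ratio` of a process's lookups.
    return {
        p: s for p, s in stats.items()
        if s["lookups"] >= min_lookups
        and s["nxdomain"] / s["lookups"] >= ratio
        and s["generated"] / s["lookups"] >= ratio
    }
```

Calling `flag_dga_processes(SAMPLE_DNS_LOG)` returns only `beacon.exe`, with three of its four lookups failing and all four labels scoring as generated, while the browser's single typo lookup is not enough to flag it.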
Out of the dozens of DGA variants Cybereason detected in our customers’ environments, Cybereason Labs dissected eight of the more interesting examples.
Uri Sternfeld is the research team leader at Cybereason.
He has over 15 years of experience in software design, programming and technology research, and is experienced in cyber-security, computer networks, client-server architecture, web-crawling, data-mining, automation and reverse-engineering.