On Thursday OpenDNS announced two new data science models that detect clues to an attack and then find the attacker’s entire infrastructure. The first model, Spike Rank (SPRank), detects spikes in network traffic using mathematical concepts often found in sound wave analysis, the same methods music services such as Shazam and Pandora use to analyze song patterns. The spikes SPRank finds, which indicate an attack or the use of an exploit kit, then serve as fingerprints or clues for further detective work, often starting with a single IP address or domain currently exhibiting suspicious behavior.
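To make the spike-ranking idea concrete, here is an added example that is not OpenDNS's SPRank code: it scores each domain's hourly query counts by how far the busiest hour sits above a robust baseline (median and median absolute deviation) and ranks domains by that score. The domain names, the query counts and the scoring rule are all constructed for illustration; the article does not describe SPRank's actual mathematics.

```python
"""Spike ranking over per-domain DNS query volumes.

Added illustration (not OpenDNS's SPRank code): each domain's hourly query
counts are scored by how far the busiest hour sits above a robust baseline
(median and median absolute deviation), then domains are ranked by that score.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed hourly query counts (24 buckets per domain). Domain names are
# placeholders, not real observed infrastructure.
QUERY_COUNTS: Dict[str, List[int]] = {
    # steady traffic: a normal, established service
    "cdn.legit-example.net": [400, 410, 390, 420, 405, 395, 415, 400, 410, 390, 420, 405,
                              395, 415, 400, 410, 390, 420, 405, 395, 415, 400, 410, 440],
    # dormant, then a sudden burst: the shape a throwaway attack domain often has
    "ad7x.suspicious-example.org": [0, 0, 1, 0, 0, 2, 0, 1, 0, 0, 0, 0,
                                    0, 0, 380, 510, 470, 1, 0, 0, 0, 0, 0, 0],
    # an established domain with a short legitimate surge (breaking news)
    "news.bursty-example.com": [120, 130, 125, 118, 140, 900, 850, 600, 200, 150, 140, 130,
                                125, 120, 130, 128, 122, 135, 140, 130, 125, 120, 128, 132],
}


def spike_score(series: List[int]) -> Tuple[float, int, float]:
    """Return (score, peak_index, baseline) for one query-count series.

    score = (peak - median) / max(MAD, 1.0). The floor of one query per bucket
    keeps a completely dormant domain (MAD == 0) from dividing by zero while
    still scoring its first burst very highly.
    """
    baseline = median(series)
    mad = median(abs(x - baseline) for x in series)
    scale = max(mad, 1.0)
    peak_index = max(range(len(series)), key=lambda i: series[i])
    score = (series[peak_index] - baseline) / scale
    return score, peak_index, baseline


def rank_spikes(counts: Dict[str, List[int]],
                threshold: float) -> List[Tuple[str, float, int, float]]:
    """Rank domains whose spike score meets the threshold, highest first."""
    ranked = []
    for domain, series in counts.items():
        score, peak_index, baseline = spike_score(series)
        if score >= threshold:
            ranked.append((domain, score, peak_index, baseline))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for domain, score, hour, baseline in rank_spikes(QUERY_COUNTS, threshold=10.0):
        print(f"{domain:32s} score={score:8.1f} peak_hour={hour:2d} baseline={baseline:.0f}")
```

With a threshold of 10 the dormant domain ranks first by a wide margin, but the news domain's legitimate surge is flagged too. That is the point the article makes: a volume spike is a clue that starts an investigation, not a verdict, which is why a second model is needed to confirm and expand on it. The baseline returned alongside the score (0 for the dormant domain, 130 for the news site) is the kind of extra signal an analyst would look at next.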
Finding one bad IP address or domain is a start, but attacks rarely if ever employ only one domain or IP address. And the ultimate goal for OpenDNS and its security team is to find and stop attacks before they do damage. To do so, you have to find a hacker’s entire infrastructure — all the IP addresses and domains a hacker could and probably will eventually use in an attack campaign. OpenDNS Security Labs researchers have also developed a way to do this, even if those domains and IP addresses haven’t been used yet.
Predictive IP Space Monitoring, the second data model announced Thursday, specializes in rooting out all the related IP addresses at a hacker’s disposal using fingerprints and clues from SPRank. OpenDNS Security Labs Technical Leader Dhia Mahjoub and Security Researcher Thomas Mathew presented both models at BruCon and Hack.lu. For more information on how they work, see the OpenDNS announcement here.
To understand better why these models are effective, it’s worth first understanding how hackers go about setting up an attack.
The Hacker Economy: How Hackers Shop ISPs
For hackers, the criteria for hosting companies and ISPs are strikingly similar to what any cloud company would use, with some distinct differences. One of the first priorities in setting up a new exploit kit is to get some IP space for the operation. Often it’s more beneficial for hackers to look outside the US, as hosts in Russia, the Czech Republic, Belize, Switzerland and other European and South American countries have laws that may be useful in keeping the hacker’s identity and operations private from law enforcement.
To rank the viability of an ISP or hosting service, it’s important first to answer questions like: How easy is it to set up? Are the product features diverse? Does the host guarantee uptime? And, perhaps most importantly, how responsive to law enforcement and user complaints are they? Will this host drop an IP address or domain immediately, or warn a customer (hacker) beforehand about complaints of abuse? With a good candidate chosen, it’s time to get some IP space.
Hackers buy in bulk. Domains and IP addresses are mostly inexpensive and easy to set up, which is very handy because exploit kit owners tend to operate under the assumption that any IP address or domain from which they are serving an attack can be taken down or blocked at any moment. Discovering patterns in these setup methods led OpenDNS researchers to create methods of fingerprinting bad places on the Internet. The fingerprints are based on a number of characteristics, including the IP addresses themselves, the companies that host them, the ASNs involved, registration info, information about the specific versions of services such as SSH and web servers running on the IPs, the operating systems used, and a number of others. Combining all this information leads security researchers like Dhia Mahjoub at OpenDNS not only to the IPs and domains used in an attack, but to all the others that are owned by the same hackers, hosted on the same infrastructure, and have not been used yet. Hence the word predictive.
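The following added example, which is not OpenDNS's Predictive IP Space Monitoring code, shows the pivot the paragraph describes: starting from one host already flagged (for instance by a traffic spike), it finds other hosts in an inventory that share enough of the fingerprint attributes listed above (ASN, hosting company, SSH and web-server banners, operating system, registration info), including hosts that have not served anything yet. The host records, the field set and the four-of-six matching rule are constructed assumptions; the IPs and ASNs come from the documentation ranges.

```python
"""Pivoting from one flagged host to related infrastructure by fingerprint.

Added illustration, not OpenDNS's Predictive IP Space Monitoring code: each
host record carries the kinds of attributes the article lists, and hosts that
share enough of them with a seed host are reported as related infrastructure.
"""
from typing import Dict, List, Tuple

# Attributes compared between hosts (assumed field set for this example).
FINGERPRINT_FIELDS = ("asn", "org", "ssh_banner", "http_banner", "os", "registrant")

# Constructed host inventory. IPs are from the RFC 5737 documentation ranges and
# ASNs from the documentation range AS64496-AS64511; nothing here is real.
HOSTS: List[Dict[str, str]] = [
    # seed: the host an earlier spike pointed at
    {"ip": "192.0.2.10", "asn": "AS64496", "org": "Example Hosting Ltd",
     "ssh_banner": "SSH-2.0-OpenSSH_5.3", "http_banner": "nginx/1.4.6",
     "os": "Linux 2.6", "registrant": "registrant-a"},
    # identical build, same registrant: bought in the same batch, not yet used
    {"ip": "192.0.2.11", "asn": "AS64496", "org": "Example Hosting Ltd",
     "ssh_banner": "SSH-2.0-OpenSSH_5.3", "http_banner": "nginx/1.4.6",
     "os": "Linux 2.6", "registrant": "registrant-a"},
    # same build, registered under a different name
    {"ip": "192.0.2.12", "asn": "AS64496", "org": "Example Hosting Ltd",
     "ssh_banner": "SSH-2.0-OpenSSH_5.3", "http_banner": "nginx/1.4.6",
     "os": "Linux 2.6", "registrant": "registrant-b"},
    # same operator's build and registrant, but at a second hosting company
    {"ip": "203.0.113.7", "asn": "AS64500", "org": "Other Provider Inc",
     "ssh_banner": "SSH-2.0-OpenSSH_5.3", "http_banner": "nginx/1.4.6",
     "os": "Linux 2.6", "registrant": "registrant-a"},
    # an unrelated customer of the same hosting company
    {"ip": "198.51.100.5", "asn": "AS64496", "org": "Example Hosting Ltd",
     "ssh_banner": "SSH-2.0-OpenSSH_6.6", "http_banner": "Apache/2.4.7",
     "os": "Linux 2.6", "registrant": "registrant-c"},
    # nothing in common
    {"ip": "198.51.100.9", "asn": "AS64510", "org": "Third Cloud LLC",
     "ssh_banner": "SSH-2.0-OpenSSH_7.2", "http_banner": "Apache/2.4.18",
     "os": "Linux 4.x", "registrant": "registrant-d"},
]


def related_hosts(seed_ip: str, hosts: List[Dict[str, str]],
                  min_matches: int = 4) -> List[Tuple[str, int, List[str]]]:
    """Return (ip, match_count, shared_fields) for hosts sharing at least
    min_matches fingerprint fields with the seed, most similar first."""
    seed = next(h for h in hosts if h["ip"] == seed_ip)
    results = []
    for host in hosts:
        if host["ip"] == seed_ip:
            continue
        shared = [f for f in FINGERPRINT_FIELDS if host.get(f) == seed.get(f)]
        if len(shared) >= min_matches:
            results.append((host["ip"], len(shared), shared))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    for ip, count, shared in related_hosts("192.0.2.10", HOSTS):
        print(f"{ip:14s} {count}/{len(FINGERPRINT_FIELDS)} shared: {', '.join(shared)}")
```

The threshold is the tradeoff the paragraph hints at: with four of six fields required, the two same-batch hosts and the operator's host at a second provider are returned while the unrelated customer of the same hosting company (three shared fields, all of them explained by shared hosting) is not. Lowering it to three pulls that neighbour in as well, so in practice a matching rule needs to weight rare attributes (registrant, an unusual SSH build) more than common ones (ASN, a default web-server banner).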
Culpability in Predictability
Hackers and their methods are also largely repetitive and predictable. When it comes to establishing an online operation, just like many sysadmins, hackers tend to stick to what works and take the shortest route to getting the job done. Given that an attack may be blocked or shut down at any time, they often set up their infrastructure and malicious payloads in advance, so they’re ready to use at any time. It’s this repetitive and predictable behavior, together with OpenDNS’s unique view of the Internet, that makes the Predictive IP Space Monitoring model so effective.