Wednesday, October 7, 2015

Detecting and Preventing the Insider Threat

Today I had the privilege of presenting at the ND Infragard chapter meeting.  The topic of the day was "the insider threat."  Jeremy Strozer of the Software Engineering Institute at Carnegie Mellon University set up the afternoon talking about the insider threat.  I followed with a presentation on detecting and preventing the insider threat from a defender perspective.  The slides can be found on my SlideShare page.  A big thanks to everybody who came out to listen and asked questions!


Friday, September 25, 2015

DerbyCon 2015 Presentation

Today I had the privilege of presenting at DerbyCon 2015 in the stable talk track.  My talk, "Detecting Spear Phishing Attacks Using DNS", was based on a blog post from earlier this year.  The turnout was excellent, the room was packed, and I had a great audience.  If you were there, thank you!

The slides for the talk have been uploaded to SlideShare.  You can find them here: Detecting Spear Phishing Attacks using DNS.

I'll be giving this talk again in November at BSides Winnipeg.

Thursday, June 25, 2015

BSides MSP Presentations

Better late than never, I've got the presentations from BSides MSP uploaded.  These are updated versions of two previous presentations. As always, feel free to reach out with questions or comments.


You Will Be Breached

Is Your Data Literally Walking Out the Door?

Tuesday, May 12, 2015

You Will Be Breached

Today, I had the chance to talk incident response at the North Dakota IT Symposium, where I shared my presentation - You've Been Breached.  Are you Prepared?

Data breaches are inevitable.  The need for effective incident response programs exists in all sizes of organizations.  How well you recover from a breach depends on how prepared you are to respond.

This talk is an updated version of my previous talk - You Will Be Breached.  This presentation covers the basics of building an incident response program, including several slides of resources useful to helping build an incident response program in your organization.

You can download my slides from Slideshare.

I'll also be presenting this talk at BSidesMSP in June.  Come join us for two days of infosec learning and sharing!

Thursday, March 26, 2015

Implementing passive DNS monitoring to prevent phishing attacks

The idea of typosquatting - registering a domain name which mimics that of a valid web site - is not a new concept.  In fact, in the US, laws aimed at preventing typosquatting were introduced as far back as 1999. In the beginning, typosquatting was a way to voice a gripe with the intended target or to generate advertising revenue from mistyped domain names. Criminal organization tactics evolved to use typosquatting as a way to deliver malware to anyone who accidentally happened upon the page.

Recent high profile attacks against Anthem BCBS and Premera Blue Cross highlight the evolution of typosquatting from opportunistic attacks to targeted attacks on specific organizations. While Premera has been tight-lipped about the methods used to breach their network, more is known about the Anthem attack.  Analysis of both attacks by outside sources, however, points to the involvement of typosquatting attacks.

In the case of Anthem BCBS, formerly known as Wellpoint, a typosquatted domain we11point[.]com was registered in April of 2014. The Premera attack, which originally took place in May of 2014, appears to be associated with a typosquatted domain prennera[.]com. In both cases, to the casual observer, the typosquatted domains are nearly indistinguishable from their legitimate counterparts. It is known that we11point[.]com was used in a phishing attack targeted on Anthem employees in order to deliver malware which afforded the attackers a foothold in Anthem's network.  It is suspected that prennera[.]com was used for similar purposes.

In an effort to protect my corporate network against these kinds of attacks, I looked for ways to detect typosquatted domains that might be used in targeted phishing attacks. Fortunately, I did not have to look far. Andrew Horton of Morningstar Security created URLCrazy to automatically generate various permutations of a given domain name using a number of different methods, including character omission, character swapping, and homoglyphs, the kind used in the Anthem attack.

Using URLCrazy is straightforward, with easy to understand options including keyboard layout. Since possible typos depend on the keyboard layout being used, URLCrazy supports several keyboard layouts. Output can be sent to the screen or formatted as a CSV, with the option of saving the output to a file.

[Image: URLCrazy usage]

In addition to generating typosquatting candidates, URLCrazy also checks whether those domains have already been registered. Below are two examples of the output generated for and Note that in the Wellpoint example, URLCrazy actually generated the same homoglyph used in the Anthem attack.

[Image: URLCrazy output]

[Image: URLCrazy homoglyph output]

For my purposes, I wanted to be able to take a list of domains owned by the company and generate possible typos I could use as an early warning system for possible phishing attacks. I took the company domains and fed them to URLCrazy. I then performed a review of each domain that was already registered and classified them as either a valid site or a typosquatter and recorded these designations in a CSV. The typosquatted domains were then fed into our web proxy to prevent access to them in the event they are used in a phishing attack.

I wrote a simple python script which calls URLCrazy and compares the output against my CSV of identified domains. If a new typosquatted domain is registered, it will be detected and an alert will be generated and sent to the security analyst team for review. If the domain is indeed a typosquatted domain and not a legitimate website, the domain is again fed into our web proxy, blocking access. The CSV is then updated to include this new domain, ensuring we don't receive continued alerts.

My script, crazyParser, can be retrieved from my GitHub:
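As an added illustration of the workflow described above (this is not the crazyParser script from the post, nor URLCrazy's own code), the following Python sketch generates a few of the permutation classes URLCrazy produces (character omission, adjacent swap, repetition, and homoglyphs), compares the candidates that are registered against a CSV baseline of already-reviewed domains, and reports anything new so an analyst can review it. The homoglyph table, the sample CSV, and the set of "registered" domains are constructed for the example so it runs offline; in a real deployment the registration check would come from URLCrazy's CSV output or a DNS lookup.

```python
"""Added example: typosquat candidate generation and baseline comparison.

Not the post's crazyParser script. The homoglyph table, sample baseline CSV
and the REGISTERED set below are constructed for illustration only.
"""
import csv
import io

# Constructed homoglyph table: a small hand-picked subset of look-alike
# substitutions, not URLCrazy's full list.
HOMOGLYPHS = {
    "l": ["1", "i"],
    "i": ["1", "l"],
    "o": ["0"],
    "m": ["rn", "nn"],
    "w": ["vv"],
    "d": ["cl"],
}


def split_domain(domain: str):
    """Split 'name.tld' into its registrable label and the rest."""
    name, _, tld = domain.strip().lower().partition(".")
    return name, tld


def generate_candidates(domain: str) -> set:
    """Return typo permutations of the registrable label of `domain`."""
    name, tld = split_domain(domain)
    out = set()
    # character omission: wellpoint -> welpoint
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])
    # adjacent character swap: wellpoint -> wlelpoint
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # character repetition: wellpoint -> welllpoint
    for i in range(len(name)):
        out.add(name[:i] + name[i] + name[i:])
    # homoglyph substitution at a single position: wellpoint -> we1lpoint
    for i, ch in enumerate(name):
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(name[:i] + sub + name[i + 1:])
    # homoglyph substitution at every occurrence: wellpoint -> we11point
    for ch, subs in HOMOGLYPHS.items():
        if ch in name:
            for sub in subs:
                out.add(name.replace(ch, sub))
    out.discard(name)  # never report the legitimate domain itself
    return {f"{c}.{tld}" for c in out if c}


def load_baseline(csv_text: str) -> dict:
    """Parse the reviewed-domain CSV (domain,classification) into a dict."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["domain"].strip().lower(): row["classification"].strip().lower()
            for row in reader}


def find_new_registrations(domain: str, registered: set, baseline: dict) -> list:
    """Candidates that are registered but have not yet been reviewed."""
    return sorted(c for c in generate_candidates(domain)
                  if c in registered and c not in baseline)


def block_list(baseline: dict) -> list:
    """Reviewed domains classified as typosquats, i.e. what feeds the proxy."""
    return sorted(d for d, cls in baseline.items() if cls == "typosquat")


# Constructed sample baseline: domains an analyst has already classified.
BASELINE_CSV = """domain,classification
wellpoint.com,valid
welpoint.com,typosquat
"""

# Constructed stand-in for "is this domain registered?" (URLCrazy or DNS in practice).
REGISTERED = {"wellpoint.com", "welpoint.com", "we11point.com", "wellpoint.net"}


if __name__ == "__main__":
    baseline = load_baseline(BASELINE_CSV)
    for new in find_new_registrations("wellpoint.com", REGISTERED, baseline):
        print(f"ALERT: new registered look-alike domain needs review: {new}")
    print("current proxy block list:", block_list(baseline))
```

Running the script reports we11point.com as a new registration needing review (welpoint.com is already in the baseline, so it is not alerted on again), which is the review-then-block loop the post describes: once the analyst classifies the domain, it is appended to the CSV and, if it is a typosquat, added to the proxy block list.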

This approach can be classified as a passive, reactive approach. If reviews are performed on a frequent and regular basis, it will serve as an effective defense against possible typosquatting attacks. This approach does not provide protection against phishing campaigns against your customers using typosquatted domains, however.

In order to proactively protect your customers, it may be necessary to identify typosquatting candidates and purchase those domains. These domains can then be redirected to the legitimate target domain name. This approach can become costly for smaller organizations with many domain names, and can become a management nightmare. It is generally considered best practice to have domain expiry notifications sent to a group mailbox to prevent domain registrations from lapsing after key personnel leave your organization.

In the event a domain has been registered which appears to be an obvious attempt to capitalize on typos of your legitimate domain name, the Universal Domain-Name Dispute-Resolution Policy may provide some relief. The UDRP allows for domain name holders to petition for the transfer of typosquatted domains to their control under certain circumstances.

Most commercial web proxies provide a categorization for web sites. In many cases, a newly-registered domain name will not yet have been categorized by your proxy vendor. As a final course of action, you can block access to all uncategorized web sites. This may provide a window of protection against domains used in phishing attacks. Blocking access to uncategorized web sites is generally considered a good practice.

As targeted phishing attacks continue to rise as an effective attack vector, this kind of DNS reconnaissance can serve as a reactive early warning system and even be used proactively to defend against attacks.

As always, I hope you found this post useful and your feedback is always welcome!


Wednesday, March 18, 2015

Is your data literally walking out the door?

Yesterday, I had the privilege of presenting at the 2015 ND Cyber Security conference, held at North Dakota State University. This conference brought together more than 200 K-12 and higher education technology specialists as well as others interested in information security from around the region.

I discussed the basics of physical security as seen from an attacker's perspective. I realize this presentation doesn't cover lock picking, but there are plenty of resources out there that talk about lock picking.

The presentation is available on SlideShare: Is Your Data Literally Walking Out the Door

As always, feedback is welcome and appreciated!