Kyle Wilhoit is a Senior Security Researcher at DomainTools; he focuses on research DNS-related exploits, investigate current cyber threats, and exploration of attack origins and threat actors. Kyle joins us to discuss the merit and concept of pivoting off domain information!
Discuss the concept and merit of pivoting off domain information
- Why pivot off domain names/URLs?
- Pivot off registrant information
- Pivot off Nameservers, Google Analytics IDs, Alexa codes, etc.
Case Study #1
- Use www[.]caihongtangddos[.]cn as first pivot point within DomainTools Iris (This was a published DDoS platform from Cisco Talos from Aug 15th)
- Pivot off contact name (梁甲福)
- Pivot off firstname.lastname@example.org
- Show additional DDOS infrastructure
Case Study #2
- This case study is related to the ransomware Teslacrypt.
- First, start ApateDNS on analysis machine
- Execute sample and watch communications to free-stuff-here.netne.net
- Pivot on free-stuff-here.netne.net in DomainTools Iris (off of Contact Name Kyriakos Kyriako)
- Generate CSV file
- Mention blocking or monitoring the other domains that show up proactively, as they are likely related infrastructure.
- Take comli.com and pivot in Virustotal Intelligence looking for additional samples
- Talk about proactively blocking hashes/comli.com, etc.