Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam.

Published byChloe Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam."— Presentation transcript:

1 Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam

2 Cyber Crime Infrastructure “A Disposal Front End With A Static Stable Back End” Compromised and malicious domains hosting exploits Local log file tracing network intrusions / drops Leads to a common static and more stable IP infrastructure RIPE NCC members caught up in the middle of it ?

3 A New Approach “Targeting the Infra not the Incident” How does LE begin to map it ? Can we disrupt it ? Need for collaboration with RIPE community and service providers

4 TEST CASE AIM Attribute a suspect ISP and reseller infrastructure to “Bullet Proof Hosting” activity OBJECTIVES Design an ISP mapping strategy that visualises target infrastructure to enhance attribution and operational strategy

5 Mapping Strategy A 4 Stage Methodology Stage 1 : Collation of intelligence Stage 2 : IPv4 Network WHOIS research Stage 3 : Mapping IPv4 to DNS enrichment Stage 4 : Visualisation

6 Stage 1 - Collation of Intelligence What do we know so far ? Hosting provider and suspects located in one country Operating under alias names Single strand IPv4 intelligence linked to lots of cyber crime

7 Stage 2 – IPv4 Network WHOIS Research Mapping single strand intelligence across the WHOIS Find ISP & Reseller full IPv4 address ranges Dates of IP assignment Identify ASN / upstream providers who announce IP routes

8 Stage 2 Now what do we know ? Additional Hosting / Reseller IPv4 space Consistent hosting providers of reseller space Multiple RIPE NCC members announce target IP traffic Static IP infrastructure, small, consistent /27 IP address ranges RIPE WHOIS reveals more provider alias names and handles Small ARIN infrastructure

9 Stage 3 – Mapping IPv4 space to DNS Enrichment What domain traffic and types of service point to these ranges ? Web, Mail, Name, VPN Servers Number of sites hosted Historic domains Bad Traffic Data Enrichment – Abuse feeds

10 Stage 3 Now what do we know ? Target ISP ranges show legitimate web traffic UK reseller ranges carry known malicious traffic UK hosted GOZ and DGA activity across.eu ccTLD’s –.991ce.34691a9.832.1c.1736.ced.87.4050.xxxxxx.xxxxx.eu GOZ privacy protected domains with a common registrar VPN end point servers and VPN over DNS traffic –ln-037.rd-00004080.id-4934215.v0.tun.vpnoverdns.com Beginning to see the bad from the good….

11 Stage 4 – Visualisation Charting the infrastructure Bulk domain WHOIS lookups Geo locating IP ranges and records Colour coded clusters Layering ownership Pattern matching

12 AIM Attribute a suspect ISP and reseller infrastructure to “Bullet Proof Hosting” activity OBJECTIVES Design an ISP mapping strategy that visualises target infrastructure to enhance attribution and operational strategy

13 BPH Picture Clean Front v Malicious Reseller End Ranges Diversified infra of PVS hosted content and VPN end points Reseller architecture across more than one member / country Small IP blocks / multiple RIPE Database handles An attraction to cheap virtual hosting / IXP ASN commonalities / sponsoring org’s for IP ranges Use of RIPE NCC tools gives LE more routes to best evidence……

14 Can We Disrupt The Abuse ? Need For Collaboration - Mitigation@Scale Mapping infrastructure identifies abuse at greater scale LE migrating into proactive CERT prevention / outreach to Industry IP reseller intelligence mapped and shared to members PDNS entries notified as an ISP abuse issue / feed to Industry Malicious IP ranges become Spamhaus blacklist entries Privacy/Proxy abuse becomes an ICANN compliance submission

15 Questions jonathan.flaherty@nca.x.gsi.gov.uk

Download ppt "Mapping Out Cyber Crime Infrastructure A Law Enforcement Approach Jon Flaherty UK National Cyber Crime Unit 13 th May 2015 RIPE 70 - Amsterdam."

Similar presentations

Module II Footprinting

Module II Footprinting
Who cares about abuse? Rodney Tillotson, JANET-CERT APNIC, August 2001 United Kingdom Education & Research Networking Association.

Who cares about abuse? Rodney Tillotson, JANET-CERT APNIC, August 2001 United Kingdom Education & Research Networking Association.
Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.

Module 13: Implementing ISA Server 2004 Enterprise Edition: Site-to-Site VPN Scenario.
Internet Basics The Internet Is… – a network of networks – a community of people, businesses, schools and organizations – E-mail, web pages, databases,

Internet Basics The Internet Is… – a network of networks – a community of people, businesses, schools and organizations – , web pages, databases,
Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.

Managing IP addresses for your private clouds 2013 ASEAN CAS Summit Bangkok, Thailand 7 February 2013 George Kuo Member Services Manager.
IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.

IPv4 Run Out and Transitioning to IPv6 Marco Hogewoning Trainer, RIPE NCC.
NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.

NetScanTools ® LE Law Enforcement Version of NetScanTools ® from Northwest Performance Software, Inc. netscantools.com.
December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.

December 2013 Internet Number Resource Report. December 2013 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 December.
March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.

March 2014 Internet Number Resource Report. March 2014 Internet Number Resource Report INTERNET NUMBER RESOURCE STATUS REPORT As of 31 March 2014 Prepared.
Handling Internet Network Abuse Reports at APNIC 21 October 2010 LAP-CNSA Workshop, Melbourne George Kuo.

Handling Internet Network Abuse Reports at APNIC 21 October 2010 LAP-CNSA Workshop, Melbourne George Kuo.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Copyright 2012 Trend Micro Inc. Raimund Genes, CTO Innovation In Cloud Security.

Copyright 2012 Trend Micro Inc. Raimund Genes, CTO Innovation In Cloud Security.
Canadian*- US Law Enforcement Internet Governance Cooperative Efforts April 19, 2010 Marc Moreau Royal Canadian Mounted Police Robert Flaim Federal Bureau.

Canadian*- US Law Enforcement Internet Governance Cooperative Efforts April 19, 2010 Marc Moreau Royal Canadian Mounted Police Robert Flaim Federal Bureau.
CSC586 Network Forensics IP Tracing/Domain Name Tracing.

CSC586 Network Forensics IP Tracing/Domain Name Tracing.
1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.

1 Chapter 13: Representing Identity What is identity Different contexts, environments Pseudonymity and anonymity.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.
Internet Operations and the RIRs. Overview ARIN and the Regional Internet Registry (RIR) System IP Number Resources, DNS and Routing IP Address Management.

Internet Operations and the RIRs. Overview ARIN and the Regional Internet Registry (RIR) System IP Number Resources, DNS and Routing IP Address Management.
IP Address Management The RIR System & IP policy

IP Address Management The RIR System & IP policy
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Similar presentations

Ads by Google