The Namecoin and Emercoin blockchains were designed to provide decentralized and takedown-resistant domain names to users with the reported goal of promoting free speech. By leveraging unofficial Top-Level Domains (TLDs) such as .bit and alternate DNS resolution methods such as the OpenNIC project, users can register and configure their own domains on these blockchains at a relatively cheap price.

In recent years, cybercriminals have adopted and abused this infrastructure and implemented it into well-known malware such as Dimnie, Smoke Loader, and Necurs as well as larger, more targeted workflows. The resiliency of blockchain techology prevents researchers and ISPs from taking down or sinkholing these domains. In addition, limited public knowledge of this threat in a larger context and the constraint of alternative DNS resolution mitigates an analyst's ability to map out related domains and IP addresses when malicious activity is identified. 

On the other hand, blockchain-based infrastructure comes with a serious drawback: data added to or removed from these blockchains becomes a permanent record of a threat actor's activity. This talk is intended to leverage this attribute to tackle these issues, providing high and medium-confidence methodologies for mapping out these blockchains through TTP analysis, script-based transaction mapping, and index-based infrastructure correlation. In doing so, analysts will be able to generate additional intelligence surrounding a threat and proactively identify likely malicious domains as they are registered or become active on the blockchain.

Speaker

Kevin Perlow

Kevin Perlow is a reverse engineer and lead technical analyst supporting cyber threat intelligence at a private sector company. His past work includes reverse engineering, threat hunting, and digital forensics services at Booz Allen Hamilton in support of commercial and government clients. Kevin's independent research is focused on correlating and clustering malicious blockchain transactions.

Detailed Presentation:

(Source: Black Hat USA 2018, Las Vegas)

8669820464?profile=original

 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform