CEO of Shreshta
"Threat actors have to rely on DNS, i.e. domain names, for various attacks such as phishing campaigns, ransomware and malware communication with a command and control center (C2). This talk will present the various common and unique methods that attackers use in the context of domain name abuse. I will also present a list of community resources as well as best practices to detect and prevent attacks using DNS.

Our research starts by investigating the fundamental dependence of threat actors on DNS for executing a wide array of cyber-attacks. We examine the various ways in which DNS (domain name abuse) is being exploited, providing insights into understanding the thought processes of the threat actors, whether it's the deceptive tactic of domain generation algorithms (DGAs), fast flux networks, or domain shadowing. We also share some familiar and novel tactics the threat actors use to improve the domain names' reputation before deploying them in phishing campaigns, malware comms, etc. To share a few:

1. Why is there a large volume of domain names pointing at 18.104.22.168 (Google DNS) or 22.214.171.124 (Cloudflare DNS)?
2. Why should organisations closely monitor DNS traffic in their networks and explicitly pay attention to newly registered domain names?
3. Why is monitoring your domain name zone (DNS records) critical?

Understanding these tactics is the first step in a more proactive defense. Our comprehensive journey into DNS abuse would not be complete without addressing solutions. The presentation will introduce a broad spectrum of community resources and best practices to detect, prevent, and mitigate attacks orchestrated via DNS. This presentation aims to empower its attendees with a nuanced understanding of domain name abuse. By the end of this presentation, attendees should walk away with a multifaceted understanding of domain name abuse, from the methods employed by threat actors to the best practices and resources available for prevention and mitigation."
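The two monitoring practices the abstract argues for (watching resolver traffic for newly registered domains, and watching your own zone for records you did not create, which is the trace domain shadowing leaves) can be illustrated with a small defender-side script. The following is an added example written for this page, not code from the talk or from Shreshta. It assumes constructed inputs throughout: a tiny domain-to-registration-date map standing in for a newly-registered-domain feed, a few made-up resolver log lines, and two zone snapshots; the two-label `registrable_domain` helper is a simplification (a real deployment would consult the Public Suffix List).

```python
"""Defender-side DNS monitoring checks (added illustration, not the talk's code).

Check 1: flag resolver-log queries whose registrable domain was registered recently.
Check 2: diff a current zone snapshot against a known-good baseline to surface
         records nobody in the organisation added.
All data below is constructed for the example.
"""
from __future__ import annotations

from datetime import date

# Constructed stand-in for a newly-registered-domain (NRD) feed: domain -> registration date.
REGISTRATION_DATES: dict[str, date] = {
    "example.com": date(1995, 8, 14),
    "login-secure-update.example": date(2024, 5, 30),
    "cdn-assets.example": date(2024, 6, 1),
}

# Constructed resolver log, one query per line: "<timestamp> <client> <qname> <qtype>".
QUERY_LOG = """\
2024-06-02T10:00:01Z 10.0.0.12 www.example.com A
2024-06-02T10:00:05Z 10.0.0.12 login-secure-update.example A
2024-06-02T10:00:09Z 10.0.0.33 mail.example.com MX
2024-06-02T10:00:11Z 10.0.0.45 files.cdn-assets.example A
"""


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its registrable domain.

    Simplification for the example: keep the last two labels. Real code should
    use the Public Suffix List so that names under co.uk, com.au, etc. are handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def flag_newly_registered(log: str, today: date, max_age_days: int = 30) -> list[tuple[str, str, int]]:
    """Return (client, qname, age_in_days) for queries to domains registered within
    max_age_days. Domains absent from the feed are skipped, not flagged."""
    hits: list[tuple[str, str, int]] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        registered = REGISTRATION_DATES.get(registrable_domain(qname))
        if registered is None:
            continue
        age = (today - registered).days
        if age <= max_age_days:
            hits.append((client, qname, age))
    return hits


# Zone snapshots as sets of (owner name, record type, value). Constructed.
BASELINE_ZONE = {
    ("example.com.", "A", "198.51.100.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("mail.example.com.", "MX", "10 mx1.example.com."),
}
# The current snapshot carries one extra A record that is not in the baseline.
CURRENT_ZONE = BASELINE_ZONE | {
    ("secure-login.example.com.", "A", "203.0.113.77"),
}


def diff_zone(baseline: set, current: set) -> tuple[list, list]:
    """Return (added, removed) records relative to the baseline. Any entry in
    'added' that nobody in the organisation created is what a zone monitor alerts on."""
    added = sorted(current - baseline)
    removed = sorted(baseline - current)
    return added, removed


if __name__ == "__main__":
    for client, qname, age in flag_newly_registered(QUERY_LOG, date(2024, 6, 2)):
        print(f"NRD query: {client} -> {qname} (registered {age} day(s) ago)")
    added, removed = diff_zone(BASELINE_ZONE, CURRENT_ZONE)
    for record in added:
        print("zone record added:", record)
    for record in removed:
        print("zone record removed:", record)
```

In practice the registration-date map would be replaced by a commercial or community NRD feed, the log parser by whatever your resolver (BIND, Unbound, a cloud resolver) emits, and the zone snapshots by periodic AXFR or API exports of your authoritative zone; the logic of the two checks does not change.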
Swapneel Patnekar is the CEO of Shreshta, a threat intelligence company. He has more than 15 years' experience in information security. He is an APNIC Community Trainer and has delivered workshops in Myanmar, Papua New Guinea, Bangladesh, Sri Lanka and Nepal. He is also a Forum of Incident Response and Security Teams (FIRST) DNS Abuse SIG member. He has also delivered technical workshops to Law Enforcement on countering cybercrime. He is a prolific speaker and frequently presents at security conferences.