SAN JUAN, Puerto Rico – Dan Hubbard has lately been a regular face at a lot of big data meet-ups. He’s also often been the lone security face at these meet-ups, which are dominated by analytics, search, social media and advertising professionals. That may change soon for the CTO of DNS and security service provider OpenDNS, who announced today at the Kaspersky Security Analyst Summit that security researchers will have free access to a new tool called Umbrella Security Graph.
Umbrella Security Graph is a predictive cloud-based tool that researchers may use to discover details about new attacks, including first-and last-seen instances, attack sources, attack duration times, geographies and more based on data acquired by OpenDNS’ collection of 45 billion DNS queries. A private beta launches March 1, and researchers are invited to use the tool for forensics, threat analysis and more.
Umbrella Security Graph got one of its first real-world runs during the investigation by Kaspersky Labs into the Red October espionage campaign. Kaspersky and OpenDNS had collaborated on research into the Flame malware previously, and joined forces again on Red October. The tool was used to determine attack attributes and locations associated with Red October, as well as identifying domains associated with the campaign.
“When Red October came out, I worked with a bunch of their researchers on what telemetry we had and started connecting the dots on clients, and which were infected and what information we knew about the hosting locations,” Hubbard said.
Umbrella Security Graph helped Kaspersky find a number of infected clients, which unlike previous nation-state espionage campaigns of this ilk, were not hosted on the attackers own servers. The tool found that some of the domains launching Red October attacks were set up on servers hosting PayPal phishing scams, rogue antivirus scareware malware, banking Trojans and other malicious content.
Red October was carried out for up to five years before it was discovered and ultimately reported in January. The campaign targeted Eastern European diplomats, government employees and scientific research organizations, stealing data from infected machines, as well as spreading to other machines. The attackers used three Windows and Office exploits as well as a Java exploit to attack its targets and gather classified information and geopolitical information, Kaspersky said.
Hubbard said the tool was also used to uncover an attack spreading a SSH backdoor on Linux machines, as well as use of domain generation algorithms (DGA) in banking attacks.
“This is definitely the first application of big data to security that’s been exposed or released,” Hubbard said. “In security, you can apply a lot of the same technologies used in social media, search and advertising in different ways. It’s been great for us.”
Once researchers have access to Umbrella Security Graph, they will be able to query the tens of billions of DNS requests collected by OpenDNS across 50 million distributed users. The tool returns attack data that can be used to find additional host names, domains, network IP addresses connected to a particular attack on the domain in question. The system evaluates attack attributes and features and returns a score indicating the likelihood a return is malicious. Hubbard said the Umbrella Security Graph backend is built on a mix of analytics tools including Hadoop, Apache Pig, Apache HBase and Storm.
“We’ve been exposing data on a request basis and have had tremendous response,” Hubbard said, adding that a visualization feature is coming in future releases that will help with analysis of attack data. “The visualization release will blow people away. Security has not done a good job with visualization. It’s hard to do.”