Black Hat 2024: DNS and the Trail of Breadcrumbs Leading Back to Attackers

DNS once again proves why it's such a great vehicle for exposing the activities of attackers and domain name thieves, according to Dr. Renée Burton, VP of Infoblox Threat Intel. She joins Dark Reading's Terry Sweeney at News Desk during Black Hat USA to discuss how Infoblox identified two bad actors and the tactics they used for digital hijacking and other online malfeasance. And while the company's DNS monitoring capabilities are world-class, Burton also credits Infoblox's threat intelligence research division for mining all that DNS data to identify threat actors and the anomalies that betray them.

In one of the cases she recounts for News Desk, Burton talks about how they used DNS data to look at a series of domain name thefts. What initially looked like a series of thefts by unrelated actors turned out to be a single party: Sitting Ducks.

According to Burton, Sitting Ducks is a gang of Russian cyber criminals who found a gap in DNS's administration logic. She explains that organizations have a DNS provider, possibly their web hosting provider; they may also use a separate DNS service. "There's a gap between those these two things and you forget about the domain and the actor just comes in and says, 'I'll take that'," she says. "And they use them for a little while and then they drop them back down again. So they've created this kind of lending library."

Burton discusses another case, Vigorish Viper, an organized crime reference to exorbitant fees that may be due. And the Chinese crime gang behind Vigorish Viper has used its own DNS infrastructure to engage in money laundering and human trafficking. Click on the video to get the full story.

Dr. Renée Burton is the VP of threat intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence. With over 20 years of experience at the NSA before joining Infoblox, she shaped Infoblox threat intel to be the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators.