Threat Hunting, Threat Management, Risk Identification/Classification/Mitigation

Tech Segment: Kyle Wilhoit, DomainTools – Paul’s Security Weekly #528

Kyle Wilhoit is a Senior Security Researcher at DomainTools; he focuses on research DNS-related exploits, investigate current cyber threats, and exploration of attack origins and threat actors. Kyle joins us to discuss the merit and concept of pivoting off domain information!

Discuss the concept and merit of pivoting off domain information

  • Why pivot off domain names/URLs?
  • Pivot off registrant information
  • Pivot off Nameservers, Google Analytics IDs, Alexa codes, etc.

Case Study #1

  • Use www[.]caihongtangddos[.]cn as first pivot point within DomainTools Iris (This was a published DDoS platform from Cisco Talos from Aug 15th)
  • Pivot off contact name (梁甲福)
  • Pivot off [email protected]
  • Show additional DDOS infrastructure

Case Study #2

  • This case study is related to the ransomware Teslacrypt.
  • First, start ApateDNS on analysis machine
  • Execute sample and watch communications to
  • Pivot on in DomainTools Iris (off of Contact Name Kyriakos Kyriako)
  • Generate CSV file
  • Mention blocking or monitoring the other domains that show up proactively, as they are likely related infrastructure.
  • Take and pivot in Virustotal Intelligence looking for additional samples
  • Talk about proactively blocking hashes/, etc.
Full Show Notes Subscribe to YouTube Channel [audio src=""]

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.