
New Model Uses 'Malicious Language Of The Internet' To Find Threats Fast

OpenDNS's new NLPRank tool may identify malicious domains before they are even put to nefarious use.

While many in the security industry are pushing for better methods of assigning attribution for cyberattacks after the damage is done, there is also a growing effort to strengthen early-stage defenses -- to stop attacks before they have a chance to do much harm. OpenDNS has introduced a new tool to fit into that second category. NLPRank is an advanced threat detection model that uses the "malicious language of the Internet," to identify suspicious domains almost as soon as they're registered.

"Only recently have we been able to prove just how valuable [NLPRank] is," says OpenDNS director of security research Andrew Hay. Now, Hay says, the threat model has proven able to sniff out attack campaigns "long before" indicators of compromise or attribution theories are publicly released.

OpenDNS security researcher Jeremiah O'Connor first got the idea for NLPRank in November, after Kaspersky Lab revealed details about the DarkHotel campaign. O'Connor realized that the DarkHotel attackers and the APT1 hacking group -- detailed by Mandiant in 2013 -- follow the same basic patterns when choosing the domain names they use in phishing campaigns.

"The way that attackers 'sell' a spear-phishing attack is by spoofing a domain so that it looks like it comes from a legitimate company,” O’Connor said in an OpenDNS blog post today. "After running detailed analytics on the data from these types of campaigns, I found that these domain names were predictable."

Using DarkHotel and APT1 as test cases, O'Connor found that a handful of common English words show up again and again: the calls-to-action phishers rely on, such as "update," "install," and "download." Alongside them appear tokens lifted from legitimate domain names, such as "java," "gmail," or "adobe." NLPRank begins by cross-referencing newly seen domains against this lexicon of terms, which OpenDNS calls the "malicious language of the Internet."

Then, as the blog explains, NLPRank "uses alignment techniques from computational biology to grade permutations of these domain names, like 'installad0be,' and then judge the likelihood they will be used in spear phishing."

When one of those likely domain names shows up in OpenDNS's view of DNS traffic, NLPRank checks additional signals to see whether the suspicion is well-founded. For example, it compares the suspect domain's WHOIS record against the impersonated company's to see whether the same registrar was used, and it inspects the site's HTML for outbound links heading to suspicious destinations and for other subtle differences from the genuine site.
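To make the three steps above concrete, here is an added example (not OpenDNS's code, and the article does not publish NLPRank's implementation) of the lexicon lookup and the alignment-based grading. It assumes a small brand and call-to-action lexicon, a homoglyph-aware Smith-Waterman scoring scheme (match, near-match, mismatch and gap values) and a similarity threshold, all chosen for the demo; the second-stage WHOIS and HTML checks need network access and are left out.

```python
"""
Added example (not OpenDNS's code): a toy version of the NLPRank pipeline
described above. A lexicon of brand tokens and phishing calls-to-action is
matched against the second-level label of a domain, and Smith-Waterman local
alignment (the computational-biology technique the blog refers to) grades
look-alike permutations such as 'installad0be'. The lexicon, scoring values
and threshold are assumptions chosen for the demo, not OpenDNS's.
"""

# Assumed lexicon; the real one is not published in the article.
BRANDS = ["adobe", "java", "gmail", "paypal", "dropbox", "microsoft"]
CALLS_TO_ACTION = ["update", "install", "download", "login",
                   "verify", "secure", "account"]

# Characters attackers commonly substitute for one another (look-alikes).
HOMOGLYPHS = [set("o0"), set("l1i"), set("e3"), set("s5"),
              set("a4"), set("t7"), set("b8"), set("g9")]
MATCH, NEAR, MISMATCH, GAP = 3, 2, -2, -2   # assumed scoring scheme


def sub_score(a, b):
    """Substitution score: exact match > homoglyph pair > anything else."""
    if a == b:
        return MATCH
    if any(a in g and b in g for g in HOMOGLYPHS):
        return NEAR
    return MISMATCH


def smith_waterman(query, target):
    """Local alignment; returns (best score, the aligned substring of target)."""
    n, m = len(query), len(target)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, best_pos = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            H[i][j] = max(0,
                          H[i - 1][j - 1] + sub_score(query[i - 1], target[j - 1]),
                          H[i - 1][j] + GAP,
                          H[i][j - 1] + GAP)
            if H[i][j] > best:
                best, best_pos = H[i][j], (i, j)
    # Trace back from the best cell to recover where the match sits in target.
    i, j = best_pos
    end = j
    while i > 0 and j > 0 and H[i][j] > 0:
        if H[i][j] == H[i - 1][j - 1] + sub_score(query[i - 1], target[j - 1]):
            i, j = i - 1, j - 1
        elif H[i][j] == H[i - 1][j] + GAP:
            i -= 1
        else:
            j -= 1
    return best, target[j:end]


def second_level_label(domain):
    """'installad0be.com' -> 'installad0be'. Multi-part public suffixes such
    as .co.uk are not handled; a real system would use the public suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_similarity(label):
    """Best-matching brand token, its similarity in [0, 1], and the matched span."""
    best = (None, 0.0, "")
    for brand in BRANDS:
        score, span = smith_waterman(brand, label)
        sim = score / (MATCH * len(brand))   # 1.0 means the brand appears verbatim
        if sim > best[1]:
            best = (brand, sim, span)
    return best


def nlprank_score(domain, threshold=0.6):
    """Grade one domain. Flags a label that is not the brand itself and either
    contains a near-brand permutation or pairs the brand with a call-to-action."""
    label = second_level_label(domain)
    brand, sim, span = brand_similarity(label)
    ctas = [w for w in CALLS_TO_ACTION if w in label]
    exact_brand = label == brand
    near_brand = sim >= threshold
    permuted = near_brand and span != brand          # e.g. 'ad0be' for 'adobe'
    suspicious = (not exact_brand) and near_brand and (permuted or bool(ctas))
    return {"domain": domain, "label": label, "brand": brand,
            "similarity": round(sim, 3), "aligned_span": span,
            "calls_to_action": ctas, "suspicious": suspicious}


def rank_domains(domains):
    """Most suspicious first: flagged domains, then by brand similarity."""
    scored = [nlprank_score(d) for d in domains]
    return sorted(scored, key=lambda r: (r["suspicious"], r["similarity"]), reverse=True)


if __name__ == "__main__":
    # Constructed sample of newly seen domains (not real campaign data).
    sample = ["installad0be.com", "paypa1-login.net", "adobe-update.net",
              "adobe.com", "javascript.info", "updates.com"]
    for r in rank_domains(sample):
        print(f"{r['domain']:22} brand={str(r['brand']):10} sim={r['similarity']:.3f} "
              f"span={r['aligned_span']!r:14} cta={r['calls_to_action']} "
              f"{'SUSPICIOUS' if r['suspicious'] else 'ok'}")
```

The similarity is the alignment score divided by the score a verbatim brand would earn, so "ad0be" scores 14/15 against "adobe" because the 0/o swap is a near-match rather than a mismatch, while "updates.com" stays well under the threshold despite containing a call-to-action. The same scoring also illustrates the false-positive problem Hay raises below: an unrelated label such as "adobo" aligns against "adobe" at 0.8 and would be flagged, which is why the threshold and lexicon need tuning against real traffic before anything is blocked.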

Hay explains that when attackers first register a domain, they usually test it several times before putting it to any meaningful malicious use. "We can see that initial bump in the wire," says Hay, "and then we can block it before it becomes a full-blown campaign."

They've already started applying NLPRank to that task. Last month they used it to discover a PayPal phishing campaign. Plus, when they had a look at Kaspersky Lab's data on the impressively sophisticated Carbanak banking crime ring, they saw that NLPRank had flagged the Carbanak command-and-control domains weeks earlier. 

Hay says they're "not quite ready" to put NLPRank into production. They want to wait until further testing proves the tool doesn't produce too many false positives. After that, they may consider expanding the lexicon to include terms that are popular in the most heavily targeted industries (like finance). However, Hay says they couldn't go too crazy with that effort lest they turn the whole exercise into "looking for a needle in a pile of needles."

OpenDNS has expanded its research team recently. Hay says to expect more innovations like NLPRank to come soon. 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

User Rank: Author
3/24/2015 | 11:14:37 AM
Re: useful but
Sadly, DNSSEC isn't really the answer until more organizations support it.  And it's not something you can force on people, or declare by fiat.
User Rank: Apprentice
3/7/2015 | 1:03:04 AM
Re: useful but
It's just as easy to register for an EIN. Why not enforce DNSSEC at root DNS servers, protect before they are unleashed and block if they violate policies?
User Rank: Apprentice
3/7/2015 | 12:55:21 AM
infoblox has already done this
Infoblox introduced their DNS firewall well over a year ago, it does the same thing and is trusted by our government. Is this really a revelation or just another me too product from the competition?
Thomas Claburn
User Rank: Ninja
3/5/2015 | 4:02:36 PM
useful but
Why isn't there more effort to make domains more expensive and harder to register? The domain registration industry could make things much more secure.