Black Hat 2024: DNS and the Trail of Breadcrumbs Leading Back to Attackers

Dr. Renée Burton, VP of Infoblox Threat Intel, joins Dark Reading's Terry Sweeney at News Desk during Black Hat USA to discuss catching attackers who left fingerprints all over the DNS infrastructure.

Terry Sweeney, Contributing Editor

August 14, 2024

9 Min View
Dark Reading

DNS once again proves why it's such a great vehicle for exposing the activities of attackers and domain name thieves, according to Dr. Renée Burton, VP of Infoblox Threat Intel. She joins Dark Reading's Terry Sweeney at News Desk during Black Hat USA to discuss how Infoblox identified two bad actors and the tactics they used for digital hijacking and other online malfeasance. And while the company's DNS monitoring capabilities are world-class, Burton also credits Infoblox's threat intelligence research division for mining all that DNS data to identify threat actors and the anomalies that betray them.

In one of the cases she recounts for News Desk, Burton talks about how they used DNS data to look at a series of domain name thefts. What initially looked like a series of thefts by unrelated actors turned out to be a single party: Sitting Ducks.

According to Burton, Sitting Ducks is a gang of Russian cyber criminals who found a gap in DNS's administration logic. She explains that organizations have a DNS provider, possibly their web hosting provider; they may also use a separate DNS service. "There's a gap between these two things and you forget about the domain and the actor just comes in and says, 'I'll take that'," she says. "And they use them for a little while and then they drop them back down again. So they've created this kind of lending library."

Burton discusses another case, Vigorish Viper, whose name is an organized crime reference to exorbitant fees that may be due. The Chinese crime gang behind Vigorish Viper has used its own DNS infrastructure to engage in money laundering and human trafficking. Click on the video to get the full story.

Dr. Renée Burton is the VP of threat intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence. With over 20 years of experience at the NSA before joining Infoblox, she shaped Infoblox threat intel to be the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators.

About the Author

Terry Sweeney

Contributing Editor

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain's New York Business, Red Herring, Network World, InformationWeek and Mobile Sports Report.

In addition to information security, Sweeney has written extensively about cloud computing, wireless technologies, storage networking, and analytics. After watching successive waves of technological advancement, he still prefers to chronicle the actual application of these breakthroughs by businesses and public sector organizations.

