Politically targeted DNS in 2016 and 2020

Friday 4 October 11:00 - 11:30, Red room

David Rodriguez (Cisco Umbrella)
John Cunniff (Cisco Umbrella)
Andrea Kaiser (Cisco Umbrella)
Dhia Mahjoub (Cisco Umbrella)

Disinformation campaigns are the latest form of cyber-warfare. They involve nation states and foreign actors using massive online delivery mechanisms such as social media sites to distribute subversive or influential political content to millions of citizens. At the same time, smaller campaigns identify political headlines and twist them to lure individuals to click on links and advertisements.

While much has been discussed about the negligence of social media sites in their efforts to prevent the spread of misinformation, there has not been a comprehensive study of the weaponization of domain names, in DNS, related to political events. There is no more clarity today than in 2016 as to the breadth of keywords or top-level domains (TLDs) and hosting infrastructure used to orchestrate misinformation campaigns, click-bait, and other dubious activities.

Using Cisco Umbrella’s global visibility in DNS we’ll analyse three months leading up to the 2016 elections in the US, identifying domains based on political keywords, unearthing infrastructure spanning the globe from telecom companies and content delivery networks (CDNs) in the US to Russia. While the Democratic Primaries begin to ramp up for the 2020 election cycle, we’ll report on the latest domains and infrastructures seen today. How many US politically motivated domains are hosted in Eastern European countries? What infrastructure has evolved since the 2016 US elections? Come and find out.

 Related links



David Rodriguez

David is tech lead on engineering and data science initiatives for Cisco Umbrella research focusing on large-scale cybersecurity threat detection. He has authored multiple patents with Cisco identifying malicious network traffic using deep learning and behavioural analytics. He is known for his open-source work on projects such as Rainier, a probabilistic programming framework, and speaking about machine learning and big data technologies in cybersecurity at conferences like Black Hat, O'Reilly Strata, Flink Forward, Flocon, Virus Bulletin, and HitBSEC.



John Cunniff

John Cunniff is an aspiring security expert that currently attends NYU’s Tandon School of Engineering for Computer Science. He is a member of the OSIRIS cybersecurity lab and NYU’s CTF (capture the flag) team NYUSEC where he specializes in web challenges. John has worked at Cisco Umbrella since mid-2019 as a software engineer on the Applied Research team. At Cisco, John has specialized in engineering tools and mechanisms that have empowered the team to be industry leaders in DNS security.



Andrea Kaiser

Andrea began her career in infrastructure support and worked as a sysadmin for 12 years. Security has always been her passion. She began working with OpenDNS in 2015 as a security researcher. OpenDNS transitioned to be Cisco Umbrella, and has grown to have 175 billion Internet requests a day, allowing a great view for the security research teams. Andrea now manages the Security Research Analysts team. The analysts work to identify malicious requests coming from attacker or compromised infrastructure related to cybercriminal activities. Andrea has presented at BSides Las Vegas, BSides Amsterdam, DeepSec, and SANS Threat Hunting and Incident Response Summit. Her presentations have been about botnet communications, and how to gather IOCs related to malicious activity through threat hunting.



Dhia Mahjoub

Dr. Dhia Mahjoub is Head of Security Research at Cisco Umbrella. He works with his team on building large-scale threat detection and threat intelligence systems, driving new product features and supporting major business deals in the US, Europe, and APAC. He has 15+ years experience in network security, has authored patents with OpenDNS and holds a Ph.D. in graph data analysis. Dhia has been supporting law enforcement through his investigation of cybercrime and speaking about it at the Europol-INTERPOL Cybercrime Conference, the Dutch NCSC One Conference and the SANS CTI Summit. He has given keynotes at KPMG and Orange security events and is a frequent speaker at conferences worldwide including Black Hat, Defcon, Virus Bulletin, RSA, FS-ISAC and FIRST. He’s also on the program committee of Botconf and the ACM DTRAP journal.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.