\item D4 Project (co-funded under INEA CEF EU program) started - \textbf{1st November 2018}
\item D4 encapsulation protocol version 1 published - \textbf{1st December 2018}
\item v0.1 release of the D4 core\footnote{\url{https://www.github.com/D4-project/d4-core}} including a server and simple D4 C client - \textbf{21st January 2019}
\item First version of a golang D4 client\footnote{\url{https://www.github.com/D4-project/d4-goclient/}} running on ARM, MIPS, PPC and x86 - \textbf{January 2019}
D4 header includes an easy way to {\bf extend the protocol} (via type 2) without altering the format. Within a D4 session, the initial D4 packet(s) type 2 defines
the custom headers and then the following packets with type 254 is the custom data encapsulated.
\item D4 core server\footnote{\url{https://github.com/D4-project/d4-core}} is a complete server to handle clients (sensors) including the decapsulation of the D4 protocol, control of sensor registrations, management of decoding protocols and dispatching to adequate decoders/analysers.
\item D4 server is written in Python 3.6 and runs on standard GNU/Linux distribution.
\item CIRCL (and other CSIRTs) have their own passive DNS\footnote{\url{https://www.circl.lu/services/passive-dns/}} collection mechanisms
\item Current {\bf collection models} are affected with DoH\footnote{DNS over HTTPS} and centralised DNS services
\item DNS answers collection is a tedious process
\item{\bf Sharing Passive DNS stream} between organisation is challenging due to privacy
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Potential Strategy}
\begin{itemize}
\item Improve {\bf Passive DNS collection diversity} by being closer to the source and limit impact of DoH (e.g. at the OS resolver level)
\item Increasing diversity and {\bf mixing models} before sharing/storing Passive DNS records
\item Simplify process and tools to install for {\bf Passive DNS collection by relying on D4 sensors} instead of custom mechanisms
\item Provide a distributed infrastructure for mixing streams and filtering out the sharing to the validated partners
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{First release}
\begin{itemize}
\item[\checkmark]
analyzer-d4-passivedns\footnote{\url{https://github.com/D4-project/analyzer-d4-passivedns}}, an analyzer for a D4 network sensor:
\begin{itemize}
\item{\bf processes} data produced by D4 sensors (in passivedns CSV format\footnote{\url{https://github.com/gamelinux/passivedns}}),
\item{\bf ingests} these into a {\bf Passive DNS server} which can be queried later to search for the Passive DNS records,
\item{\bf provides} a lookup server (using on
redis-compatible backend) that is a Passive DNS REST server compliant to the Common Output Format\footnote{\url{https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-04}}.
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[t]{Common Output Format}
\begin{itemize}
\item{\bf Consistent naming of fields across Passive DNS software} based on the most common Passive DNS implementations
\item Minimal set of fields to be supported
\item Minimal set of optional fields to be supported
\item Way to add "additional" fields via a simple registry mechanism (IANA-like)
\item Simple and easily parsable format
\item A gentle reminder regarding privacy aspects of Passive DNS
\item\textbf{rrname} : name of the queried resource records
\begin{itemize}
\item JSON String
\end{itemize}
\item\textbf{rrtype} : resource record type
\begin{itemize}
\item JSON String (interpreted type of resource type if known)
\end{itemize}
\item\textbf{rdata} : resource records of the query(ied) resource(s)
\begin{itemize}
\item JSON String or an array of string if more than one unique triple
\end{itemize}
\item\textbf{time\_first} : first time that the resource record triple (rrname, rrtype, rdata) was seen
\item\textbf{time\_last} : last time that the resource record triple (rrname, rrtype, rdata) was seen
\begin{itemize}
\item JSON Number (epoch value) UTC TZ
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[t]{Optional fields}
\begin{itemize}
\item\textbf{count} : how many authoritative DNS answers were received by the Passive DNS collector
\begin{itemize}
\item JSON Number
\end{itemize}
\item\textbf{bailiwick} : closest enclosing zone delegated to a nameserver served in the zone of the resource records
\begin{itemize}
\item JSON String
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}[t]{Additionals fields}
\begin{itemize}
\item\textbf{sensor\_id} : Passive DNS sensor information
\begin{itemize}
\item JSON String
\end{itemize}
\item\textbf{zone\_time\_first} : specific first/last time seen when imported from a master file
\item\textbf{zone\_time\_last}
\begin{itemize}
\item JSON Number
\end{itemize}
\item Additional fields can be requested via \url{https://github.com/adulau/pdns-qof/wiki/Additional-Fields}
\end{itemize}
\end{frame}
\begin{frame}
\begin{center}
{\bf Passive SSL revamping}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Objectives - TLS Fingerprinting}
{\bf Keep} a log of links between:
\begin{itemize}
\item x509 certificates,
\item ports,
\item IP address,
\item client (ja3),
\item server (ja3s),
\end{itemize}
\begin{displayquote}
``JA3 is a method for creating SSL/TLS client fingerprints that should be easy to produce on any platform and can be easily shared for threat intelligence.''\footnote{https://github.com/salesforce/ja3}
\end{displayquote}
{\bf Pivot} on additional data points during Incident Response
\end{frame}
\begin{frame}
\frametitle{Objectives - Mind your Ps and Qs}
{\bf Collect} and {\bf store} x509 certificates and TLS sessions:
\begin{itemize}
\item Public keys type and size,
\item moduli and exponents,
\item curves parameters.
\end{itemize}
{\bf Detect} anti patterns in crypto:
\begin{itemize}
\item Shared Public Keys,
\item Moduli that share one prime factor,
\item Moduli that share both prime factor,
\item Small factors,
\item Nonces reuse / common preffix or suffix, etc.
\item{\bf Sensitive information sanitization} by specialized analyzers
\item{\bf Previewing datasets} collected in D4 sensor network and providing {\bf open data stream} (if contributor agrees to share under specific conditions)
\item{\bf Leverage MISP sharing communities} to augment Threat
Intelligence, and provide accurate metrology.
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Use it}
\begin{itemize}
\item{\bf Create} sensors easily with the generator \footnote{\url{https://github.com/d4-project/d4-sensor-generator}},
\item{\bf Manage} your own sensors and servers, {\bf find} shameful bugs and
{\bf fill} in github issues
\item Even better, {\bf send} Pull Requests!
\item{\bf Share} data to public servers to improve the datasets (and detection,
response, etc.)
\item{\bf Feed} your MISP instances with D4's findings - {\bf Share} yours
\item{\bf Leech} data, {\bf write} your own analyzers, {\bf do} research