Wes Connell – Building a Predictive Pipeline to Rapidly Detect Phishing Domains
Registering a new domain, obtaining a legitimate SSL certificate, and deploying it on a web server has become much cheaper for threat actors thanks to free SSL services like Let’s Encrypt. Detecting new phishing domains has always been a reactive process for security teams; just like malware, one cannot provide threat intelligence on phishing domains before they are registered and operationalized.
The development of the Certificate Transparency log network adds an interesting dimension to how this process can be improved. SSL certificates, and the domains to which they are issued, can now be monitored in real time… and security analysts already have an intuition for what phishing domains look like when they see them. Building a predictive pipeline that detects SSL certificates issued to new phishing domains can be reasonably accomplished using supervised machine learning. In this talk, I’ll introduce a Python-based framework for building this predictive pipeline from scratch.
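The feature-extraction step is where the analyst intuition mentioned above gets encoded into numbers a supervised model can learn from. The following is an added illustration, not code from the talk or its framework: it turns domain names as they appear in Certificate Transparency entries (wildcard SANs included) into a feature vector, and scores them with placeholder weights standing in for the coefficients a trained classifier would supply. The keyword list, TLD list, weights and sample domains are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Assumed analyst keyword list; a real pipeline would tune this from labelled data.
SUSPICIOUS_KEYWORDS = ("login", "secure", "account", "verify", "update",
                       "paypal", "apple", "bank", "signin")
# Assumed TLD list of cheap/free registrations often abused (constructed).
SUSPICIOUS_TLDS = ("xyz", "top", "tk", "ml", "ga", "cf", "gq")

def shannon_entropy(s):
    """Character entropy in bits; random-looking labels score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def domain_features(domain):
    """Numeric features for one CT-log domain (wildcard prefix and trailing dot stripped)."""
    d = domain.lower().rstrip(".")
    if d.startswith("*."):
        d = d[2:]
    labels = d.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1])            # everything left of the TLD
    core = name.replace(".", "").replace("-", "")
    return {
        "length": len(d),
        "label_count": len(labels),         # deep subdomain chains are a common tell
        "hyphens": d.count("-"),
        "digits": sum(ch.isdigit() for ch in d),
        "entropy": round(shannon_entropy(core), 3),
        "keyword_hits": sum(k in name for k in SUSPICIOUS_KEYWORDS),
        "suspicious_tld": int(tld in SUSPICIOUS_TLDS),
        "ip_like": int(bool(re.search(r"\d+-\d+-\d+-\d+", d))),
    }

# Placeholder weights (assumption); a trained model's coefficients would replace these.
WEIGHTS = {"length": 0.01, "label_count": 0.2, "hyphens": 0.4, "digits": 0.05,
           "entropy": 0.1, "keyword_hits": 0.8, "suspicious_tld": 0.6, "ip_like": 0.5}

def suspicion_score(domain):
    f = domain_features(domain)
    return round(sum(WEIGHTS[k] * f[k] for k in WEIGHTS), 3)

def flag_ct_batch(domains, threshold=3.0):
    """Return the domains from a CT-log batch whose score exceeds the threshold."""
    return [d for d in domains if suspicion_score(d) > threshold]
```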