Techniques to find malicious activity based on analysis of DNS resolver logs
As one of the fundamental protocols of the Internet, DNS is involved in nearly every traffic flow into or out of an enterprise environment. Despite its ubiquity, however, DNS is not always recognized for the forensic potential it holds. By capturing and analyzing DNS requests and replies from the local network, security teams can enrich those events with external, threat-oriented DNS data to help with triage and risk assessment.
But the possibilities extend well beyond simply assessing the risk of individual traffic flows. Since hostile domains are almost always part of a larger campaign, any DNS activity related to one domain can represent the leading edge of a process that can lead to insights into, and protection from, these larger campaigns. Consider:
- A connection from the protected environment to a hostile or suspicious domain can be decorated with DNS, Whois, risk scoring, and other enriching data
- Within those data points, links to other domains or IP addresses can be found
- Analysis of the connected infrastructure can guide analysts toward enumeration of hostile campaign assets
Armed with this information, threat hunters, incident responders, and other SOC personnel can take specific responsive or proactive actions, including:
- Reviewing logs and events for additional connections from the protected environment to the larger set of adversary assets, which could have escaped earlier notice
- Devising detection or blocking rules to protect against the larger campaign
- Developing insights into adversary tactics, techniques, and procedures (TTPs)
- Monitoring further moves by the adversary based on known infrastructure patterns
None of these actions would be possible without a) awareness of domains requested by trusted hosts; and b) enrichment of those domains with DNS, Whois, and other such data.
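The enrich-pivot-hunt loop sketched in the two lists above, as an added Python example that is not part of the presentation or of any DomainTools tooling: parse resolver query logs, expand a hostile seed domain into related infrastructure through shared hosting IP and registrant, then re-check the logs for other internal hosts that resolved anything in the expanded set. The BIND-style log format, the enrichment field names (`ip`, `registrant`, `risk`), and every domain and address are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed BIND-style resolver query-log lines (sample data, not real traffic).
RESOLVER_LOG = """\
12-Mar-2024 09:14:02.117 client 10.0.4.21#51322: query: cdn-update-check.test IN A
12-Mar-2024 09:14:05.880 client 10.0.4.21#51330: query: www.example.org IN A
12-Mar-2024 09:15:11.004 client 10.0.7.9#40211: query: files-sync.test IN A
12-Mar-2024 09:16:47.550 client 10.0.4.33#50001: query: mail.example.org IN MX
12-Mar-2024 09:18:03.200 client 10.0.7.9#40230: query: portal-login.test IN A
"""

# Constructed stand-in for Whois / hosting enrichment; a real deployment would
# fetch these fields from an enrichment provider (field names are assumed).
ENRICHMENT = {
    "cdn-update-check.test": {"ip": "203.0.113.10", "registrant": "reg-a@mail.test", "risk": 92},
    "files-sync.test":       {"ip": "203.0.113.10", "registrant": "reg-b@mail.test", "risk": 85},
    "portal-login.test":     {"ip": "203.0.113.44", "registrant": "reg-a@mail.test", "risk": 70},
    "www.example.org":       {"ip": "198.51.100.5", "registrant": "hostmaster@example.org", "risk": 3},
    "mail.example.org":      {"ip": "198.51.100.6", "registrant": "hostmaster@example.org", "risk": 3},
}

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log):
    """Return (client_ip, qname, qtype) for every query line in the log."""
    return [(m["client"], m["qname"].lower().rstrip("."), m["qtype"])
            for m in (QUERY_RE.search(line) for line in log.splitlines()) if m]

def pivot_infrastructure(seeds, enrichment, keys=("ip", "registrant")):
    """Expand the seed set through shared hosting IP or registrant until it stops growing.
    Nameservers are deliberately not a pivot key: shared DNS providers link
    unrelated domains and would pull benign sites into the campaign set."""
    related = set(seeds)
    while True:
        shared = {(k, enrichment[d][k]) for d in related if d in enrichment for k in keys}
        new = {d for d, info in enrichment.items() if any((k, info[k]) in shared for k in keys)}
        if new <= related:
            return related
        related |= new

def hunt(log, enrichment, seeds):
    """Map each internal client to the campaign domains it resolved (list item 1 above)."""
    campaign = pivot_infrastructure(seeds, enrichment)
    hits = defaultdict(set)
    for client, qname, _ in parse_queries(log):
        if qname in campaign:
            hits[client].add(qname)
    return dict(hits)

if __name__ == "__main__":
    for client, domains in sorted(hunt(RESOLVER_LOG, ENRICHMENT, {"cdn-update-check.test"}).items()):
        print(client, sorted(domains))
```

Starting from the single flagged domain, the pivot pulls in two more domains that share its hosting IP or registrant, and the re-scan surfaces a second internal host (10.0.7.9) that never touched the original seed.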
In this live presentation, host Tim Helming will illustrate methods for identifying key sources of DNS data, and for enriching those logs or events with DomainTools APIs, UI-based tools, and third-party integrations, using recently-active threat infrastructure for demonstration.