Even the bad guys use DNS to find their command and control servers on the Internet, and this creates an important threat hunting opportunity you don’t want to neglect.
In previous webinars we’ve discussed indicators that a given domain name is malicious. There’s a lot more involved than just looking at the domain name itself to see if it looks like the product of a DGA (Domain Generation Algorithm). How old is the domain? Who’s the registrant? Even the registrar can provide important hints. Is the zone file for the domain suspiciously skinny, or does it contain the records you expect for a real domain?
In this webinar we will explore how to leverage domain name risk score analysis to surface indicators of compromise that are truly worth investigating. The goal is to cast as wide a net as possible while also automating as much as possible.
This type of threat hunting starts with automating domain name risk score analysis. Some organizations with sufficient resources and requirements do this in-house, but for most it’s more appropriate to subscribe to a service that does it for you. Next, we need to feed our domain name risk analyzer with as many of the domains showing up in our network as we can, so it’s also important to identify all the sources of domain names available in your network:
- Web proxies
- Next gen firewalls
- DNS servers
- Emails
  - Sender domains
  - URLs within the body of the email
You must progressively integrate these domain name sources into your risk analysis process. Except for email bodies, all of the domain name sources above can be gleaned from logs, so your log management or SIEM is usually the best place for the integration. We’ll demonstrate collecting various logs in Splunk and comparing the domain names in those logs against the Domain Risk Score technology from DomainTools.
In this real training for free event, I will compare the different logs and other sources of domain names available in your network with regard to how to obtain the information, what format it comes in and how to integrate it. Taylor Wilkes-Pierce from DomainTools will show you how they analyze a domain name to compute its risk score. There’s a tremendous amount of information to consider – some of which requires sophisticated technology to obtain. Here are a couple of examples:
- To assess the completeness of a domain you need to see its zone file. But zone files aren’t usually available for the public to download. DomainTools leverages something called passive DNS to build out nearly complete zone files for every domain out there.
- Many new domains have no other indicator of maliciousness except for being new, but if you have the Internet’s entire Domain Name System dataset at hand, including history, you can tease out connections of new domains to related older domains known to be malicious.
Once your automated system identifies a “domain of interest”, what do you do with it? We’ll explore that decision. Here are some possibilities:
- Populate a threat-hunting dashboard showing indicators of compromise
- In terms of UEBA, you would increase the current risk score of whichever endpoints and user accounts are associated with the domain name, allowing you to factor this IOC in with others to identify the entities most likely to be involved in a compromise
- Identify the email and sender as a likely phishing attack, make sure users don’t fall for related messages, and block further messages
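The pipeline described above, from log sources to domains of interest with their associated users and endpoints, as an added example that is not code from the webinar or from DomainTools. It assumes key=value log lines of the kind a SIEM normalises (constructed samples embedded below), a stand-in risk score table in place of a real risk score service, and a "last two labels" approximation of the registrable domain; a production version would consult the Public Suffix List.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the page) in key=value form: two proxy
# events, two DNS queries and one inbound email event with a URL in its body.
SAMPLE_LOGS = [
    "src=10.0.0.5 user=alice url=http://cdn.example-static.net/app.js",
    "src=10.0.0.9 user=bob url=https://x7kq2m9.top/gate.php",
    "src=10.0.0.9 user=bob query=x7kq2m9.top type=A",
    "src=10.0.0.5 user=alice query=mail.example.com type=MX",
    "src=10.0.0.7 user=carol from=billing@invoice-secure-pay.info "
    "body_url=http://invoice-secure-pay.info/doc",
]

# Stand-in for a risk score service such as DomainTools' (assumed scores, 0-100).
RISK_SCORES = {"example-static.net": 5, "example.com": 2,
               "x7kq2m9.top": 92, "invoice-secure-pay.info": 81}

# Host names appear after url=, body_url=, query=, or the @ of a from= address.
HOST_RE = re.compile(
    r"(?:url|body_url|query)=(?:https?://)?([a-z0-9.-]+)|from=[^@\s]+@([a-z0-9.-]+)",
    re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")

def registrable(host):
    """Reduce a host name to its registrable domain. Assumption: the last two
    labels suffice for these samples (a real tool would use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def extract_domains(line):
    """Return the set of registrable domains referenced by one log line."""
    return {registrable(a or b) for a, b in HOST_RE.findall(line)}

def hunt(lines, scores, threshold=70):
    """Score every domain seen in the logs and return the domains of interest,
    each with the users and source hosts that touched it (UEBA-style context)."""
    seen = defaultdict(lambda: {"users": set(), "hosts": set(), "hits": 0})
    for line in lines:
        fields = dict(KV_RE.findall(line))
        for dom in extract_domains(line):
            seen[dom]["hits"] += 1
            if "user" in fields:
                seen[dom]["users"].add(fields["user"])
            if "src" in fields:
                seen[dom]["hosts"].add(fields["src"])
    # Domains the service has not scored are left out rather than guessed at.
    flagged = {d: dict(v, score=scores[d]) for d, v in seen.items()
               if scores.get(d, 0) >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1]["score"]))

if __name__ == "__main__":
    for dom, info in hunt(SAMPLE_LOGS, RISK_SCORES).items():
        print(f"{dom:25} score={info['score']:3} hits={info['hits']} "
              f"users={sorted(info['users'])} hosts={sorted(info['hosts'])}")
```

The returned entries are what a threat-hunting dashboard or a UEBA score adjustment would consume: the domain, its score, and the users and endpoints that should inherit the raised risk.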
Please join me for this real training for free event!