DNS Threat Hunting: Exploiting Your Adversaries' Dependence on Domain Names

Webinar Registration

Normally we think about bad guys exploiting our organization's weaknesses, but in this real training for free session we will turn the tables and explore how to exploit the fact that most adversaries rely on DNS to:

  • Send email
  • Deliver malicious payloads
  • Connect to C&C (Command & Control)
  • Exfiltrate data

For all of the above reasons and more, attackers need a locatable endpoint on the Internet. Attackers don't like to use hard-coded IP addresses because 1) they frequently have to move to different systems, and 2) IP addresses stick out compared to domain names.

Besides IP addresses, attackers do use hijacked websites and cloud file-sharing services, but their availability to bad guys is transient since these get remediated. A few isolated attacks have relied on social media posts or hijacked systems, but in general attackers rely heavily on domain names, just like those of us in the legitimate world.

So, let's use that against them. There's a lot of information about domain names, the infrastructure associated with them, and the DNS records comprising the domain's zone file. If you can obtain this information and know how to analyze it, there are some pretty good indicators to help you zero in on malicious domains.

In this webinar, we will explore those indicators and examine three different threat hunting scenarios where you can use domain name threat indicators to make faster decisions and build repeatable workflows that save time and protect your users.

Some of the indicators include:

  • Domain name creation date
  • DNS server hosting infrastructure shared with other malicious domains
  • Name resolution revealing shared IP addresses with other malicious domains
  • Other hosting data such as country codes, registrars, etc.

In terms of threat hunting, we will discuss:

  • Value of DNS intelligence applied to logs at scale
  • Using SOAR to enrich SIEM alerts with information about relevant domains
  • Pivoting through adversary infrastructure and registration data, where applicable, to up your game from a blocking and monitoring perspective
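The indicators listed above (creation date, shared name servers, shared IPs, registrar and country data) and the log-enrichment idea in this second list can be combined into one small hunting routine. The following is an added example, not code from the webinar or from DomainTools: it scores each queried domain against those indicators relative to a known-bad list, then attaches the score and reasons to resolver log events so an analyst can filter to the interesting ones. The 30-day age threshold, the domain records, the IPs, the log format and the known-bad list are all assumptions constructed for illustration.

```python
"""Hypothetical domain-indicator scoring and DNS-log enrichment.
Added example, not code from the webinar or from DomainTools. Every domain,
IP, name server, registrar and log line below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date

OBSERVATION_DATE = date(2024, 3, 15)  # constructed "today" used for domain age
NEW_DOMAIN_DAYS = 30                  # hypothetical threshold for "newly registered"


@dataclass(frozen=True)
class DomainRecord:
    """What a domain-intelligence lookup (WHOIS plus resolution) might return."""
    domain: str
    created: date
    name_servers: frozenset
    ips: frozenset
    registrar: str
    country: str


# Constructed intelligence records; values are placeholders, not real data.
DOMAIN_INTEL = {
    "known-bad.example": DomainRecord(
        "known-bad.example", date(2024, 1, 2), frozenset({"ns1.cheap-dns.example"}),
        frozenset({"203.0.113.10"}), "Registrar-A", "XX"),
    "fresh-lure.example": DomainRecord(
        "fresh-lure.example", date(2024, 3, 10), frozenset({"ns1.cheap-dns.example"}),
        frozenset({"203.0.113.11"}), "Registrar-A", "XX"),
    "shared-ip.example": DomainRecord(
        "shared-ip.example", date(2022, 6, 1), frozenset({"ns1.other-dns.example"}),
        frozenset({"203.0.113.10"}), "Registrar-C", "YY"),
    "corp-portal.example": DomainRecord(
        "corp-portal.example", date(2015, 8, 20), frozenset({"ns1.bigcloud.example"}),
        frozenset({"198.51.100.5"}), "Registrar-B", "US"),
}
KNOWN_BAD = {"known-bad.example"}  # constructed block list


def score_domain(record, intel, known_bad, today=OBSERVATION_DATE):
    """Apply the indicators one point each; return (score, reasons)."""
    reasons = []
    if record.domain in known_bad:
        reasons.append("on known-bad list")
    age_days = (today - record.created).days
    if age_days <= NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age_days} days ago")
    # Compare against every known-bad domain we hold intelligence for.
    bad = [intel[d] for d in known_bad if d in intel and d != record.domain]
    shared_ns = sorted({ns for b in bad for ns in b.name_servers & record.name_servers})
    if shared_ns:
        reasons.append("name servers shared with known-bad: " + ", ".join(shared_ns))
    shared_ip = sorted({ip for b in bad for ip in b.ips & record.ips})
    if shared_ip:
        reasons.append("IPs shared with known-bad: " + ", ".join(shared_ip))
    if any(b.registrar == record.registrar and b.country == record.country for b in bad):
        reasons.append(f"same registrar/country as known-bad: {record.registrar}/{record.country}")
    return len(reasons), reasons


# Constructed resolver log: timestamp, client IP, query name, query type.
DNS_LOG = """\
2024-03-15T09:01:02Z 10.0.0.5 corp-portal.example. A
2024-03-15T09:01:09Z 10.0.0.7 FRESH-LURE.example A
2024-03-15T09:02:31Z 10.0.0.9 shared-ip.example A
2024-03-15T09:03:00Z 10.0.0.5 no-intel.example A
"""


def parse_dns_log(text):
    """Yield one event per log line; normalise the query name for lookups."""
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        yield {"ts": ts, "client": client,
               "qname": qname.lower().rstrip("."), "qtype": qtype}


def enrich_log(text, intel, known_bad):
    """Attach score and reasons to every event (the SIEM-enrichment step)."""
    events = []
    for ev in parse_dns_log(text):
        rec = intel.get(ev["qname"])
        if rec is None:
            ev.update(score=None, reasons=["no intelligence record"])
        else:
            score, reasons = score_domain(rec, intel, known_bad)
            ev.update(score=score, reasons=reasons)
        events.append(ev)
    return events


def hunt(text, intel, known_bad, min_score=1):
    """Return only the enriched events worth an analyst's attention."""
    return [ev for ev in enrich_log(text, intel, known_bad)
            if ev["score"] is not None and ev["score"] >= min_score]
```

Run `hunt(DNS_LOG, DOMAIN_INTEL, KNOWN_BAD)` and only two of the four queries come back: the five-day-old domain that shares name servers and registrar/country with the known-bad domain (score 3), and the older domain that shares an IP with it (score 1). The corporate portal scores zero and the domain without an intelligence record is kept by `enrich_log` but excluded from the hunt, which is the difference between enriching every alert and surfacing the ones to pivot on.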

We’ll even look at how to go proactive by using adversary TTPs (Tactics, Techniques and Procedures) to monitor for domain registration activity and track changes in their infrastructure over time.

DomainTools is the perfect sponsor for this real training for free session and Taylor Wilkes-Pierce will briefly show how they analyze the massive quantity of information they collect about domain names on the Internet to help you find attackers through DNS.

Please join us for this real training for free session.
