Cyber Hunting with DNS

Cyber predators are waiting to go for the kill, so you need to hunt them down first. Neena George, Solution Architect, talks about how to go cyber hunting for threats using DNS data taken off the wire.

By Neena George, 16 June 2016

Hunt or be hunted. In today’s cyber universe, there are no two ways about it. The predators on the “dark” side are continuously watching your organization, and probing your networks. In all likelihood, they have already stealthily established a foothold and are waiting to go in for the kill.

If your cyber warriors are passively waiting to respond to alerts of known indicators of compromise that cross your perimeter defenses, you may have already fallen prey to a breach. To evolve from prey to predator, your cyber security strategy needs to evolve from defense to a hybrid strategy of defense and offense. Instead of using existing security tools and processes as shields, they must be utilized to both seek out and identify new threats while still defending.

Threat intelligence feeds, signatures and rules rely on large systems and open source research to gather and dispense information on the latest threats. They remain a good resource for identifying threats across the constantly evolving landscape and guarding against them. However, cyber hunting techniques can actively ferret out and profile attacker footprints already present in your network. These hunting capabilities allow organizations to find unknown malware that may have gotten past perimeter defenses. A combination of threat-profile-based alerting and active cyber hunting is the best offensive strategy against threats, and DNS data is a valuable resource for both.

DNS remains one of the cornerstones of internet communication. This means both the “good” and the “bad” actors use it—there’s no way around it. Most modern malware uses DNS to connect back to its command and control infrastructure, and in doing so leaves a trail of DNS-based network evidence: domain names and IPs. These breadcrumbs can be used to trace the activity and its origin.

And these breadcrumbs live in the DNS logs. But analyzing DNS logs from across all the resolvers of an organization is a prodigious task. Differences in logging formats and capabilities make normalizing and analyzing these logs difficult, and the sheer volume quickly becomes overwhelming. That is before considering visibility into queries sent to open resolvers, such as Google’s public name servers or OpenDNS, which sidestep the organization’s resolvers entirely.

All of these issues are solved by capturing all DNS activity off the wire: a single-source view into every DNS query made to malicious or non-malicious domains, and the corresponding responses, as they travel between hosts and all resolvers. Information on domains used by malicious actors can easily be obtained from threat feeds and added to a firewall or web proxy “blacklist” for perimeter defense. But merely adding this information to a blacklist is insufficient. It may prevent an internal infected resource from contacting a known bad domain, but the infection still resides on that host within your network, and it may already have propagated internally. Firewalls and proxies provide no insight into this lateral movement.

Corvil Security Analytics operationalizes this threat intelligence and identifies the systems in the organization that attempted to contact known bad domains by matching the domain names in the threat feeds to DNS queries issued by hosts, thus pinpointing which resources in the network need to be cleaned up. The network communication data stored by Corvil can then be used to analyze whether the infection has propagated within the network. By running newer threat information retrospectively against that data, we get an updated list of compromised systems and can check for previous exfiltration attempts.

The more interesting aspects of DNS data, however, go far beyond correlating threat feed domain information to DNS queries on the wire. As an example, malware operators frequently use Domain Generation Algorithms (DGAs) to generate thousands of domain names. Malware cycles through these domains, knowing full well that only very few of them are going to result in established contact. This means that the vast majority of the queries made by malware-infected systems result in NXDomain responses. A certain number of NXDomain responses is to be expected due to user error and typos, but if the number of NXDomain responses from a host shows a sudden spike, and the queried names are unusual (abnormally long, unexpected or otherwise abnormal), these are very likely to be associated with a DGA and warrant further investigation.
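As an added example (not code from the post or from Corvil), the NXDomain-spike heuristic above applied to a handful of constructed DNS records: hosts whose share of NXDomain responses is high, and whose failed lookups look machine-generated, are surfaced for investigation. The length and entropy thresholds are assumed starting points to tune per environment.

```python
# Added example (not Corvil's code): hunt for DGA activity by spotting hosts whose
# NXDOMAIN responses spike and whose failed lookups look machine-generated.
import math
from collections import defaultdict

# Constructed sample records: (client_host, queried_name, rcode)
RECORDS = [
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.5", "intranet.example.com", "NOERROR"),
    ("10.0.0.5", "wwww.example.com", "NXDOMAIN"),        # a human typo
    ("10.0.0.9", "login.example.com", "NOERROR"),
    ("10.0.0.9", "xkq7fz2pwv9lhq3t.net", "NXDOMAIN"),
    ("10.0.0.9", "r8d3jz0mqt5yhbwx.org", "NXDOMAIN"),
    ("10.0.0.9", "p2n6cvg4lk1stzqa.biz", "NXDOMAIN"),
    ("10.0.0.9", "m9w4hxj3bdv7kfru.info", "NXDOMAIN"),
    ("10.0.0.9", "t5b1zqk8xnc6ylwg.com", "NOERROR"),    # the one that resolved
]

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())

def looks_machine_generated(name, min_len=12, min_entropy=3.5):
    """Long, high-entropy second-level label (thresholds are assumed; tune per estate)."""
    labels = name.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy

def hunt_dga_hosts(records, min_queries=4, nx_ratio=0.5):
    """{host: [suspicious NXDOMAIN names]} for hosts whose NXDOMAIN share exceeds nx_ratio."""
    totals, nx_names = defaultdict(int), defaultdict(list)
    for host, name, rcode in records:
        totals[host] += 1
        if rcode == "NXDOMAIN":
            nx_names[host].append(name)
    hits = {}
    for host, total in totals.items():
        if total >= min_queries and len(nx_names[host]) / total >= nx_ratio:
            odd = [n for n in nx_names[host] if looks_machine_generated(n)]
            if odd:
                hits[host] = odd
    return hits

if __name__ == "__main__":
    print(hunt_dga_hosts(RECORDS))
```

The lone typo from 10.0.0.5 is ignored both because that host's query volume is below the minimum and because "example" is a short, low-entropy label.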

Corvil Security Analytics easily pulls out these NXDomain responses and, in a single click, shows which hosts are generating these queries and the exact domains involved. IP addresses can also prove useful in hunting out threats. Having a single domain that resolves to more than one IP is perfectly normal. But with legitimate sites, these IPs exhibit a homogeneous spread in terms of geographical location, ownership or address block. For malicious actors that use fast flux techniques (where a single domain name swaps between resolving to multiple IPs at a very high frequency), the result is likely to be far greater heterogeneity. Examining the IP addresses mined from DNS responses may yield surprising insights.

The list of systems identified as DNS resolvers can be used for even further hunting. Comparing this list to a known list of resolvers can identify whether policies are being bypassed by infected systems or non-compliant users. Additionally, unusual sources of MX queries can help identify infected systems attempting to send out spam: typically, only an organization’s email server or DNS server should be issuing MX queries.

Facets of DNS communication such as large response sizes (>512 bytes) or tunneling activity warrant investigation too, as they can be indicative of data exfiltration or covert communications. These are just a few examples of how to hunt for threats in your network using DNS data. With Corvil’s Security Analytics solution, all DNS data is decoded live, meaning every aspect of the communication—query types, response types, domain names, IPs resolved to—is readily available for investigative hunting.
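As an added example (not Corvil's code), the three further checks described above, fast flux IP heterogeneity, MX queries from unexpected sources and oversized responses, run over constructed wire records. Grouping answers by /16 as a proxy for address-block ownership and the allowlist of hosts permitted to issue MX queries are assumptions of this example.

```python
# Added example (not Corvil's code): three further wire-DNS hunting checks,
# fast-flux style IP heterogeneity, MX queries from unexpected hosts, and
# oversized responses that may carry tunnelled data.
import ipaddress
from collections import defaultdict

# Constructed sample records: (client, qname, qtype, answer_ips, response_bytes)
RECORDS = [
    ("10.0.0.7", "cdn.example.com", "A", ["203.0.113.10", "203.0.113.11"], 120),
    ("10.0.0.7", "cdn.example.com", "A", ["203.0.113.12", "203.0.113.13"], 120),
    ("10.0.0.8", "update-srv.example.net", "A", ["198.51.100.4", "192.0.2.77"], 88),
    ("10.0.0.8", "update-srv.example.net", "A", ["203.0.113.250", "198.18.5.9"], 88),
    ("10.0.0.8", "update-srv.example.net", "A", ["100.64.3.3"], 70),
    ("10.0.0.20", "example.com", "MX", [], 110),      # the mail server, expected
    ("10.0.0.8", "example.org", "MX", [], 110),       # a workstation asking for MX
    ("10.0.0.8", "zz.tunnel.example.net", "TXT", [], 1400),
]

# Assumed allowlist: the only hosts that should legitimately issue MX queries.
MAIL_HOSTS = {"10.0.0.20"}

def ip_heterogeneity(records, min_blocks=3):
    """Domains whose A answers span many /16 blocks: {qname: distinct block count}.
    /16 is a crude stand-in for ownership; swap in ASN or geo lookups if available."""
    blocks = defaultdict(set)
    for _, qname, qtype, ips, _ in records:
        if qtype == "A":
            for ip in ips:
                blocks[qname].add(str(ipaddress.ip_network(f"{ip}/16", strict=False)))
    return {q: len(b) for q, b in blocks.items() if len(b) >= min_blocks}

def unexpected_mx_sources(records, allowed=MAIL_HOSTS):
    """Clients issuing MX queries that are not known mail or DNS servers."""
    return sorted({c for c, _, qtype, _, _ in records if qtype == "MX" and c not in allowed})

def oversized_responses(records, limit=512):
    """(client, qname, size) for responses above the classic 512-byte UDP limit."""
    return [(c, q, n) for c, q, _, _, n in records if n > limit]

if __name__ == "__main__":
    print(ip_heterogeneity(RECORDS))
    print(unexpected_mx_sources(RECORDS))
    print(oversized_responses(RECORDS))
```

The CDN name stays quiet because all of its answers sit in one address block, while the second name spreads across five unrelated blocks in three responses.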

So what are you waiting for? Happy cyber hunting!

Neena George, Solution Architect - Security, Corvil
Corvil safeguards business in a machine world. We see a future where all businesses trust digital machines to algorithmically conduct transactions on their behalf. For some businesses, this future is now.
