Digital art showing a complex blue landscape of undulating waves and peaks formed by luminous lines, evoking a sense of a futuristic or digital topography.
Webinar
Webinar

Eureka: Why DNS is Forensic Gold

Techniques to find malicious activity based on analysis of DNS resolver logs

As one of the fundamental protocols of the Internet, DNS is involved in nearly every traffic flow into or out of an enterprise environment. Despite its ubiquity, however, DNS is not always recognized for the forensic potential it holds. By capturing and analyzing DNS requests and replies from the local network, security teams can then enrich those events with external, threat-oriented DNS data to help with triage and risk assessment. 

But the possibilities extend well beyond simply assessing the risk of individual traffic flows. Since hostile domains are almost always part of a larger campaign, any DNS activity related to one domain can represent the leading edge of a process that can lead to insights into, and protection from, these larger campaigns. Consider:

  • A connection from the protected environment to a hostile or suspicious domain can be decorated with DNS, Whois, risk scoring, and other enriching data
  • Within those datapoints, connections can be found to other domains or IP addresses
  • Analysis of the connected infrastructure can guide analysts toward enumeration of hostile campaign assets

Armed with this information, threat hunters, incident responders, and other SOC personnel can take specific responsive or proactive actions, including:

  • Reviewing logs and events for additional connections from the protected environment to the larger set of adversary assets, which could have escaped earlier notice
  • Devising detection or blocking rules to protect against the larger campaign
  • Developing insights into adversary tactics, techniques, and procedures (TTPs)
  • Monitoring further moves by the adversary based on known infrastructure patterns

None of these actions would be possible without a) awareness of domains requested by trusted hosts; and b) enrichment of those domains with DNS, Whois, and other such data.

In this live presentation, host Tim Helming will illustrate methods for identifying key sources of DNS data, and for enriching those logs or events with DomainTools APIs, UI-based tools, and third-party integrations, using recently-active threat infrastructure for demonstration.

Related Content

Abstract digital DNS network connections with nodes and lines in purple and blue hues on a dark background, symbolizing concepts of technology and data communication in healthcare.
Webinar

Vital Signs: Using DNS to Predict Adversary Moves in Healthcare

Watch Now
A digital illustration of a complex network, depicted by interconnected lines and nodes with vibrant blue and green colors on a black background, visually represents the concept of "Malicious Intent and You: A Primer on
Webinar

Malicious Intent and You: A Primer on DomainTools Risk Scoring

Watch Now
Abstract image depicting a burst of blue and red light rays emanating from a central bright source, creating a sense of high-speed motion or energy explosion in a dark space, symbolizing the dynamic nature of
Webinar

Protecting Your Environment From the Unknown: Zero Trust and DomainTools

Watch Now
DomainTools Logo
Pricing Contact Login Support Request a Demo

© 2024 DomainTools

DomainTools® and DomainTools™ are owned by DomainTools, all rights reserved.

Privacy Policy    |    California Privacy Notice
Do Not Sell My Personal Information    |    Terms of Service    |    Sitemap