Surveilling Outbound DNS Queries to Disrupt Phishing and Cutting Off Malware from C&C

Here is a simple premise that can be devastatingly effective against multiple types of attacks, and early in the attack life cycle: First, nearly every attack today relies on DNS, at multiple points during the attack, to locate Internet-based elements of attacker infrastructure such as:

  • Phishing landing pages
  • Staging servers
  • Droppers
  • Command and Control
  • Exfiltration points

Second, we have at our disposal a variety of effective methods for analyzing domain names and predicting their likelihood of being malicious.

Taken together, it becomes imperative to analyze outbound DNS queries, from logs supplied by DNS servers or Internet gateways, to identify endpoints on your network that are trying to reach malicious domains on the Internet.

Most organizations start out by analyzing the logs of outbound DNS queries with DNS security analysis software, or at least by comparing them to a threat intel list, and then investigating the endpoints that made the suspect queries. This method is an extremely valuable indicator for threat hunting and security monitoring, and it is relatively unintrusive, since it is simply logging from the source DNS servers or Internet gateways. But it is admittedly after the fact.

The next level up in exploiting outbound DNS queries is to implement real-time protection, where the domain analysis takes place synchronously and a positive result lets you respond with a bogus IP address, or even redirect to an internal page explaining that the query was blocked. Part of the story with this method relies on “Domain Name Service Response Policy Zones” (DNS RPZ), a mechanism that allows a nameserver administrator to overlay custom information on top of the global DNS to provide alternate responses to queries (dnsrpz.info).
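The two stages described above, the after-the-fact review of DNS query logs against a threat intel list and the synchronous RPZ response, as one added example. This is illustrative code written for this page, not tooling from the event or from DomainTools. It assumes a BIND-style query log format (the regular expression `LOG_RE` would need adapting to your resolver or gateway), uses constructed sample log lines and placeholder threat intel domains, and uses a made-up walled-garden address `10.1.1.250` and zone name `rpz.local`. It goes slightly beyond the text in one respect: it matches parent domains, so a query for `beacon.<bad-domain>` is caught even though the list only names `<bad-domain>`.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the style of a BIND query log (format is an
# assumption for this demo; adapt LOG_RE to your resolver's or gateway's format).
SAMPLE_LOG = """\
12-Mar-2024 09:14:02.114 client 10.1.4.23#51324 (login-secure-bank.example): query: login-secure-bank.example IN A + (10.1.1.5)
12-Mar-2024 09:14:05.301 client 10.1.4.23#51330 (www.example.org): query: www.example.org IN A + (10.1.1.5)
12-Mar-2024 09:15:17.774 client 10.1.7.90#40211 (cdn.update-check.example.net): query: cdn.update-check.example.net IN A + (10.1.1.5)
12-Mar-2024 09:16:40.003 client 10.1.4.23#51401 (beacon.update-check.example.net): query: beacon.update-check.example.net IN TXT + (10.1.1.5)
"""

# Constructed threat-intel list of known-bad domains (placeholder names only).
THREAT_INTEL = {"login-secure-bank.example", "update-check.example.net"}

LOG_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)


def match_domain(qname, intel):
    """Return the threat-intel entry that covers qname (the exact name or any
    parent domain), or None. Checking parents catches attacker subdomains such
    as beacon.<bad-domain> that the list does not spell out."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in intel:
            return candidate
    return None


def analyze(log_text, intel):
    """Map each querying endpoint IP to the (qname, matched_entry) pairs it
    produced, in log order. These are the endpoints to investigate."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line in the expected format; skip it
        matched = match_domain(m.group("qname"), intel)
        if matched:
            hits[m.group("ip")].append((m.group("qname").lower(), matched))
    return dict(hits)


def build_rpz_zone(intel, walled_garden_ip, zone_name="rpz.local"):
    """Render an RPZ zone that answers each listed domain and all of its
    subdomains with walled_garden_ip (the RPZ "Local Data" action), the
    synchronous counterpart to the log review performed by analyze()."""
    lines = [
        "$TTL 60",
        f"@ IN SOA {zone_name}. hostmaster.{zone_name}. 1 3600 600 86400 60",
        "@ IN NS localhost.",
    ]
    for domain in sorted(intel):
        lines.append(f"{domain} IN A {walled_garden_ip}")     # exact name trigger
        lines.append(f"*.{domain} IN A {walled_garden_ip}")   # wildcard for subdomains
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, suspect in analyze(SAMPLE_LOG, THREAT_INTEL).items():
        for qname, entry in suspect:
            print(f"investigate {ip}: queried {qname} (matches intel entry {entry})")
    print(build_rpz_zone(THREAT_INTEL, "10.1.1.250"))
```

Run stand-alone, the script lists the two internal endpoints that queried listed domains (the query for `www.example.org` is not flagged) and prints a zone file in which every listed domain and its subdomains resolve to the walled-garden address; loading that zone as a response policy zone on the resolver is what turns the detection into a synchronous block, and the owner names in the zone are exactly the names the resolver will override.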

In this real training for free event, we will explore how to surveil outbound DNS queries to disrupt phishing and cut off malware from command and control servers.

DomainTools is the perfect sponsor for this subject because their secret sauce is their vast database of domain name data and machine learning models for predicting malicious domains. Tim Helming will discuss how to make the most efficient use of the defensive and forensic power of your DNS telemetry, including:

  • How to pre-filter the high volume of DNS resolver traffic to pinpoint the most interesting traffic
  • How to determine what makes that traffic interesting
  • Methods of building DNS-based detections
  • Some of the advantages of DNS-based security policies
  • How DNS-based insights into adversary infrastructure can help provide much more context on potentially malicious traffic flows observed in your environment