Passive DNS Strategies for Aggressive Threat Hunting

Go Back in Time with Farsight DNSDB Scout To Make Connections Today

What good can possibly come from digging up the past? Plenty - if you’re a threat hunter looking for clues between seemingly unrelated assets. As the industry is aware, cybercriminals iterate on their techniques or splinter or reform groups. But they make mistakes, leaving traces of evidence we can use to gain context and make valuable connections. 

In this presentation, DomainTools Chief Information Security Officer (and erstwhile full-time threat hunter) Daniel Schwalbe will cover basic investigative techniques and methodologies for how to use Farsight DNSDB for Threat Hunting. 

Using DNSDB Scout, we’ll show how to easily and quickly uncover previously unknown connections between often overlooked relationships. By using IP addresses and domain names, we can map online infrastructure and share tricks for finding proverbial needles in the Internet haystack! 

Threat hunters will leave this presentation with an introduction to: 

• “Standard Search” and “Flexible Search queries against the DNSDB API
• Using regular expressions for finding patterns in fully qualified domain names and DNS resources
• Techniques for searching content in “lesser known” Resource Record Types such as SOA and TXT