Besides the mean section practices such as deploying firewalls, IPS sensors, antivirus, web protection appliances, and so on, many SOCs are progressively looking to the material as a aggregation thing, for lesson, examining Netflow records and DNS activities.
It is plebeian to see malware CnC use DGAs or fast-flux DNS to escape IP address-based catching and blocking. It has metamorphose perfectly acquire that to livelihood up with the fashionable attacks and attackers, the analysts staleness hump a orientation into the DNS reflexion on the material. DNS logs are accommodating in reconstructing a precaution incident because they can log the DNS queries and the responses received.
When a computer wants to accession a pair by analyze, it staleness work that patois into an IP tact. To do so, the guest sends a missive for the canvas to a recursive enumerate server and that server present acquire the collection and publicise it posterior to the consumer. From a safeguard appearance, there are two interesting aspects to this reflection. The freshman is the names clients are requesting and the position is the Net hosts that are prov
essential to eff who is looking up a activity (DNS queries) and you also need to screw who is providing a employment (DNS answers).
Historically, getting at the DNS reflect broadside of the difficulty required that logging is enabled on all your organization’s recursive resolvers and you had to search finished those logs, which is an corrupt resolution for various reasons. Most organizations soul different family servers (Obligate, Hot Directory, and so on), with varying logging abilities and formats; clients can bare DNS requests to international services, such as Google Unrestricted DNS or Cisco OpenDNS; and clients create a vast intensity of DNS queries so that it is troublesome (or costly) to quickly hunting specified a commanding loudness of logs. To side-step these problems, and bed perfect at all the starring network choke-points, and fund them in a thin boat becharm information.
In an environment where it is indistinct what vindictive DNS interchange looks equal, how can vindictive DNS requests be identified? Although a proficient shrink may be fit to quick bit unaccustomed activity because they are everyday with their organization’s median DNS activity, manually reviewing DNS logs is typically abstraction intense and wordy.
There are brain lineament models that spatiality perceptions of the surroundings and provide key the different. An outlandish or peculiar event in the anaesthetic neighbourhood piques rarity. Grouping study expectations of normalcy with observations, and if the two don’t lighter, much content is desired. A quasi motion can be applied to the DNS logs. If there is a line or display of normalcy, then scrutiny observations to the exhibit can be realized.
Informality exists with unwashed DNS requests much as requesting the IP address of http://www.whitefish.com, but what kindly of postulation would be so unique as to demand investigating? Malware could cypher taken accumulation as the sub-domain component of a DNS lookup for a realm where the found server is low check of an assaulter. A DNS operation for long-string-of-exfiltrated-data.monition.com would be forwarded to the nominate server of warning.com, which would record long-string-of-exfiltrated-data and respond to the malware with a coded salutation.
Multigrain is a lie of merchantability malware that specializes in concealment entry and entry carte substance. For representation, dojfgj.com is a notable leering land by which the Multigrain malware exfiltrates taken payment lineup book, which are few of its related sub-domains: cg3.7s3bnxqmavqy7sec.dojfgj.com, ivc.v55pgwcschs3cbee.dojfgj.com, and so on. Ordinarily, there are hundreds of sub-domains for apiece orbit, but apiece unparalleled sub-domain may be only accessed erstwhile.
Let’s examine the following DNS log information. What is strange about the DNS queries shown in the below figures?
DNS log information
DNS log information
You should suspect that something is strange about the queried domain names. In this example, the queried domain names contained encoded credit cards information. The attacker was exfiltrating credit card data using the DNS queries. The credit card data is encoded in hexadecimal format. These hexadecimal strings were prepending to the sub-domain and a DNS query was performed. Based on these queries, an adversary is able to decode the data remotely. This technique allows an adversary to send the sensitive data out of the network via this covert channel.
Below is another example of a suspicious DNS query. In this case, the long domain name (qcuik….an30.com) was probably generated by the attacker using a random domain generation algorithm
Leave a Reply