Home / Blogs

Persistent Threat Detection on a Budget

Gunter Ollmann

If there's one simple — high impact — thing you could do to quickly check whether your network has been taken over by a criminal entity, or uncover whether some nefarious character is rummaging through your organizations most sensitive intellectual property out of business hours, what would it be? In a nutshell, I'd look to my DNS logs.

It's staggering to me how few security teams have gotten wise to regularly interrogating the logs from their recursive DNS servers. In many ways DNS logging can be considered sprinkling flour on the floor to track the footsteps of the culprit who's been raiding the family fridge. Each step leaves a visible impression of where and how the intruder navigated the kitchen, and their shoe size.

Whenever an electronic intruder employs their tools to navigate your network, tries to connect back to their command and control server, or attempts to automatically update the malicious binaries they've installed upon the system they have control over (or wish to control), those victim devices tend to repeatedly resolve the domain names that that attacker is operating from. Therefore, armed with a list of known bad domain names and/or IP addresses, it's a trivial task to mine the DNS logs and identify any successful intrusions.

Depending upon how authoritative your "blacklist" of criminal domains is, and how picky you are about the IP destinations that the domain names are resolving to, you can rapidly spot those nefarious shoe impressions in the flour.

One word of caution though, this isn't a comprehensive technique for detecting persistent threats operating within your network — but it is one of the simplest! It also has the highest impact — particularly if you're operating on a shoestring budget.

An obvious limitation of DNS log mining is the depth and accuracy of the blacklist you're matching DNS events to — so you'll want to ensure that the list you're using covers the types and classes of threats you're most interested in detecting. While there are plenty of free blacklists out there, the vast majority of them deal with spam, phishing and drive-by hosts… so you'll want to invest some time shopping around a little.

Here are a few tips to using DNS as a means of detecting persistent threats (advanced or otherwise):

  • Turn DNS logging on! Seriously, do it now… you can read the rest of this blog after you've turned it on.
  • Select a bunch of relevant blacklists that contain malicious domains associated with the threats (and criminal actors) you're most interested in.
  • Create a list of IP address ranges for countries, companies or regions that computer systems within your organization shouldn't be communicating with, and use this as a second-pass filter for spotting other unwanted or likely malicious traffic.
  • Scrape your DNS logs frequently — ideally at least once per week.
  • If you're worried about a handful of specific threats (e.g. a criminal operator or state that is likely targeting your organization), scrape your DNS logs for relevant domain names hourly — and alert upon their discovery.
  • Even if you're only scraping you're DNS logs weekly, don't throw them away after you're done. Try to keep your DNS logs for multiple years at least. (Note: DNS logs compress to almost nothing — so they're not going to take up much space).
  • Consider scraping all the older logs (going back up to 5 years) once a month or so. New domains will be added to the blacklists you're using over time, and new intelligence can shed new insight in to past intrusions. It'll also help to establish when the intruder first compromised your network when you do find one.
  • If your DNS server allows it, turn on logging of "failed" lookups — i.e. NX domain requests. While these events won't help in your blacklist lookups, they will help identify malware families that make use of domain generation algorithms (DGA) as well as "broken" applications within your network that need some tuning in finding their legitimate destinations.

DNS log scraping can be conveniently done off-line through simple batch script processing. So the impact on the team responsible for securing the corporate infrastructure is minimal after a nominal development investment.

If you're not happy with the quality of the blacklist you'll be able to bring to bear in uncovering the persistent threats likely already operating within your environment, or if it would be helpful to do a "one-off" check of your DNS logs and to help build the internal business case for investing in a more permanent detection solution, let me know. I'll happily introduce you to our team at Damballa Labs that can help (they could also detect those pesky DGA-based infections too).

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Cyberattack, Cybersecurity, DNS

 
   

Don't miss a thing – get the Weekly Wrap delivered to your inbox.

Comments

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

Verisign

Cybersecurity

Sponsored by Verisign
Afilias

DNS Security

Sponsored by Afilias
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll