Activeboard: Threat Hunting by DNS


Introduction

The Threat Hunting by DNS Activeboard allows you to identify and investigate potential threats by analyzing patterns in DNS (Domain Name System) queries and responses.

This activeboard not only aids in uncovering advanced threats but also provides actionable insights to improve your organization's overall security posture.

Prerequisites

To use this Activeboard, you must have the following data sources available on your domain:

  • UmbrellaTop1M

  • mispIndicator

  • CollectiveDefense

  • DynamicDNS

Use Cases

IT Operations

  • Traffic Optimization: Monitor DNS traffic trends to identify and optimize traffic flow within the network.

  • Resource Utilization: Track top queried domains and geolocation data to ensure efficient resource allocation and load balancing.

  • Troubleshooting: Diagnose issues such as DNS misconfigurations, service outages, or latency problems.

Security Operations

  • Anomaly Detection: Identify unusual behaviors such as DNS tunneling or dynamic domain usage that could indicate malicious activities.

  • Threat Intelligence Correlation: Detect known malicious domains and integrate them with external threat feeds for proactive defense.

  • Risk Assessment: Generate risk scores based on DNS query characteristics, such as domain length, entropy, and patterns.

  • Incident Response: Use investigation tools and DNS data correlations to facilitate faster and more accurate incident investigations.

Included Widget Descriptions

Core Metrics and Summaries


Top Queried Domains

This section displays the most frequently queried domains within the organization. Analysts can use this data to:

  • Identify popular services or websites used by employees.

  • Detect potential misuse or unusual traffic spikes to specific domains.

Query Types Distribution

Breakdown of DNS query types (e.g., A, AAAA, MX, TXT). Use cases include:

  • Identifying atypical query types, such as a high volume of TXT queries often used in DNS tunneling.

  • Monitoring DNS activity trends and understanding the nature of queries.

Flags Distribution

Visualizes DNS flag distributions, such as response codes (NXDOMAIN, NOERROR). Key benefits include:

  • Pinpointing misconfigurations or issues causing failed resolutions.

  • Detecting suspicious patterns, such as frequent SERVFAIL responses.

Geolocation of Clients

Maps DNS queries to geographic locations based on client IPs. This helps:

  • Detect anomalous traffic from unexpected regions.

  • Monitor legitimate usage patterns for operational insights.


Behavior Insights

Unusual DNS Tunneling Detection

Detects patterns indicative of DNS tunneling, such as:

  • High query volumes to a single domain.

  • Use of uncommon query types (e.g., TXT).

  • Anomalous domain lengths or entropy.

Unusual Subdomain Amount

Highlights domains with an abnormal number of subdomains, which may indicate:

  • Command and Control (C2): Adversaries often use DNS as a C2 channel to send commands to or receive data from infected systems. These DNS queries may include encoded information and rely on numerous subdomains to evade detection.

  • Domain Generation Algorithm (DGA): Attackers use algorithms to generate numerous random or semi-random domain names, enabling malware to frequently change C2 servers. DGAs are resilient to domain takedowns and allow adversaries to maintain persistence.


Threat Intelligence Integration

Known Malicious Activity

Cross-references DNS queries with threat intelligence feeds to:

  • Identify known malicious domains based on MISP data and Devo Collective Defense Threat Feed.

  • Detect phishing sites, malware domains, and botnet C2 servers.

Dynamic Domains

Monitors domains associated with dynamic DNS (DDNS) services, which allow the IP address associated with a domain name to change dynamically. This flexibility is useful for legitimate purposes, such as hosting servers on dynamic IPs, but is also exploited by adversaries for:

  • Malware Campaigns: Attackers use DDNS to host malicious infrastructure that can evade detection due to frequent IP changes.

  • Fraudulent Activities: Dynamic domains are commonly abused in phishing and scam campaigns.

  • Content Filter Bypass: Internal systems may inadvertently use DDNS services to bypass corporate filtering policies.

OOTB Alerts DNS-Related

Aggregates all Out-of-the-Box (OOTB) alerts mapped to DNS-related MITRE ATT&CK techniques, such as:

  • Phishing (T1566): Look for suspicious DNS activity tied to phishing campaigns.

  • Dynamic Resolution (T1568): Detect adversaries dynamically changing DNS resolution to evade detection.

  • Exfiltration Over Alternative Protocol (T1048): Uncover data exfiltration attempts through DNS.

  • Application Layer Protocol (T1071): Monitor DNS usage for potential covert communication.


Investigation & Correlation

Risk Scoring Based on Domain Features

Generates a risk value for each domain by analyzing the following attributes:

  • Domain Length: Longer domains can indicate Domain Generation Algorithm (DGA) usage, as generated domains are often lengthy and complex.

  • Number of Subdomains: Excessive subdomains may signal tunneling or Command and Control (C2) traffic, as adversaries often use many subdomains to encode data or distribute communication.

  • Domain Entropy: High entropy domains suggest randomness, often seen in DGAs, which create unique, unpredictable domain names for evasion.

  • Number of Digits and Hyphens: Unusual patterns in digits or hyphens may indicate malicious domains generated by DGAs or used in obfuscation.

  • Consonant-to-Vowel Ratio: Abnormal ratios suggest non-human-readable domain names, often a hallmark of generated or malicious domains.

  • Suspicious Top-Level Domain (TLD): Identifies domains with TLDs associated with known malicious activities or low-reputation regions, enhancing the precision of risk evaluation.

  • Is Top1M Top Level Domain: Validates if the domain belongs to the top 1 million globally recognized domains, helping prioritize analysis of less common or potentially malicious domains.

This scoring mechanism helps prioritize domains for further investigation and ensures a focus on high-risk activities.
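The attributes listed above (and the length, subdomain-count and entropy signals from the Behavior Insights widgets), as an added worked example that is not Devo's own scoring logic: the Python below extracts each feature from an FQDN and combines them with assumed thresholds and equal weights. The suspicious-TLD set and the Top1M set are constructed stand-ins for a reputation list and the UmbrellaTop1M lookup; the reserved .test TLD is used so no real domain is named.

```python
import math
from collections import Counter

# Assumed, illustrative lists (not Devo's): a stand-in for a low-reputation TLD
# list and for the UmbrellaTop1M lookup keyed by registered domain.
SUSPICIOUS_TLDS = {"test"}
TOP1M = {"example.com", "example.org"}


def shannon_entropy(s):
    """Bits per character; random-looking DGA labels score high."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def domain_features(fqdn):
    labels = fqdn.lower().rstrip(".").split(".")
    tld = labels[-1]
    registered = ".".join(labels[-2:])          # e.g. example.com
    name = ".".join(labels[:-1])                # everything left of the TLD
    letters = [c for c in name if c.isalpha()]
    vowels = sum(1 for c in letters if c in "aeiou")
    consonants = len(letters) - vowels
    return {
        "length": len(fqdn),
        "subdomains": max(len(labels) - 2, 0), # labels left of the registered domain
        "entropy": shannon_entropy(name.replace(".", "")),
        "digits_hyphens": sum(c.isdigit() or c == "-" for c in name),
        "cv_ratio": consonants / vowels if vowels else float(consonants),
        "suspicious_tld": tld in SUSPICIOUS_TLDS,
        "in_top1m": registered in TOP1M,
    }


def risk_score(f):
    """Assumed scoring: one point per triggered feature, 0..7 (thresholds are guesses)."""
    hits = [
        f["length"] > 30,
        f["subdomains"] > 2,
        f["entropy"] > 3.5,
        f["digits_hyphens"] > 4,
        f["cv_ratio"] > 3.0,
        f["suspicious_tld"],
        not f["in_top1m"],
    ]
    return sum(hits)


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and a DGA/tunneling-style name.
    for d in ("www.example.com", "q7x2k9v4z1m8b3.n5p0.a1b2.example.test"):
        print(d, risk_score(domain_features(d)))
```

Triage by sorting domains on the returned score and pivoting into the matching widgets for the highest-scoring ones.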