Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY DNS DFIR: You’re Doing it WRONG

Andrew Hay
April 13, 2016
Technology
0
120

DIY DNS DFIR: You’re Doing it WRONG

DNS is one of those protocols that we, as DFIR practitioners, take for granted. Operationally, if DNS resolution is working properly, we're happy. Many organizations, however, fail to utilize DNS logs and associated intelligence within their response and investigative activities. This is in part due to the perceived lack of value associated with DNS logs and its associated features, such as name server, WHOIS, and hosting information, and more often due to the unavailability of the logs. This talk will present several tools (both commercial and open source) to help manage the deluge of information on even the smallest of budgets. We will also discuss how to enrich your data with valuable intelligence from freely available sources. Finally, this talk will highlight some real world investigative techniques where DNS and its associated features were used to add clarity to DFIR investigations.

Andrew Hay

April 13, 2016
Tweet

More Decks by Andrew Hay

See All by Andrew Hay
“I” Before “R” Except After “IOC”
andrewsmhay
1
120
An Introduction to Graph Theory for Security People Who Can’t 'Math Good'
andrewsmhay
0
270
An Introduction to Graph Theory for OSINT
andrewsmhay
2
1.9k
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
770
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
650
Building a Security Strategy Without a Security Staff
andrewsmhay
2
130
CircleCityCon - Bootstrapping a Security Research Project
andrewsmhay
0
77
Facilitating Fluffy Forensics 2.0
andrewsmhay
0
75
15 Years Later – Data Awareness In A Post Robert Hanssen World
andrewsmhay
0
86

Other Decks in Technology

See All in Technology
AI長期記憶システム構築のための LLMマルチエージェントの取り組み / Awarefy-LLM-Multi-Agent
iktakahiro
2
350
State of Open Source Web Mapping Libraries
dayjournal
0
200
Mini Tokyo 3D × PLATEAU - 公共交通デジタルツインにリアルな風景を
nagix
1
230
ジョブマッチングサービスにおける相互推薦システムの応用事例と課題
hakubishin3
3
620
20241108_CS_LLMMT
shigashiyama
0
250
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
2
150
AWS パートナー企業でテクニカルサポートに従事して 3年経ったので思うところをまとめてみた
kazzpapa3
1
220
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
110
形式手法の 10 メートル手前 #kernelvm / Kernel VM Study Hokuriku Part 7
ytaka23
5
750
地理情報データをデータベースに格納しよう~ GPUを活用した爆速データベース PG-Stromの紹介 ~
sakaik
1
110
Redmine 6.0 新機能評価ガイド
vividtone
0
260
Microsoft Fabric OneLake の実体について
ryomaru0825
0
190

Featured

See All Featured
Building an army of robots
kneath
302
42k
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Agile that works and the tools we love
rasmusluckow
327
21k
KATA
mclloyd
29
14k
4 Signs Your Business is Dying
shpigford
180
21k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
820
We Have a Design System, Now What?
morganepeng
50
7.2k
Six Lessons from altMBA
skipperchong
27
3.5k
How STYLIGHT went responsive
nonsquared
95
5.2k
Side Projects
sachag
452
42k
Navigating Team Friction
lara
183
14k

Transcript

  1. DIY DNS DFIR: You’re Doing it WRONG Andrew Hay, CISO

    DataGravity, Inc. [email protected] twitter.com/andrewsmhay

  2. 2 About Me • Andrew Hay – Chief Information Security

    Officer (CISO) @ – Former: • Director of Research @ • Chief Evangelist & Director of Research @ • Senior Security Analyst @ – Wrote some books, blog occasionally, and give Rob a hard time on Twitter

  3. 3 Overview • Whirlwind tour of DNS • Why DNS

    is so valuable for TH and IR • Real world example • Available tools • Summary

  4. Whirlwind tour of DNS Hang on tight!

  5. 5 Overview • The Domain Name System (DNS) is one

    of the most essential parts of the Internet’s infrastructure – Some might say it’s the plumbing J • By using DNS, you can connect to a website without having to know the website’s IP address. – After all, who wants to remember every website’s IP address • Recursive vs. Authoritative – Authoritative DNS nameservers are responsible providing answers to recursive DNS nameservers with the IP “mapping” of the intended website

  6. 6 What DNS Looks Like • Recursive DNS nameservers –

    Responsible for providing the proper IP address of the intended domain name to the requesting host. • Authoritative DNS nameservers – responsible providing answers to recursive DNS nameservers with the IP “mapping” of the intended website

  7. Why DNS is so valuable For threat hunting and incident

    response

  8. 8 Why DNS is so valuable • The more data

    you have, the better suited you are to CONSTRUCT A TIMELINE of events • At the VERY LEAST you should be able to MAKE MORE INFORMED DECISIONS • DNS traffic is often the most overlooked and undervalued network-based data source

  9. 9 Why DNS is so valuable • DNS shows you…

    – What domains are being looked up by humans and machines – The frequency at which domains are being looked up – What parts of the world (based on TLD) your systems are trying to hit – Wheather or not the domains being queried are live – If subsequent queries (redirects) are made as a result of a particular query – Wheather or not the queries are attempting to resolve fradulent/phishing sites

  10. 10 Why DNS is so valuable – DGA Detection •

    Domain Generation Algorithm (DGA) – Used to generate domains programmatically • Typically rely on a seed of some sort – Date, time, keyword, etc. • Allows for the registration of domains that no human would ever type

  11. 11 Why DNS is so valuable – DGA Detection •

    Frequently used by malware for dynamic C&C generation • Example – Dyre DGA algorithm – Provided by Talos

  12. 12 Why DNS is so valuable – DGA Detection •

    Also used for marketing campaigns – e.g. Marketo – http://100-AEK-913.mktorest.com/rest/v1/lead/{id}.json

  13. 13 Why DNS is so valuable – Redirects

  14. Real world example Of using DNS for threat hunting and

    incident response

  15. 15 Real World Example: Xerox Printers • Noticed a rather

    odd domain name being beaconed out to: xeroxdiscoverysupernode3.com – Malware? – Phishing? – Drive update site? – Too long to be valid, right? • Domain was not even registered! – Used OpenDNS Investigate – xeroxdiscoverysupernode[1-3].com were each seeing ~2,000 queries per hour

  16. 16 Real World Example: Xerox Printers • Google showed these

    domains as being related to Xerox® WorkCentre® 5845/5855/5865/5875/5890 and 7000-series line of printers • Origin of beaconing was from the McAfee ePolicy Orchestrator (ePO) security module

  17. 17 Real World Example: Xerox Printers Not inexpensive printers…

  18. 18 Real World Example: Xerox Printers • So what were

    they doing? • They were trying to do a handshake – …over the Internet – …because that’s where DNS said the server was.

  19. 19 Real World Example: Xerox Printers • Printers querying from

    all over the world! • Long story short… – Xerox printers querying out to the Internet – Documentation says to configure the xeroxdiscoverysupernode[1-3] domains to point internally – Obviously not everyone read the instructions

  20. 20 Real World Example: Xerox Printers • Registered the domains,

    pointed to a VPS, and monitored traffic.

  21. 21 Real World Example: Xerox Printers • Domains sinkholed(at OpenDNS)

    • Blog post released – http://labs.opendns.com/2014/05/01/xerox-printer-beacons/ • All fixed now, right?

  22. 22 Real World Example: Xerox Printers

  23. Available tools Free and commercial

  24. 24 Free Tools • PassiveTotal – Passive DNS threat-analysis platform

    – https://www.passivetotal.org/ • Site24x7 – Generate a DNS Report for a domain – https://www.site24x7.com/dns-lookup.html • DNSstuff Toolbox – Various tools related to DNS intelligence – http://www.dnsstuff.com/tools

  25. 25 Free Tools (Continued…) • Domaintools – Whois lookup, other

    features for a price – http://research.domaintools.com/ • Elasticsearch, Logstash, Kibana (ELK) – Take data from any source, any format and search, analyze, and visualize it – https://www.elastic.co/ • Graylog – “Open source log management that actually works.” – https://www.graylog.org/

  26. 26 Commercial Tools • PassiveTotal Enterprise (by RiskIQ) – Geared

    towards the enterprise – https://www.passivetotal.org/enterprise • Domaintools – Domain, DNS and Internet OSINT-based cyber threat intelligence (14yrs worth) – http://domaintools.com/ • OpenDNS Investigate – View of Internet domains, IPs, and ASNs – https://www.opendns.com/enterprise- security/threat-intelligence/

  27. Summary This is the end my friends…

  28. 28 Collect DNS query logs Observe network/malware/system comms during incident

    Query/Reference stored DNS to determine scope and scale of exposure Use third-party tools to enrich your findings Eliminate irrelevant communications and investigation targets Isolate queries related to investigation But Before We Go… • I wanted to leave you with a workflow for THIR w/DNS • Hopefully this helps you wrap your heads around how to employ DNS logs during investigations

  29. 29 Summary • DNS is one of the core protocols

    used on the Internet – And by Internet-connected devices – So…like...use it to your benefit, bro! • DNS can be used to focus your investigation and create a timeline of related events/actions • Wealth of tools (free and commercial) available to help generate intelligence and corroborate information for use in your investigations

  30. Questions? Contact me at [email protected] @andrewsmhay