Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DIY DNS DFIR: You’re Doing it WRONG

Andrew Hay
April 13, 2016
Technology
0
110

DIY DNS DFIR: You’re Doing it WRONG

DNS is one of those protocols that we, as DFIR practitioners, take for granted. Operationally, if DNS resolution is working properly, we're happy. Many organizations, however, fail to utilize DNS logs and associated intelligence within their response and investigative activities. This is in part due to the perceived lack of value associated with DNS logs and its associated features, such as name server, WHOIS, and hosting information, and more often due to the unavailability of the logs. This talk will present several tools (both commercial and open source) to help manage the deluge of information on even the smallest of budgets. We will also discuss how to enrich your data with valuable intelligence from freely available sources. Finally, this talk will highlight some real world investigative techniques where DNS and its associated features were used to add clarity to DFIR investigations.

Andrew Hay

April 13, 2016
Tweet

More Decks by Andrew Hay

See All by Andrew Hay
“I” Before “R” Except After “IOC”
andrewsmhay
1
100
An Introduction to Graph Theory for Security People Who Can’t 'Math Good'
andrewsmhay
0
260
An Introduction to Graph Theory for OSINT
andrewsmhay
2
1.8k
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
750
The Not-So-Improbable Future of Ransomware
andrewsmhay
0
640
Building a Security Strategy Without a Security Staff
andrewsmhay
2
120
CircleCityCon - Bootstrapping a Security Research Project
andrewsmhay
0
74
Facilitating Fluffy Forensics 2.0
andrewsmhay
0
74
15 Years Later – Data Awareness In A Post Robert Hanssen World
andrewsmhay
0
76

Other Decks in Technology

See All in Technology
「スニダン」開発組織の構造に込めた意図 ~組織作りはパッションや政治ではない!~
rinchsan
3
570
非同期推論システムによるコスト削減と信頼性向上
koki_nishihara
0
260
Azureの基本的な権限管理の勉強会
yhana
0
490
Building Dashboards as a Hobby
egmc
0
220
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
220
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
250
よく聞くけど使ったことないソフトウェアNo.1 KafkaとSnowflake
foursue
4
360
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
5
390
長期間TiDBを使ってきた話 @ 私たちはなぜNewSQLを使うのかTiDB選定5社が語る選定理由と活用LT / Experiences with TiDB Over Time
chibiegg
2
900
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
Janus
bkuhlmann
1
490

Featured

See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
116
18k
Building Your Own Lightsaber
phodgson
99
5.7k
The Illustrated Children's Guide to Kubernetes
chrisshort
31
46k
It's Worth the Effort
3n
180
27k
Art, The Web, and Tiny UX
lynnandtonic
289
19k
Producing Creativity
orderedlist
PRO
337
39k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
30
6k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Designing for humans not robots
tammielis
248
25k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3.1k

Transcript

  1. DIY DNS DFIR: You’re Doing it WRONG Andrew Hay, CISO

    DataGravity, Inc. [email protected] twitter.com/andrewsmhay

  2. 2 About Me • Andrew Hay – Chief Information Security

    Officer (CISO) @ – Former: • Director of Research @ • Chief Evangelist & Director of Research @ • Senior Security Analyst @ – Wrote some books, blog occasionally, and give Rob a hard time on Twitter

  3. 3 Overview • Whirlwind tour of DNS • Why DNS

    is so valuable for TH and IR • Real world example • Available tools • Summary

  4. Whirlwind tour of DNS Hang on tight!

  5. 5 Overview • The Domain Name System (DNS) is one

    of the most essential parts of the Internet’s infrastructure – Some might say it’s the plumbing J • By using DNS, you can connect to a website without having to know the website’s IP address. – After all, who wants to remember every website’s IP address • Recursive vs. Authoritative – Authoritative DNS nameservers are responsible providing answers to recursive DNS nameservers with the IP “mapping” of the intended website

  6. 6 What DNS Looks Like • Recursive DNS nameservers –

    Responsible for providing the proper IP address of the intended domain name to the requesting host. • Authoritative DNS nameservers – responsible providing answers to recursive DNS nameservers with the IP “mapping” of the intended website

  7. Why DNS is so valuable For threat hunting and incident

    response

  8. 8 Why DNS is so valuable • The more data

    you have, the better suited you are to CONSTRUCT A TIMELINE of events • At the VERY LEAST you should be able to MAKE MORE INFORMED DECISIONS • DNS traffic is often the most overlooked and undervalued network-based data source

  9. 9 Why DNS is so valuable • DNS shows you…

    – What domains are being looked up by humans and machines – The frequency at which domains are being looked up – What parts of the world (based on TLD) your systems are trying to hit – Wheather or not the domains being queried are live – If subsequent queries (redirects) are made as a result of a particular query – Wheather or not the queries are attempting to resolve fradulent/phishing sites

  10. 10 Why DNS is so valuable – DGA Detection •

    Domain Generation Algorithm (DGA) – Used to generate domains programmatically • Typically rely on a seed of some sort – Date, time, keyword, etc. • Allows for the registration of domains that no human would ever type

  11. 11 Why DNS is so valuable – DGA Detection •

    Frequently used by malware for dynamic C&C generation • Example – Dyre DGA algorithm – Provided by Talos

  12. 12 Why DNS is so valuable – DGA Detection •

    Also used for marketing campaigns – e.g. Marketo – http://100-AEK-913.mktorest.com/rest/v1/lead/{id}.json

  13. 13 Why DNS is so valuable – Redirects

  14. Real world example Of using DNS for threat hunting and

    incident response

  15. 15 Real World Example: Xerox Printers • Noticed a rather

    odd domain name being beaconed out to: xeroxdiscoverysupernode3.com – Malware? – Phishing? – Drive update site? – Too long to be valid, right? • Domain was not even registered! – Used OpenDNS Investigate – xeroxdiscoverysupernode[1-3].com were each seeing ~2,000 queries per hour

  16. 16 Real World Example: Xerox Printers • Google showed these

    domains as being related to Xerox® WorkCentre® 5845/5855/5865/5875/5890 and 7000-series line of printers • Origin of beaconing was from the McAfee ePolicy Orchestrator (ePO) security module

  17. 17 Real World Example: Xerox Printers Not inexpensive printers…

  18. 18 Real World Example: Xerox Printers • So what were

    they doing? • They were trying to do a handshake – …over the Internet – …because that’s where DNS said the server was.

  19. 19 Real World Example: Xerox Printers • Printers querying from

    all over the world! • Long story short… – Xerox printers querying out to the Internet – Documentation says to configure the xeroxdiscoverysupernode[1-3] domains to point internally – Obviously not everyone read the instructions

  20. 20 Real World Example: Xerox Printers • Registered the domains,

    pointed to a VPS, and monitored traffic.

  21. 21 Real World Example: Xerox Printers • Domains sinkholed(at OpenDNS)

    • Blog post released – http://labs.opendns.com/2014/05/01/xerox-printer-beacons/ • All fixed now, right?

  22. 22 Real World Example: Xerox Printers

  23. Available tools Free and commercial

  24. 24 Free Tools • PassiveTotal – Passive DNS threat-analysis platform

    – https://www.passivetotal.org/ • Site24x7 – Generate a DNS Report for a domain – https://www.site24x7.com/dns-lookup.html • DNSstuff Toolbox – Various tools related to DNS intelligence – http://www.dnsstuff.com/tools

  25. 25 Free Tools (Continued…) • Domaintools – Whois lookup, other

    features for a price – http://research.domaintools.com/ • Elasticsearch, Logstash, Kibana (ELK) – Take data from any source, any format and search, analyze, and visualize it – https://www.elastic.co/ • Graylog – “Open source log management that actually works.” – https://www.graylog.org/

  26. 26 Commercial Tools • PassiveTotal Enterprise (by RiskIQ) – Geared

    towards the enterprise – https://www.passivetotal.org/enterprise • Domaintools – Domain, DNS and Internet OSINT-based cyber threat intelligence (14yrs worth) – http://domaintools.com/ • OpenDNS Investigate – View of Internet domains, IPs, and ASNs – https://www.opendns.com/enterprise- security/threat-intelligence/

  27. Summary This is the end my friends…

  28. 28 Collect DNS query logs Observe network/malware/system comms during incident

    Query/Reference stored DNS to determine scope and scale of exposure Use third-party tools to enrich your findings Eliminate irrelevant communications and investigation targets Isolate queries related to investigation But Before We Go… • I wanted to leave you with a workflow for THIR w/DNS • Hopefully this helps you wrap your heads around how to employ DNS logs during investigations

  29. 29 Summary • DNS is one of the core protocols

    used on the Internet – And by Internet-connected devices – So…like...use it to your benefit, bro! • DNS can be used to focus your investigation and create a timeline of related events/actions • Wealth of tools (free and commercial) available to help generate intelligence and corroborate information for use in your investigations

  30. Questions? Contact me at [email protected] @andrewsmhay