Threat Hunting with DNS – TOP 5 IOCs

DNS has an important role in how end users in your enterprise connect to the internet. DNS is a very important part of an network architecture. Without DNS we would have to memorize all the IP addresses of all the websites we want to use, and believe me that scenario is not friendly e.g. Imagine you have to memorize all the phone numbers that we would want dial to.

Everything that is online uses DNS as a common practice. This includes web browsers, web apps, and even malware. The Malware needs to communicate to its master server for instructions and attackers are well versed in using DNS tricks to avoid detection.

In short, both the “good” the “bad” actors use DNS; there’s no way around it. These breadcrumbs can be used to trace the activity and origin. And these breadcrumbs live in the DNS logs.

Below are some IOC – Indicators Of Compromise that originate in the DNS traffic.

Abnormal Volume of DNS Queries

The first step and the most primary step we can take is to monitor the volume of DNS Queries. Unusual amount of DNS queries generated towards per IP or per domain can indicate traffic being generated to command and control centers. We should be on alert a threat may be present when we see unusual amount of DNS Queries.

Excessive failure of DNS Queries

Malwares that are present on the network will always try to communicate to its CnC to receive instructions. They must rely on DNS to communicate to the domain name. Attackers generally craft the malwares with DGA (Domain Generation Algorithms) through which the malware can communicate to a different domain every time the previous domain gets blocked by security teams.

In such scenarios, it is important to monitor the failed DNS queries, as most security devices will block malicious communication once discovered.

Monitoring for Fast Flux Domains

Fast flux DNS is a technique that a cybercriminal can use to prevent identification of his key host server’s IP address. By abusing the way the domain name system works, the criminal can create a botnet.  In it’s simplest form, malware authors register hundreds (or thousands) of IP address for a given domain.

Monitoring for the DNS requests to for particular domains having multiple ip addresses can play a key role in identifying presence of a malicious actor inside the network.

Unusual Domain Names

The another fact with malwares with DGA, mentioned earlier, is that they generally tend to use random strings in the domain names. For example, asjhdkasjdhasjkajs.net or  kajsasjdnassdiuej.ru . These domains cannot be caught by SIEMs or other monitoring solutions as they are all legit. But these are easy to be caught by human eyes. The only downside is that there are too many DNS records to check manually. They are simply too many and they change every day.

Watch out for top level misspelt domains

This is an age-old and extremely popular trick used by scammers. Also a platform to phishing attacks, using familiar looking domains such as gnail.com or yah0o.com is a most common way to evade human eyes. This creates another problem for analysts who might not give a second glance to, since they would be assumed to legitimate services.

Once a threat is on a network, it still needs to communicate to the outside world. These communication are actively stopped by modern security devices. Security devices are capable of identifying and stopping the threats, but this is alarming. Security professionals, especially threat hunters should use this data to begin their hunts.

While attackers may be using tricks to get around being detected, by investigating a combination of the unusual DNS requests above you should be able to begin a successful threat investigation at least if not conclude it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.