Employing DNS in network security

Revealing Traces

Automated Counter to Hackers

The most advanced companies and vendors feed DNS telemetry data, also known as passive DNS, into data stores and then have machine learning algorithms analyze it. Sophisticated algorithms can detect various types of malicious activity in passive DNS data, including, for example, requests generated by a domain generation algorithm (DGA): code that automatically creates a list of domains that malware clients use to communicate with a number of command-and-control (C&C) sites.

These domains serve as a meeting point for malware- and hacker-controlled servers, which communicate covertly over a backhaul network. Once IT security detects and blocks one of the DGA domains, the malware client and C&C server move on to the next domain on the list to bypass the defenses. The defense algorithm, however, can detect patterns in the newly generated domain names and identify them directly as threats.
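The following is an added example, not code from the article or from Infoblox, of the kind of pattern check described above in its simplest form: instead of a trained model it applies a handful of lexical heuristics (label length, character entropy, vowel ratio, longest run of non-vowels, digit share) to each queried name in a passive DNS feed and then flags clients that produce a burst of such names, which is what a DGA walking its list looks like. The log format, the IP addresses and the domain names are constructed for the example; the treatment of the second-to-last label as the registrable part is a simplification (a real implementation would consult the public suffix list), and the thresholds are illustrative starting points, not tuned values.

```python
"""Heuristic DGA detector over passive DNS records (added example, not from the article)."""
import math
import re
from collections import Counter

# Constructed passive DNS sample in a hypothetical whitespace-separated format:
# <timestamp> <client-ip> <query-name> <rcode>. All names and addresses are made up.
PASSIVE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02Z 10.0.0.5 mail.example.org NOERROR
2024-01-01T10:00:03Z 10.0.0.7 xk3q9zv1pmw8.net NXDOMAIN
2024-01-01T10:00:04Z 10.0.0.7 qwtrbzhjklfp.com NXDOMAIN
2024-01-01T10:00:05Z 10.0.0.7 zxpqvrtnmlkw.org NXDOMAIN
2024-01-01T10:00:06Z 10.0.0.9 docs.python.org NOERROR
"""

VOWELS = set("aeiou")


def registrable_label(qname):
    """Return the label directly left of the TLD. Simplification: a real
    detector would use the public suffix list so that co.uk-style suffixes work."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_label(label):
    """Count how many DGA-like traits a label shows (0 = looks like a word)."""
    if not label:
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    # Digits count as non-vowels here, so "xk3q9zv1pmw8" is one long run.
    longest_nonvowel_run = max(len(m) for m in re.findall(r"[^aeiou]+", label) or [""])
    traits = [
        len(label) >= 10,                      # illustrative thresholds
        shannon_entropy(label) >= 3.0,
        vowel_ratio < 0.2,
        longest_nonvowel_run >= 5,
        digit_ratio > 0.15,
    ]
    return sum(traits)


def parse_records(log_text):
    """Yield (client, qname, rcode) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole feed
        _timestamp, client, qname, rcode = parts
        yield client, qname, rcode


def suspicious_by_client(log_text, min_traits=3):
    """Map each client to the DGA-looking query names it sent."""
    hits = {}
    for client, qname, _rcode in parse_records(log_text):
        if score_label(registrable_label(qname)) >= min_traits:
            hits.setdefault(client, []).append(qname)
    return hits


def flag_clients(log_text, min_hits=2):
    """Clients with at least min_hits DGA-looking lookups. One odd name is noise;
    a burst of them (typically answered NXDOMAIN) is the DGA walking its list."""
    hits = suspicious_by_client(log_text)
    return sorted(client for client, names in hits.items() if len(names) >= min_hits)


if __name__ == "__main__":
    for client, names in suspicious_by_client(PASSIVE_DNS_LOG).items():
        print(client, names)
    print("flagged:", flag_clients(PASSIVE_DNS_LOG))
```

Run against the embedded sample, only client 10.0.0.7 is flagged; `example` and `python` score 0 and 1 respectively, which is why the per-label threshold sits at three traits and the per-client threshold at two hits: aggregating over a client's query stream is what keeps a single unusual but legitimate name from triggering an alert.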

Conclusions

DNS is an indispensable part of any modern security toolkit, playing both an active and a supporting role in securing networks and tracking malicious activity. Moreover, DNS is a central tool that is already in place and connects all departments, which can facilitate the paradigm shift away from silos and toward a holistic, integrative approach.


The Author

Steffen Eid is a Manager for Solution Architects in Central Europe at Infoblox.
