Threat Hunting for Domains as an IOC
When threats are detected on a network, domains can serve as good indicators that the network is compromised. In many cases, this compromise could have been detected in time for an effective reaction had the respective domains been analyzed thoroughly. This article will detail threat hunting by using domains as an indicator of compromise (IoC). It will focus on the different ways in which domains can be used to assist in a successful threat investigation.
Indicators of Compromise
IoCs are pieces of forensic data that information security professionals can use to track down threats on their respective systems and networks. Think of IoCs as the proverbial “breadcrumb trail” that threat hunters use to bring them to where the mouse is. IoCs serve as static, go-to data for current known threats, and work best when they are freely shared throughout the greater information security community.
Domain as an IoC
Domains, along with other identifiers such as IP addresses and file hashes, have been traditionally held to be IoCs. This is self-evident in that these classifications of data were created to identify specific activity.
As you can see, domains deserve to be considered IoCs, and they can be found in places such as emails or DNS logs that reflect the traffic accessing, or attempting to access, your network and its resources.
Domains and Emails
Emails that are phishing or social engineering scams can really show their cards, so to speak, when it comes to the domains that they use.
For instance, let’s say that your organization frequently deals with Google in its regular course of business. A coworker approaches you and informs you that they have received an email from Google asking for personal information such as their bank account number, and it even had a strange-looking file attached. You look at the email, hover over the sender email, and see that it is from a domain of “gogle.com.” You also noticed CC emails with the domains gogle.net and google.biz. Based upon these emails, it should be clear to any information security professionals that this email is actually an attack.
DNS logs can come off as daunting, but as long as you have a firm threat-hunting strategy that is also flexible enough to adapt to what it finds, you will be well-positioned for a successful threat investigation.
Know what is normal for your organization and the domains that it normally sends requests to. Every organization is different, but if you do not normally do business with countries like Russia and China and see that requests are now going to those countries, then look deeper into it. If you normally receive only minimal requests from a particular domain and suddenly requests from that domain massively spike, that would be questionable and suitable for further investigation.
- Domain-Generating Algorithms
Attackers often try to cloak their nefarious activity on your network with what is called a Domain-Generating Algorithm (DGA). DGAs are programs or subroutines that provide their malware with new domains whenever it is needed because known offending domains get blocked or revoked frequently. This means that domains can be regenerated by attackers every day or even multiple times per day.
A good measure for if a domain may be suspect is if the domain has only been in existence for 24 hours. If domains that have only been around for 24 hours are sending requests to your network like crazy, then you should block the domain immediately.
- Known Bad or Suspicious Domains
Domains that are notorious for being the source of attacks are generally added to blacklists of domains to block. These domains can be registered on different blacklist websites that allow organizations to check to see if others in the information security community have listed the domain as problematic.
When a DNS server issues an NXDOMAIN response, it means that the domain name server could not resolve that IP address for the domain. This type of message could mean that someone innocently made a typo when typing the domain, but it could also be because the domain is malicious and no longer exists. If you find that a system is trying to send requests but instead only receives NXDOMAIN responses, it could mean that malware has infected that system and compromised it. This should be investigated immediately, as the system may be compromised beyond the ability to use it safely.
- Top-Level Domain
Remember to keep a close eye on the DNS requests that systems on your network receive. If you normally only do business with businesses that have a top-level domain of .com and DNS logs indicate that the requests with .biz and .tv have been inundating your system recently, your network may be under attack. If so, investigate and blacklist the domains if you find that they are not legitimate.
For threat hunters, domains can serve as useful IoCs. Domains are unique indicators of who is accessing your network, and using them as IoCs when you suspect an attack is sound advice when trying to identify if the activity is actually a threat.
Indicators of Compromise in DNS Logs, IT Briefcase
Raise the Red Flag: Guidelines for Consuming and Verifying Indicators of Compromise, SecurityIntelligence