Threat Hunting for Unusual DNS Requests
Searching for unusual DNS requests is a standard threat hunting technique. Unusual DNS requests often tip off information security professionals to attackers who already have a foothold on the network and are trying to communicate out of it. This article details how unusual DNS requests can be of great benefit to information security professionals tasked with threat hunting.
Indicators of Compromise
Indicators of Compromise (IoCs) are pieces of forensic data that identify potentially malicious activity on a network or computer system. IoCs help information security professionals detect data breaches, malware infections, and other threats on their networks. This, in turn, lets organizations respond in a timely fashion: preventing a breach where the attack is caught early enough, or limiting the damage by stopping it as early as possible.
Unusual DNS requests are a standard IoC used for threat hunting, because the patterns left by malicious DNS queries are red flags that a host on the network has already been compromised and is trying to reach its operator.
According to Wade Williamson, senior security analyst at Palo Alto Networks, “Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can't easily take it over. The unique patterns of this traffic can be recognized, and this is a very standard approach to identifying a compromise." With this said, it is clear why unusual DNS requests are a key indicator that a compromise is under way.
DNS is one of the major pillars that powers the Internet. Nearly everything online depends on DNS: web browsers, web apps, and malware too. Malware needs to communicate with its command-and-control server for instructions, and attackers are well versed in DNS tricks that help that traffic avoid detection.
Unusual DNS Requests
The following kinds of unusual DNS requests are commonly used for threat hunting:
Unusual DNS query failures and generated domain names
Malware on a network typically beacons out to its command-and-control server for instructions using a domain name rather than a hard-coded IP address, because a domain is easy for the attacker to re-point and keeps the implant useful for as long as possible. Once defenders identify the domain they can simply block it, so attackers use domain generation algorithms (DGAs): the malware and its operator share an algorithm that derives a long list of pseudo-random domain names from a seed such as the current date, the attacker registers only a few of them, and the infected host queries the list until one resolves. The side effect is a burst of failed lookups (NXDOMAIN responses) from one host for names nobody would type, and that burst is often the giveaway.
Domains that look randomly generated, such as dfkddd.com or eijresfdfd.net, or that contain an embedded IP address, such as 18.104.22.168.gogle.com, should set off alarms.
Domains like these should be analyzed with what is called the rinse and repeat method: analyze the DNS traffic in your logs, define what is normal (baselining, sometimes called whitelisting or allow-listing), remove it from the working set, and analyze what remains; repeat until only the unexplained traffic is left. That residue is usually where the investigation should start.
Geography and top-level domain. Some of these requests go to domains in top-level domains that are cheap or free to register and therefore heavily abused, such as .ru (Russia) and .tk (Tokelau, in the South Pacific). A TLD alone is not evidence of compromise, since plenty of legitimate sites use them, but a .ru or .tk lookup that also shows other suspicious DNS behavior deserves a closer look.
Requests outside business hours. Most employees do not generate DNS requests when they are out of the office or outside business hours. Some machine traffic (patching, backups) still does, so baseline per hour and per host rather than assuming the network is silent at night; a workstation that suddenly starts resolving unfamiliar names at 02:00 stands out against that baseline.
Query volume. The volume of DNS traffic per source IP or per domain can signal beaconing to a command-and-control server: malware often queries the same name at a fixed interval, and a DGA produces many distinct names from one host. When you see an abnormal volume of queries from one host, or to one domain, you should be on alert that a threat may be present.
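The indicators above (failed lookups, generated-looking names, embedded IP addresses, abused TLDs, off-hours activity, per-host volume) combined with the rinse and repeat baseline can be checked in a single pass over resolver logs. The following is an added example written for this article, not code from the original page or from any product it mentions. The log format, the allow-list, the business-hours range, the TLD list and the thresholds are all constructed assumptions to be tuned for a real environment, and the lexical DGA test is deliberately crude.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines for this example (not real traffic).
# Assumed format: "<ISO timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2024-03-04T09:12:01 10.0.1.15 www.example.com NOERROR
2024-03-04T09:12:05 10.0.1.15 mail.example.com NOERROR
2024-03-04T09:13:10 10.0.1.22 update.example.net NOERROR
2024-03-04T11:00:00 10.0.1.22 cdn.partner-site.org NOERROR
2024-03-04T02:41:07 10.0.1.44 dfkddd.com NXDOMAIN
2024-03-04T02:41:08 10.0.1.44 eijresfdfd.net NXDOMAIN
2024-03-04T02:41:09 10.0.1.44 qzxrtkplmv.com NXDOMAIN
2024-03-04T02:41:10 10.0.1.44 hjkwqpzrtb.net NXDOMAIN
2024-03-04T02:41:12 10.0.1.44 18.104.22.168.gogle.com NOERROR
2024-03-04T02:41:15 10.0.1.44 free-stuff.tk NOERROR
2024-03-04T10:05:00 10.0.1.22 www.example.com NOERROR
"""

# Baseline of "known normal" registered domains; the rinse step removes these.
# Constructed here; in practice it is built from your own logs.
ALLOWLIST = {"example.com", "example.net"}
SUSPECT_TLDS = {"ru", "tk"}        # the TLDs the article names; tune per environment
BUSINESS_HOURS = range(7, 19)      # assumed 07:00-18:59 local time
NXDOMAIN_BURST = 3                 # assumed: this many failures per client is a burst
IP_IN_NAME = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
VOWELS = set("aeiou")


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "name": name.lower().rstrip("."), "rcode": rcode})
    return records


def registered_domain(name):
    """Last two labels; a real tool should consult the Public Suffix List."""
    return ".".join(name.split(".")[-2:])


def rinse(records, allowlist):
    """Drop everything that matches the baseline so only the unknown remains."""
    return [r for r in records if registered_domain(r["name"]) not in allowlist]


def looks_generated(name):
    """Crude lexical DGA check on the second-level label: almost no vowels, or a
    consonant run of four or more. Real hunts use n-gram models; illustrative only."""
    labels = name.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 4


def reasons_for(record):
    """Per-query indicators drawn from the article's list."""
    out, name = [], record["name"]
    if looks_generated(name):
        out.append("generated-name")
    if IP_IN_NAME.search(name):
        out.append("ip-in-name")
    if name.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        out.append("suspect-tld")
    if record["ts"].hour not in BUSINESS_HOURS:
        out.append("off-hours")
    return out


def hunt(log_text, allowlist=ALLOWLIST):
    """Rinse, then summarise per client: query count, NXDOMAIN count, reasons."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "reasons": set()})
    for rec in rinse(parse_log(log_text), allowlist):
        summary = per_client[rec["client"]]
        summary["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            summary["nxdomain"] += 1
        summary["reasons"].update(reasons_for(rec))
    for summary in per_client.values():
        if summary["nxdomain"] >= NXDOMAIN_BURST:
            summary["reasons"].add("nxdomain-burst")
        summary["reasons"] = sorted(summary["reasons"])
    return dict(per_client)


if __name__ == "__main__":
    for client, summary in sorted(hunt(SAMPLE_LOG).items()):
        print(client, summary)
```

On the sample data the two clients whose lookups are entirely covered by the baseline disappear after the rinse, one host is left with a single unremarkable query, and 10.0.1.44 surfaces with a burst of four NXDOMAIN answers for generated-looking names, an embedded-IP hostname and a .tk lookup, all at 02:41. Each of those findings on its own is weak; together they are where the investigation starts.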
Denied outbound traffic. Another good indicator that your network is under threat is outbound traffic that your firewall has denied. Despite the best efforts of your information security team, threats still make their way onto the network. This is problematic, but it is entirely detectable, and the deny logs can be used to find threats that are present.
Once a threat is on a network it still needs to communicate with its command-and-control server, and that communication is often choked off by firewalls and other network security devices. When that happens, keep a level head and investigate where the outbound connection originated and which DNS lookup preceded it. Modern network security devices normally have no problem detecting and stopping this traffic, and professionals tasked with threat hunting should use that traffic data to begin their investigation if they have not already.
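Tying a firewall deny back to the DNS lookup that preceded it is what turns a blocked packet into a lead: the source host and the name it resolved tell you where to look. The following is an added example written for this article, not code from the original page. The two log formats, the five-minute correlation window and the sample entries are constructed assumptions; a deny with no preceding lookup is reported too, since malware that connects straight to an IP address without DNS is itself worth a look.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data for this example (not real traffic).
# Resolver answers, assumed format: "<ts> <client_ip> <name> <answer_ip>"
DNS_ANSWERS = """\
2024-03-04T02:41:12 10.0.1.44 18.104.22.168.gogle.com 203.0.113.77
2024-03-04T02:41:15 10.0.1.44 free-stuff.tk 198.51.100.9
2024-03-04T09:12:01 10.0.1.15 www.example.com 93.184.216.34
"""
# Firewall log, assumed format: "<ts> <action> <src_ip> <dst_ip> <dst_port>"
FIREWALL_LOG = """\
2024-03-04T02:41:13 DENY 10.0.1.44 203.0.113.77 443
2024-03-04T02:41:16 DENY 10.0.1.44 198.51.100.9 8080
2024-03-04T02:41:40 DENY 10.0.1.44 203.0.113.77 443
2024-03-04T09:12:02 ALLOW 10.0.1.15 93.184.216.34 443
2024-03-04T09:30:00 DENY 10.0.1.22 192.0.2.50 25
"""


def parse_answers(text):
    """Index resolver answers as (client, answer_ip) -> [(timestamp, name), ...]."""
    lookups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, ip = line.split()
        lookups[(client, ip)].append((datetime.fromisoformat(ts), name.lower()))
    return lookups


def parse_denies(text):
    """Yield only the DENY events; ALLOW lines are not interesting here."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, port = line.split()
        if action == "DENY":
            yield {"ts": datetime.fromisoformat(ts), "src": src,
                   "dst": dst, "port": int(port)}


def explain_denies(dns_text, fw_text, window_minutes=5):
    """For each denied outbound connection, find the most recent lookup by the same
    host that returned the denied destination within the window (None if there is none)."""
    lookups = parse_answers(dns_text)
    window = timedelta(minutes=window_minutes)
    findings = []
    for deny in parse_denies(fw_text):
        name, lookup_ts = None, None
        for ts, candidate in lookups.get((deny["src"], deny["dst"]), []):
            if ts <= deny["ts"] <= ts + window and (lookup_ts is None or ts > lookup_ts):
                lookup_ts, name = ts, candidate
        findings.append({"src": deny["src"], "dst": deny["dst"],
                         "port": deny["port"], "name": name})
    return findings


def by_host(findings):
    """Roll the findings up per source host: deny count, resolved names, unexplained denies."""
    hosts = defaultdict(lambda: {"denies": 0, "names": set(), "no_lookup": 0})
    for f in findings:
        host = hosts[f["src"]]
        host["denies"] += 1
        if f["name"] is None:
            host["no_lookup"] += 1
        else:
            host["names"].add(f["name"])
    for host in hosts.values():
        host["names"] = sorted(host["names"])
    return dict(hosts)


if __name__ == "__main__":
    for src, summary in sorted(by_host(explain_denies(DNS_ANSWERS, FIREWALL_LOG)).items()):
        print(src, summary)
```

With the sample data, 10.0.1.44 accounts for three denies and both of them trace back to the suspicious names it resolved a second or two earlier, while the deny from 10.0.1.22 to 192.0.2.50 on port 25 has no lookup behind it at all. Either pattern is a starting point; which host to image first is a judgment call the correlation makes easier.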
Unusual DNS requests, while alarming, should be used by information security professionals to hunt down threats on their networks. Attackers may be using tricks to evade detection, but by investigating a combination of the unusual DNS requests above you should be able to begin a successful threat investigation, if not conclude it.