Why DNS Anomaly Analysis is Important for Your Business
Why DNS Anomaly Analysis Matters
Five times in the last 24 hours, Trusted Internet identified domain name queries to recently registered domains by a home automation and security system controller. This is not unusual, but it can show how the analysis of Domain Name System (DNS) queries can be used to find anomalies that security tools or the untrained eye might not otherwise see.
What is DNS?
DNS, or Domain Name System, is like the internet's address book. It translates user-friendly domain names (like www.example.com) into numeric IP addresses that computers use to identify each other on the network. DNS helps you find websites by converting human-readable names into machine-readable addresses. DNS logging plays a crucial role in network security monitoring as it analysis of the logs can lead to the detection of DNS attacks in real-time, facilitating proactive blocking measures to mitigate potential threats to your computer system. And by analyzing DNS queries, an analyst can find hints that might not have been seen elsewhere.
Trusted Internet's Threat Intelligence team examines tens of thousands of Domain Name System (DNS) logs daily, seeking out potentially malicious domains not otherwise flagged by available threat intelligence sources.
Like the Internet, the Domain Name System was not built for security. Today, however, malicious actors exploit DNS for various nefarious activities such as data theft, denial-of-service attacks, command-and-control operations (Back Door), and other malicious behaviors.
What DNS Anomalies Are We Looking For?
Anything that appears abnormal. For example:
Communications with newly registered domains might show that a domain was built for nefarious purposes.
Spelling of a domain name could be meant to trick a user.
Dashes in the domain name, i.e., bad-domain.com
Misspelled brand names i.e., trastedinternet.io
A mixture of miscellaneous characters, i.e., asdfye.com
Brand name as the sub-domain, i.e., google.domain.com
Domains starting with the characters xn-- (This means that the domain name includes non-ASCII characters, for example, ä)
Domain name includes service-related words, i.e., support, login, and account.
The problem? DNS generates a LOT of activity, making it nearly impossible to analyze without filtering or good machines, especially considering a single customer might generate 700,000 log entries in 24 hours (Figure 1).
Figure 1 – Raw Unfiltered log
How Manual Work and Machine Learning Provide the SOC what they need to protect our clients.
Manually, we implement filters to exclude legitimate domains like google.com, and you'll find that the remaining data becomes significantly more manageable and actionable with only 500 entries to review (Figure 2).
And by using Machine Learning and AI (Artificial Intelligence) in a secondary analysis setting. While Intel uses our internal analytic stack, we also rely on ML/AI in an Open expanded Detection and Response (XDR) system to watch flows of communication for size, spelling, volume, and other variables that might offer a glimpse into anomalies, that the SOC (Security Operations Center) can then follow up on.
Figure 2 – Filtered Log
Trusted Internet Intelligence and 24/7 Security Operations Center (SOC) teams watch these activities closely, actively tracking ongoing cyber threats and swiftly executing necessary remedies to halt potential threats, staying one step ahead.
Additionally, we have increased the number of seasoned Virtual Chief Information Security Officers and Threat Intelligence personnel to create a new Executive Cyber Security Support Team, which allows clients to call in, in real-time, for help.
For more information, don't hesitate to contact Trusted Internet at staysafeonline@trustedinternet.io.
References:
hxxps://unit42.paloaltonetworks.com/proactive-detector/
hxxps://dnsabuseinstitute.org/best-practices-identification-mitigation-of-dns-abuse/
hxxps://unit42.paloaltonetworks.com/malicious-newly-observed-domains/
hxxps://www.du.edu/it/services/security/5-url-warning-signs
