by Will Gragido, Chief Strategy Officer – Prevailion, Inc.
Intelligence analysis is dependent upon many things not the least of which are collections and access to data (e.g., pcaps, logs etc.) sourced from within the network. Prevailion affords its customers the ability to view intelligence related to real state of compromise outside the network’s perimeter. And though this is a unique capability and dataset, it requires correlation with data collected from within the network in order to pinpoint specific machines and machine-level activity. Why? To understand, which internal systems are behind the curtain of your public facing addresses. The key to remediation efforts based on Prevailion’s high-fidelity detection of compromise activity coming from your environment and mapping it to internal systems is having access to logging data related to your organization’s DNS architecture.
To begin with, you may want to evaluate your organizations understanding of DNS. DNS is often a setup and forget type of system but is critical to keep the business always operational and often free from security issues. What is DNS you ask? The Domain Name System (DNS) is a hierarchical and decentralized naming system that’s purpose is to aid in the facilitation of communication between devices across the Internet. Put another way, it is the telephone book (remember those?) for the Internet. It acts as distributed directory service that has been in operation since 1985 providing an integral service to what the world enjoys and recognizes today as the Internet. DNS utilizes authorative name servers – servers that provide answers in response to questions posed about names in a DNS zone. Authoritative-only name servers answer questions about domain names that have been configured by an administrator at a registrar or dynamic DNS provider. Name servers can also be configured to act as a DNS catching name server for zones (domains). This type of configuration stores DNS query results for a predetermined period of time for each domain-name record. Things of note with respect to DNS include:
Through the years DNS has been expanded to store records for other types of data useful in providing automatic lookup responses such as DNSSEC records.
There are many different DNS-related events that can be collected from a DNS server. The actual data available is dependent on the DNS server in use. Events that may be available for collection include, but are not limited to:
This metadata may be available for query logging (analytical) events:
DNS provides a critical service within the Internet today providing acting as an authoritative directory for users all over the world. Logging and monitoring DNS within your organization enables both network administrators and cybersecurity personnel alike to detect, identify, and triage issues more quickly in addition to providing them with a more robust understanding of which machines within their environment are communicating with which domains on a regular basis. This in turn, further enhances the network administrator and cybersecurity professionals understanding of what is “safe” or “benign” and what is less so from a DNS perspective. The benefits related to logging and examining DNS are myriad and afford the organizations who do so a deeper, richer, more contextually relevant experience thus affording them the opportunity correlated data and in particular, evidence associated with compromise and breach in a quicker fashion resulting in expedited efforts related to monitoring, observation, containment, and ultimately the ejection of the adversary from the environment. To learn more about how to leverage DNS to quickly determine compromised infrastructure well before traditional intelligence and threat detection solutions, visit Prevailion.com.
For More Information See the Following Sources:
Introduction: Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign. UNC1151 is likely a state-backed threat actor  waging an ongoing and far-reaching influence campaign that has targeted numerous countries across […]
Prevailion CEO, Karim Hijazi, comments on lacking White House cybersecurity efforts Karim Hijazi lays out why Biden’s cybersecurity strategy lacks innovation and effectiveness to deal with modern adversaries already inside companies around the globe.