There's a wealth of security intelligence to be gleaned from the logs of your internal DNS servers and from monitoring outbound DNS queries on your network. If you run your own Internet DNS servers you could say the same for inbound queries but in this real training for free ™ webinar I'll be focusing on how to detect compromised endpoints. And that means watching your internal DNS servers and outbound DNS traffic.
Your internal DNS normally sees all DNS queries from all of your endpoints – including those to the outside world for finding websites and other resources on the Internet. This is extremely useful because malware (APTs, ransomware, etc) must find it's command and control server. Most bad guys don't hardcode that IP address for all kinds of reasons; so malware usually relies on the same DNS protocol that good software uses to find IP addresses. But if you know what to look for you can often recognize DNS queries associated with malware. Check the IP address of the endpoint making the query and you've zeroed in on at least one of the systems compromised.
Before you can detect malicious DNS queries you have to be able to see them. And on Windows DNS Servers (the internal DNS server most used in Active Directory environments) you must enable debug logging. The normal DNS event log only provides operational messages such as errors and warnings about the service itself. I'll show you how to enable debug logging, which options to configure, where to find the log and how to interpret it.
Then we'll explore what kinds of analysis to perform in order to detect compromised endpoints including:
- Checking against known malware domains
- Geo location
- Unusual errors
- Newly and least frequently queried domain names
We will also discuss DNS related security issues such as:
- DNS cache poisoning
- Typo-squatting
- Domain generation algorithms
- Fast-flux
- Registrar hacking
The bad guys are even using DNS to hide communications with command and control servers – even for exfiltration of data.
Beyond monitoring DNS server logs, we I'll also explain a simple check to perform on endpoints to detect DNS hijacking and a way to do the same thing at your gateway with an IDS or firewall log.
A. N. Ananth from EventTracker, our sponsor, brought me the idea for this very technical webinar and he will briefly show you the built-in DNS security features of EventTracker.
Don't miss this real training for free ™ event. Please register now!