DNS is woven into the fabric of both the Internet and corporate intranets. It works so well that we forget it even exists, until it doesn’t work or is used against us.
The bad guys haven’t forgotten or ignored DNS, and it’s become an increasingly abused protocol. In fact, they are using, leveraging and exploiting DNS more and more to hide their communication right under our nose. In this real training for free event we will use network forensics tools and full packet captures to analyze and compare legitimate, innocent DNS traffic with suspicious DNS packets – all to show you how to recognize malicious DNS when you see it.
First though, I’ll give you a brief but technical introduction to DNS itself. You’ll learn how it’s normally a simple, session-less question-and-answer protocol. I’ll also explain how DNS supports more than just the standard “What is the IP address for this domain name?” question (for example, via TXT queries). And we’ll actually dive deep into samples of this legitimate DNS traffic so you see what it actually looks like on the wire.
Then we’ll transition to the malicious use of DNS and show you more samples of:
- Domain-generation-algorithm (DGA) queries
- Command and control (C2) data tunneled through DNS
- Data exfiltration via tunneled DNS
Attackers often obfuscate data before sending it in DNS packets, so we’ll decode some samples of that as well.
Finally, we’ll talk about detection and explain the value of these correlation points:
- Inferring sessions on a session-less protocol
- Packet quantity
- Total bytes
- Comparing domain names to lists like Alexa’s Top 500 sites
- Least queried domain names
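As an added example (not part of the event description or of LogRhythm's Network Monitor), here is a small Python sketch of those correlation points run over a constructed DNS query log: it infers sessions on the session-less protocol from query timing per client and base domain, totals packets and bytes per inferred session, checks each base domain against a stand-in for the Alexa Top 500 list, and lists the least queried domains. The sample records, the two-label base-domain helper, the thresholds and the TOP_SITES set are all assumptions made for the example.

```python
from datetime import datetime

# Constructed DNS query log (time, client, qname, qtype, wire bytes); these are
# made-up records for the example, not packets from the training session.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 www.google.com A 60
2024-01-01T10:00:01 10.0.0.5 mail.google.com A 61
2024-01-01T10:00:02 10.0.0.7 aGVsbG8.c2VjcmV0.exfil.example.net TXT 92
2024-01-01T10:00:03 10.0.0.7 ZGF0YQ.bW9yZQ.exfil.example.net TXT 90
2024-01-01T10:00:05 10.0.0.7 ZW5k.ZW5k.exfil.example.net TXT 84
2024-01-01T10:00:06 10.0.0.9 kjhsdf8s7dfkj.biz A 66
2024-01-01T10:30:00 10.0.0.7 ping.exfil.example.net TXT 70
"""
TOP_SITES = {"google.com", "facebook.com", "amazon.com"}  # stand-in for Alexa Top 500

def parse_log(text):
    recs = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, size = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "client": client,
                     "qname": qname.lower(), "qtype": qtype, "bytes": int(size)})
    return sorted(recs, key=lambda r: r["ts"])

def base_domain(qname):
    # Assumption: the registered domain is the last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])

def infer_sessions(recs, gap_seconds=300):
    """Group queries by (client, base domain); a gap over gap_seconds starts a new session."""
    sessions, last = [], {}
    for r in recs:
        key = (r["client"], base_domain(r["qname"]))
        s = last.get(key)
        if s is None or (r["ts"] - s["end"]).total_seconds() > gap_seconds:
            s = {"client": key[0], "domain": key[1], "start": r["ts"],
                 "end": r["ts"], "packets": 0, "bytes": 0}
            sessions.append(s); last[key] = s
        s["end"], s["packets"], s["bytes"] = r["ts"], s["packets"] + 1, s["bytes"] + r["bytes"]
    return sessions

def suspicious_sessions(sessions, top_sites, min_packets=3, min_bytes=250):
    # Packet quantity and total bytes only count against domains not on the popular list.
    return [s for s in sessions if s["domain"] not in top_sites
            and (s["packets"] >= min_packets or s["bytes"] >= min_bytes)]

def least_queried(recs, n=2):  # rarely queried base domains; DGA names are often seen once
    counts = {}
    for r in recs:
        counts[base_domain(r["qname"])] = counts.get(base_domain(r["qname"]), 0) + 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]
```

On the sample, the volume checks flag only the TXT burst to example.net, while the single DGA-style lookup surfaces through the least-queried list rather than through packet or byte counts.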
LogRhythm is our sponsor and Rob McGovern (Senior Technical Product Manager, Network Monitoring) and Erika Noerenberg (Senior Malware Analyst) are joining me, and we’ll use their Network Monitor Freemium tool to show you these DNS samples and demonstrate how to analyze DNS traffic for malicious activity. Ahead of our training feel free to download their NetMon Freemium so you can mirror our searches and DNS discovery.