Threat Hunting for Unusual DNS Requests

Searching for Unusual DNS Requests is a standard threat-hunting method. Their presence can tip off Information Security professionals to attackers trying to gain entry to their network. This article details how Unusual DNS Requests can benefit Information Security professionals tasked with threat hunting.

Indicators of Compromise

Indicators of Compromise (IoCs) are pieces of forensic data that identify potentially malicious activity on a network or computer system. IoCs help Information Security professionals detect data breaches, malware infections, and other threats on their networks. This, in turn, lets organizations detect attacks and respond in a timely fashion, either preventing a breach or limiting the damage by stopping the attack as early as possible.

Unusual DNS Requests are considered a standard IoC used by Information Security professionals for threat hunting, because the patterns left by malicious DNS queries are glaring red flags that an organization is about to be breached.

According to Wade Williamson, senior security analyst at Palo Alto Networks, “Command-and-control traffic is often the most important traffic to an attacker because it allows them ongoing management of the attack and it needs to be secure so that security professionals can’t easily take it over. The unique patterns of this traffic can be recognized and is a very standard approach to identifying a compromise.” With this said, it is clear why Unusual DNS Requests are a key indicator that data compromise is imminent.
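The "unique patterns" the quote refers to can be hunted for directly in DNS query logs. The following is an added example, not code from the original post or from Palo Alto Networks: a small Python hunt that flags individual queries with random-looking (high-entropy) subdomain labels or uncommon record types, and flags registered domains that receive many distinct subdomain lookups, which is how DNS tunnelling and command-and-control beaconing typically surface. The log lines, domain names, thresholds and the "last two labels" approximation of a registered domain are all constructed assumptions for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client, query name, record type); not from the article.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a9f3k2lq8zx1c4vb.update-cdn.net TXT
10.0.0.7 b7hq0w3mxe2pl9ry.update-cdn.net TXT
10.0.0.7 zt5nc8ka1yv6rd3s.update-cdn.net TXT
10.0.0.7 q2w8e4r6t1y9u3i5.update-cdn.net TXT
10.0.0.9 cdn.static-assets.org A
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Crude 'last two labels' approximation of the registered domain (no public-suffix list)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def score_query(name: str, rtype: str) -> list:
    """Return the heuristic flags that make a single query look unusual (assumed thresholds)."""
    flags = []
    labels = name.lower().rstrip(".").split(".")
    sub = labels[0] if len(labels) > 2 else ""
    if sub and len(sub) >= 12 and shannon_entropy(sub) > 3.5:
        flags.append("high_entropy_label")
    if rtype in {"TXT", "NULL"}:
        flags.append("uncommon_rtype")
    return flags

def hunt(log_text: str, volume_threshold: int = 3) -> dict:
    """Flag unusual queries and domains that receive many distinct subdomain lookups."""
    per_domain_subs = defaultdict(set)
    findings = {"queries": [], "domains": []}
    for line in log_text.splitlines():
        client, name, rtype = line.split()
        flags = score_query(name, rtype)
        if flags:
            findings["queries"].append((client, name, flags))
        per_domain_subs[registered_domain(name)].add(name)
    for dom, subs in per_domain_subs.items():
        if len(subs) >= volume_threshold:
            findings["domains"].append(dom)
    return findings
```

Running `hunt(SAMPLE_LOG)` flags the four TXT lookups from 10.0.0.7 and the domain update-cdn.net; in practice the thresholds should be tuned against a baseline of the organization's own resolver logs, since CDNs and some legitimate services also generate long, random-looking labels.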

Why DNS?

DNS is one of the major pillars that powers the Internet. Everything that is online relies on DNS, including web browsers, web apps, and even malware. Malware needs to communicate with its master server for instructions, and attackers are well versed in using (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/FwELGzoLA8k/