DNS Analytics, What Is It and Why Is It Important?

Cyber Security Practitioner Series brought to you by:

RevAd Freight Fixed.png
chris mcnab.jpg

For our next installment in the Cyber Security Practitioner Series, we interviewed AlphaSOC co-founder Chris McNab about DNS (Domain Name Server) analytics, it's importance, and what AlphaSOC is doing about it. 

Chris discusses his Splunk app, DNS Analytics for Splunk, and how AlphaSOC uses it to find anomalies and malware by analyzing the DNS logs. 

Tell us a bit about yourself, your background and what you're currently working on.

I'm a co-founder of AlphaSOC and author of Network Security Assessment (O'Reilly Media) which is a penetration testing title in its 3rd edition! I've worked in the security industry since 2000 on the consulting side of things, focusing on assessment work, and in recent years a lot of incident response and forensics. I tracked Alexsey Belan a few years ago, and put together a blog post recently describing his TTPs (https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551) after it was publicly known he was associated with the massive Yahoo hack. We set up AlphaSOC back in 2013 upon realizing that DNS was a reliable and inexpensive channel to pay attention to when flagging malware and lateral movement in large networks.

What is DNS analytics and why is it important?

DNS Analytics for Splunk is the flagship AlphaSOC product that we've been working on and continuously improving since 2013. It's an app, for Splunk and non-Splunk environments,  that takes minutes to deploy and will instantly flag anomalies and malware within an environment by processing DNS logs. The analytics engine is actually platform agnostic. While many of our customers use Splunk, we support non-Splunk environments as well via Network Flight Recorder (https://github.com/alphasoc/nfr) which is a lightweight Linux command-line utility. Most security products used within a SOC perform one-dimensional correlation of threat intelligence feeds, flagging traffic to known bad domains. DNS analytics performs three-dimensional scoring using behavioral analytics and timing analytics to flag anomalies, emerging threats, and malware without signatures. For example, we're able to programmatically flag DGA traffic and DNS tunneling using analytics alone (versus threat intelligence feeds), and highlight odd traffic patterns (e.g. beaconing to a young domain with a suspicious TLD).

What are the threat intelligence feeds you use in your product and how does that help identify threats? Any specific examples you could touch on?

We curate our own threat intelligence through investigating the alerts within the system and marginal hits (e.g. young domains and FQDNs known to sandboxing engines). As such, we're able to categorize adware, unwanted programs, third-party VPN packages, P2P traffic, and malicious traffic patterns to C2 domains. Of the alerts we serve to users, only a small percentage are generated using a threat intelligence correlation, and the majority are generated by the analytics stack to highlight suspicious queries within the larger DNS dataset (which is often millions of events per day). As we improve the classifiers and analytics engine, we actually become less and less dependent on threat intelligence, which isn't a bad thing.

How much malware actually uses DNS for command and control?

According to research by Infoblox and BlueCat Networks, around 95% of malware families use DNS for command and control (C2). Even state-sponsored malware samples such as Stuxnet have been found to use DNS for C2 purposes. DNS has been found to be a reliable channel to pay attention to when identifying infected hosts within an environment.

How does AlphaSOC flag infections that don't generate DNS traffic?

To cover the small blindspot that remains (exploited by the 5% of malware families not using DNS), we've released IP Analytics for Splunk to flag anonymized circuits (e.g. Tor, I2P, and Freenet) and traffic to IP addresses which are known C2 and sinkhole destinations.

How can someone get started leverage AlphaSOC analytics to help protect their enterprise?

If you have Splunk, the DNS Analytics (https://splunkbase.splunk.com/app/1657/) and IP Analytics (https://splunkbase.splunk.com/app/3721/) apps are free to download and evaluate for 30 days without restriction. By using the tools to process your network logs, you can flag known and unknown malware, emerging threats, and policy violations (e.g. third-party VPN use, P2P traffic, cryptomining, and other threats). The visibility provides a lot of insight into what's going on within large complex enterprise environments. If you don't have Splunk, take a look at Network Flight Recorder (https://github.com/alphasoc/nfr) which is our Linux command-line utility to score DNS traffic and get in-touch with us to discuss your requirements! The analytics API and feeds that we provide can be consumed easily and integrated with SIEM and orchestration platforms.