Knowing What to Trust
With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?
Custom DPA-Powered Network Monitor Dashboards
You can solve this problem using two powerful features of Network Monitor (NetMon): deep packet analytics (DPA) and rich custom dashboards. First, we’ll create a DPA rule to parse out a custom piece of metadata (the TLD). Then we’ll build a hunting dashboard that consumes this custom metadata and surfaces abnormal trends in TLD usage.
Using NetMon, create a DPA Lua script that extracts the TLD from HTTP and HTTPS traffic. For plain HTTP the hostname comes from the Host header; for HTTPS the payload is encrypted, so the hostname is only visible in the TLS handshake (the Server Name Indication extension, or the server certificate). The script writes the TLD into the flow’s Elasticsearch metadata as a custom field, TopLevelDomain_NM.
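As an added example (this is not the Flow_TopLevelDomain.lua draft the original post linked to), here is what the core of such a DPA rule looks like in Lua: reduce the hostname to its last DNS label and store it as the custom field. Only the field name TopLevelDomain_NM comes from the page. The hook name OnFlowUpdate, the accessors GetString and SetCustomField, and the metadata group/field names "http"/"host" and "ssl"/"server_name" are assumptions for illustration; verify them against the DPA Lua reference for your NetMon version before importing.

```lua
-- Added example, not the page's Flow_TopLevelDomain.lua.
-- ASSUMPTIONS (illustrative only, check the DPA Lua reference for your
-- NetMon version): the hook OnFlowUpdate(dpiMsg, ruleEngine), the accessors
-- GetString(dpiMsg, group, field) / SetCustomField(dpiMsg, name, value),
-- and the metadata names "http"/"host" and "ssl"/"server_name".

-- Return the last DNS label of a host value, lower-cased, or nil when there
-- is no usable TLD (empty value, single label, IPv4 or IPv6 literal).
local function extract_tld(host)
  if host == nil then return nil end
  host = host:lower()
  host = host:gsub("%s+", "")        -- drop whitespace from a sloppy header
  host = host:gsub(":%d+$", "")      -- strip an explicit :port
  host = host:gsub("%.$", "")        -- strip a trailing root dot ("example.com.")
  if host == "" then return nil end
  if host:find("[%[:]") then return nil end                  -- IPv6 literal
  if host:match("^%d+%.%d+%.%d+%.%d+$") then return nil end  -- IPv4 literal
  -- Label after the final dot. Labels are letters, digits and hyphens, so a
  -- punycode TLD such as "xn--p1ai" is returned as-is (worth flagging).
  return host:match("%.([%w%-]+)$")
end

-- DPA entry point (ASSUMED name and signature): called per flow update.
function OnFlowUpdate(dpiMsg, ruleEngine)
  -- Plain HTTP: the Host header. HTTPS: the payload is encrypted, so the
  -- only hostname on the wire is the TLS Server Name Indication.
  local host = GetString(dpiMsg, "http", "host")
  if host == nil or host == "" then
    host = GetString(dpiMsg, "ssl", "server_name")
  end
  local tld = extract_tld(host)
  if tld ~= nil then
    SetCustomField(dpiMsg, "TopLevelDomain_NM", tld)
  end
end

-- Stand-alone check with constructed host values (run with the `lua` CLI,
-- where the NetMon globals do not exist).
if GetString == nil then
  local samples = { "www.example.com", "Login.Example.CO.UK:443",
                    "evil.xn--p1ai.", "10.0.0.5", "[2001:db8::1]:8443",
                    "localhost" }
  for _, h in ipairs(samples) do
    print(string.format("%-24s -> %s", h, tostring(extract_tld(h))))
  end
end
```

Two caveats worth knowing before you trust the dashboard built on this field. The rule takes the last label, so example.co.uk is reported as "uk"; if you want the effective TLD ("co.uk") you need the Public Suffix List. And flows that carry neither a Host header nor an SNI (clients that omit SNI, non-HTTP traffic on 443) get no field at all, which is itself a useful hunting signal rather than something to silently drop.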
NetMon’s Kibana cache of metadata fields has to be refreshed before the new custom field can be used in dashboards.
Go to https://
Click the [network_]YYYY_MM_DD link to open the Kibana settings page for the network data index.
Here you can see all the metadata fields that are accessible. The only control you need on this settings page is the refresh button. Because the Flow_TopLevelDomain.lua script is already running and has generated metadata, the TopLevelDomain_NM field appears after the refresh, far down in the list.
Once Kibana can see the new metadata field, you can use it in your dashboards. With a couple of donut charts, histograms and a table search, the dashboard will show the top and bottom 10 TLDs on your network; for hunting, the bottom 10 is usually the more interesting list, because rare TLDs are where abnormal traffic stands out from the noise.
Create the top 10 TLDs in a donut chart:
Then, add applications for each TLD to display the top five applications per TLD. The applications will be displayed in an outer ring:
To create the final dashboard, you can add the bottom 10 TLDs and a table search:
Please note: the above instructions apply to NetMon 3.1. If you have already upgraded to NetMon 3.2, the process is simpler: the “Refresh Kibana” step is not needed, because custom metadata fields show up automatically as soon as your DPA rule generates metadata.
Here you’ll find the draft Lua rule in import-ready format. You can import it through Configuration –> Engine –> Deep Packet Analytics. Do not forget to enable the rule after importing it; until it is enabled, no TopLevelDomain_NM metadata is generated.
Here you’ll find a near-identical TLD dashboard with its visualizations. You can import it through Analyze –> Dashboard Settings –> Import. If the rule has not yet generated metadata, you’ll see an alert about the missing TopLevelDomain_NM field. After importing and enabling the rule and letting it process some traffic, refresh Kibana as described above and the dashboard will work.
Finally, you can load the TLD draft dashboard through Analyze –> Dashboards –> “load symbol”
Try NetMon Freemium
If you aren’t a NetMon user yet, you can still give this use case a try. Install NetMon Freemium to get started.