Domain Name System (DNS) is woven into the fabric of both the internet and corporate intranets. It works so well that you might even forget it exists — until it is used against you.
Hackers haven’t forgotten or ignored DNS. In fact, it’s becoming an increasingly abused protocol to find command and control (C2) servers, control compromised systems, and exfiltrate your data. Threat actors are increasingly leveraging and exploiting DNS, hiding their communications right under our noses.
In this on-demand webinar, LogRhythm’s Rob McGovern, senior technical product manager, network monitoring, and Erika Noerenberg, senior malware analyst, join Windows Security Expert Randy Franklin Smith to show you how to spot threatening DNS activity using LogRhythm NetMon Freemium.
You’ll learn about the use of malicious DNS, the importance of DNS network monitoring, and how to detect:
- Domain-generation-algorithm (DGA) queries
- C2 data tunneled through DNS
- Data exfiltration via tunneled DNS
There are two main ways hackers abuse DNS. The first method is to use the existing DNS protocol as intended, but to generate malicious domain names in order to locate C2 servers. The second way to abuse DNS is to emulate a DNS server through a C2 server.
What exactly should you look for in DNS traffic to spot an intrusion? In the webinar, the team explores several examples, including how request frequency, request source, domain analysis, TXT record content, and long sessions can all be indicators of compromise. Attackers are also known to obfuscate data before sending it through malicious DNS packets. Samples of what this looks like when decoded are covered further in the webinar.
Finally, webinar participants talk about intrusion detection and explain the value of the following correlation points:
- Inferring sessions on a session-less protocol
- Packet quantity
- Total bytes
- Comparing domain names to lists like Alexa’s Top 500 sites
- Least queried domain names
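As an added example (not code from the webinar or from LogRhythm NetMon), the script below runs the indicators listed above over a few constructed DNS query log lines: it infers sessions on the session-less protocol by grouping queries per source and base domain and splitting on idle gaps, counts packets and total bytes per session, flags high-entropy labels as DGA-like, flags TXT-heavy, byte-heavy sessions as tunnel suspects, and ranks the least queried base domains against a stand-in popularity list. The log format, the `POPULAR_DOMAINS` set, the 300-second session gap and all thresholds are assumptions chosen for the example.

```python
"""Heuristic DNS log analysis: DGA-looking names, tunnel-like sessions, rare domains.
Added example; the log format, thresholds and popularity list are constructed."""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: "timestamp src_ip qname qtype response_bytes"
SAMPLE_LOG = """\
2023-05-01T10:00:00 10.0.0.5 www.example.com A 60
2023-05-01T10:00:01 10.0.0.5 mail.example.com A 60
2023-05-01T10:00:02 10.0.0.7 x7g2kq9pz1mv4bnt.evil-c2.test A 60
2023-05-01T10:00:03 10.0.0.7 q8wz3nm5lk2jd1hf.evil-c2.test A 60
2023-05-01T10:00:04 10.0.0.9 aGVsbG8gd29ybGQ.tunnel.test TXT 420
2023-05-01T10:00:05 10.0.0.9 dGhpcyBpcyBkYXRh.tunnel.test TXT 400
2023-05-01T10:00:06 10.0.0.9 bW9yZSBkYXRhIGhlcmU.tunnel.test TXT 410
2023-05-01T10:00:07 10.0.0.9 ZXhmaWxsZWQgc3R1ZmY.tunnel.test TXT 430
2023-05-01T10:30:00 10.0.0.9 YWZ0ZXIgYSBnYXA.tunnel.test TXT 415
2023-05-01T10:00:08 10.0.0.5 cdn.example.com A 60
"""

# Constructed stand-in for a popularity list such as Alexa's Top 500 (not the real list)
POPULAR_DOMAINS = {"example.com"}
SESSION_GAP_SECONDS = 300  # assumed idle gap that separates two inferred sessions


def parse_log(text):
    """Turn the whitespace-separated log lines into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        ts, src, qname, qtype, size = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype.upper(), "bytes": int(size)})
    return sorted(records, key=lambda r: r["ts"])


def base_domain(qname):
    """Registrable domain approximated as the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits of entropy per character of the string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def looks_like_dga(qname, min_len=12, min_entropy=3.5):
    """Flag a long, high-entropy label directly under the base domain."""
    parts = qname.split(".")
    label = parts[-3] if len(parts) >= 3 else parts[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def infer_sessions(records, gap=SESSION_GAP_SECONDS):
    """Group queries by (source, base domain) and split on idle gaps longer than `gap`."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["src"], base_domain(r["qname"]))].append(r)
    sessions = []
    for (src, dom), recs in by_key.items():
        current = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if (cur["ts"] - prev["ts"]).total_seconds() > gap:
                sessions.append((src, dom, current))
                current = []
            current.append(cur)
        sessions.append((src, dom, current))
    return sessions


def tunnel_suspects(sessions, min_queries=3, min_bytes=1000):
    """A session is tunnel-like when it is long, byte-heavy and mostly TXT queries."""
    out = []
    for src, dom, recs in sessions:
        total = sum(r["bytes"] for r in recs)
        txt = sum(r["qtype"] == "TXT" for r in recs)
        if len(recs) >= min_queries and total >= min_bytes and txt * 2 > len(recs):
            out.append({"src": src, "domain": dom, "queries": len(recs), "bytes": total})
    return out


def rare_domains(records, popular=POPULAR_DOMAINS):
    """Least-queried base domains first, skipping anything on the popularity list."""
    counts = Counter(base_domain(r["qname"]) for r in records)
    return sorted(((d, c) for d, c in counts.items() if d not in popular),
                  key=lambda item: item[1])


def analyze(text):
    """Run all three checks over one log and return their findings."""
    records = parse_log(text)
    return {
        "dga": sorted({r["qname"] for r in records if looks_like_dga(r["qname"])}),
        "tunnels": tunnel_suspects(infer_sessions(records)),
        "rare": rare_domains(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The entropy check deliberately fires on any long random-looking label, so encoded tunnel payloads show up there as well as in the session check; in practice the two findings corroborate each other rather than compete. Each threshold is a starting point to tune against your own baseline of query volume and byte counts per source.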
Watch the on-demand webcast now to learn how DNS network monitoring helps stop hackers from exploiting your network.