Taking a Cue from Queries
How DNS Intelligence Can Be Used To Illuminate Malicious Traffic
Passive DNS has long been used as a cybersecurity forensic analysis tool, and it is sometimes leveraged for proactive threat intelligence: trending of responses and tracking of specific IP addresses associated with shifting hostnames can indicate malicious activity, or command-and-control botnets used to push application-layer attacks and DDoS traffic.
Passive DNS, or DNS intelligence, plays an essential role in the cybersecurity forensic toolset and is part of many enterprises' (not just security companies') arsenal for incident response.
What if you could use trending of historical DNS query volume for an organization as one means of uncovering malicious activity? Large deltas from expected DNS query volume, if tracked, could unveil both attempted application exploits and lower-level, application-degrading DDoS attacks that might fly below the typical flow-analysis radar.
Where are the higher-than-anticipated excess queries originating? Are these source regions typical of your historical traffic patterns?
What type of records and which exact resources are the targets of the elevated queries? Could this be indicative of reconnaissance or attempts to exploit or DDoS a resource?
Was any service or application degradation noted that could be correlated chronologically with the targeted excess queries?
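The three questions above can be answered from the query log itself once a spike is detected. The following is an added example, not code from the original post: it parses a constructed, minimal query-log format (`<hour> <client_ip> <qtype> <qname>`, an assumption for illustration), flags hours whose volume exceeds a multiple of the other hours' mean, and breaks the flagged hour down by source /24, record type and queried name.

```python
from collections import Counter
from statistics import mean

# Constructed sample query log (not real traffic): "<hour> <client_ip> <qtype> <qname>".
# Hours 1-3 are ordinary; hour 4 carries a burst of ANY/TXT queries from one /24.
SAMPLE_LOG = """\
1 10.0.1.5 A www.example.com
1 10.0.2.7 MX example.com
2 10.0.1.5 A www.example.com
2 10.0.1.8 AAAA api.example.com
3 10.0.1.6 A www.example.com
3 10.0.2.9 A api.example.com
4 10.0.1.5 A www.example.com
4 203.0.113.4 ANY example.com
4 203.0.113.4 ANY example.com
4 203.0.113.9 ANY example.com
4 203.0.113.9 TXT example.com
4 203.0.113.4 ANY example.com
"""

def parse_log(text):
    """Split each log line into (hour, client_ip, qtype, qname)."""
    rows = []
    for line in text.splitlines():
        hour, ip, qtype, qname = line.split()
        rows.append((int(hour), ip, qtype, qname.lower()))
    return rows

def hourly_volume(rows):
    """Query count per hour bucket."""
    return Counter(hour for hour, *_ in rows)

def find_spikes(volume, ratio=2.0):
    """Hours whose count exceeds `ratio` times the mean of all other hours.
    A real deployment would baseline against weeks of history and time of day;
    the leave-one-out mean here is deliberately simple."""
    spikes = []
    for hour, count in sorted(volume.items()):
        others = [c for h, c in volume.items() if h != hour]
        if others and count > ratio * mean(others):
            spikes.append(hour)
    return spikes

def excess_breakdown(rows, hour, top=2):
    """Which source networks (IPv4 /24), record types and names dominate the flagged hour."""
    hour_rows = [r for r in rows if r[0] == hour]
    by_net = Counter(ip.rsplit(".", 1)[0] + ".0/24" for _, ip, _, _ in hour_rows)
    by_type = Counter(qtype for _, _, qtype, _ in hour_rows)
    by_name = Counter(qname for _, _, _, qname in hour_rows)
    return {"sources": by_net.most_common(top),
            "qtypes": by_type.most_common(top),
            "qnames": by_name.most_common(top)}
```

Feed `SAMPLE_LOG` through `parse_log`, `hourly_volume` and `find_spikes`, then pass each flagged hour to `excess_breakdown` to see who drove the excess, which record type they asked for and which name they targeted.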
A Web Application Firewall (WAF) that could effectively front all of an organization's resources, whether customer-datacenter-based or spread across multiple cloud providers (multi-cloud), could proactively defend against many of the underlying malicious exploit attempts, from SQLi to CSRF to XSS to buffer overflows. Attempts to degrade the availability of a specific load balancer, web server, API, database or application located in a customer datacenter or across multiple cloud providers could be mitigated using a cloud-based DDoS mitigation service.
Do you know what’s going on in your network? Could something as simple as tracking DNS query volumes help?