5 Examples of DNS IoCs That Are Red Flags for Cyberattacks – Source: heimdalsecurity.com

In the increasingly digitalized world that we live in, doing business without being connected 24/7 is almost unthinkable. Any medium to large organization needs to have an online way of displaying its products or services. It also needs a fast communication system with employees and customers. Finally, they need a better and more cost-effective way to store huge amounts of data than the old-fashioned physical archive room.

It`s safe to say that the Internet, at the moment, makes the world go around. However, from a threat actor`s perspective, the Internet is also a gateway to their victim`s system. One of the reasons is the Domain Name System (DNS). DNS, the phonebook of the Internet, was not built with a focus of potential security issues. So, by time, hackers found a variety of ways to conduct their attacks through it.

How Can Security Teams Use DNS IoCs

DNS monitoring and DNS filtering are critical tools that security teams use to safeguard their companies` assets.

DNS Indicators of Compromise (IoCs) are the alarm triggers in case a system is targeted through the DNS. They point to an attacker attempting to breach the system or to intruders that are already in.

Either way, DNS IoCs are valuable forensic data that give away malicious activities. There are three main ways DNS IoCs bring value to the threat hunting process:

• Early Threat Detection

DNS IoCs help detect malicious activities at an early stage. Monitoring DNS traffic for known malicious indicators helps discover potential threats before they escalate into more significant breaches.

• Contextual Insight

DNS IoCs provide valuable data about the nature of the threat. They can reveal the infrastructure used by threat actors, for example. Thus, the security professionals understand the tactics, techniques, and procedures (TTPs) the hackers used.

• Integration with Security Tools

DNS IoCs can integrate into other security tools, such as SIEM (Security Information and Event Management) systems and IDS/IPS (Intrusion Detection System/Intrusion Prevention System). This automates the detection and response to threats processes, saving time and resources for the security team.

5 DNS IoCs That Point to a Cyberattack

Security teams use DNS IoCs to detect potential malicious activities on networks and devices. They review IoCs in order to discover potential data breaches, malware, trojans, etc.

If the attack succeeded, checking the DNS IoCs may still help security admins to efficiently limit damage.

Also, cyber threat hunting is heavily based on identifying unusual DNS requests, which are an important indicator of compromise. Here are some DNS anomaly examples, that are clearly red flags for threat hunters:

Suspicious DNS Query Failures

When malware infiltrates a network, it signals its presence to a control server. To convey instructions to the malware, such as an encryption key in the case of ransomware, threat actors often resort to domain names. They frequently employ Domain Generation Algorithms (DGAs) to generate a multitude of random domain names, thereby eluding detection. Furthermore, in their quest to pilfer data, the malware seeks to establish communication with a Command and Control (C&C) server and exfiltrate the data.

Unrecognized Domain Name Requests

Domains that overlook logical naming conventions and are unlikely choices for legitimate website owners can offer valuable insights. For example, “kdshfguidsfhui.gogle.com” or “fhr12.sdg12.fdr.com” are atypical domain names. Therefore, accurate traffic monitoring can establish a baseline for normal traffic patterns and facilitate the identification of malicious connections.

Off-the-Schedule DNS Queries

Instances wherein employees need to initiate DNS requests outside of regular working hours are scarce. Therefore, an upsurge in DNS request activity during non-business hours should raise suspicions. That might be signaling a security breach that`s about to happen.

Unexpected DNS Queries Volume

An abnormally high volume of DNS traffic attributed to a single IP address or domain merits close scrutiny. This surge in activity could signify malware beaconing, as it attempts to establish connections with command-and-control servers.

Denied Outbound Traffic

Denied outbound traffic can serve as an ominous threat indicator. Even after infiltrating a network, malware often persists in its efforts to communicate with its designated command-and-control server. Firewalls typically block such unsanctioned connections, necessitating the diligent investigation of the source of this outbound traffic by security teams.

DNS Threat Hunting Techniques

Security professionals find DNS threats and prevent DNS-based attacks by using the following techniques:

• DNS Traffic Analysis – Monitoring DNS queries and response traffic reveals suspicious patterns or DNS anomalies I`ve mentioned above. By practicing DNS traffic analysis security teams can discover in time DNS hijacking, DNS cache poisoning, or other attacks.

• DNS Log Analysis – Analyzing DNS logs offers valuable insights into DNS-based attacks. Security teams rely on that to find the source of suspicious queries and discover malicious activities. This is the way they detect DNS tunneling attacks, for example.

• DNS Data Enrichment – This technique involves adding additional context to DNS queries and responses. The location of the requesting IP address, the reputation of the requested domain, or the presence of known malware associated with the requested domain are such valuable data.

• DNS Forensics – Analyzing DNS data after a security incident has already taken place is also a powerful DNS threat hunting technique. This leads to finding the root cause of the attack. DNS forensics involves not only checking DNS logs, but also analyzing DNS queries, response traffic, and investigating the affected systems and networks.

• Threat Intelligence Integration – Correlating threat intelligence (TI) feeds with DNS traffic data helps identify known malicious domains and IP addresses. They provide security teams fresh intelligence on the latest cyberattacks. Consequently, the team will constantly be aware of the latest zero-days, malware, botnets, and so on. However, it`s worth mentioning that using an automatic traffic filtering solution to detect malicious connections is both safer and more efficient.

Security Admins use one, two or all of these DNS threat-hunting techniques to detect and mitigate DNS-based attacks. Using them will protect your network and endpoints no matter the environment or the industry.

Threat Hunting the Smart Way with Heimdal®`s DNS Security Solution

DNS IoCs are a great ally in detecting and preventing all sorts of cyberattacks, including ransomware. However, collecting and going through all that amount of data generated daily by hundreds or thousands of devices is exhausting. Both time and human attention capacity are limited – and valuable – resources. They should not be wasted on processes you can automate.

Heimdal`s DNS Security – Endpoint and DNS Security – Network solutions solve both problems. Our filtering engine uses AI and machine-learning to detect malicious domains that were not yet spotted and prevent future threats. By filtering DNS, HTTP, and HTTPS traffic, the engine identifies and blocks malicious URLs and processes.

The tool enables security teams with comprehensive visibility and control over all endpoints and the network.

If your organization`s digital environment is of high complexity and presents a large attack surface I recommend using Threat hunting & Action Center (TAC). Heimdal`s revolutionary threat hunting platform displays various tools and features onto the same dashboard. This will make threat hunting a fast, easy and precise process that will bolster the organization`s security posture.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.