
SANS Internet Storm Center (ISC) InfoSec Forums


OpenDNS Research Used to Predict Threat

Two researchers (Dhia Mahjoub & Thomas Mathew) recently presented at BruCON on how they use DNS traffic to detect patterns typical of exploit kit landing domains. Obviously most of us won't see the volume of DNS queries OpenDNS collects (over 70 billion per day, or about 1/2 TB per hour), but the principle shown in the presentation is very interesting: a technique called "Spike Rank" (SPRank) that leverages DNS traffic seen below the recursive resolvers instead of the well-known domain reputation approach. "SPRank detects domains showing as a sudden surge — or a spike — in DNS queries issued from our 65 million worldwide clients towards our resolvers."[1]

Their results so far appear very promising: they have been able to detect malware campaigns such as the Angler, RIG, and Nuclear exploit kits, in addition to DGAs, fake software, and phishing. Take some time to watch their BruCON presentation on YouTube [2] and to read their recently published post [1].

Do you mine your DNS data and how successful are you at finding malicious activity?

[1] https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/
[2] https://www.youtube.com/watch?v=8edBgoHXnwg/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu
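As an added illustration of the spike idea described above (this is example code, not the diary's or OpenDNS's SPRank implementation): bucket resolver query logs per domain per time window, then flag domains whose latest-window volume jumps far above their recent baseline. The log lines, domain names and window sizes are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

def constructed_log():
    """Constructed sample, not real traffic: six one-minute windows from 10:00.
    A steady domain gets 10-12 queries per window; a second domain is never
    seen until the last window, where 25 distinct clients suddenly query it."""
    lines = []
    for w in range(6):
        for i in range(10 + w % 3):
            lines.append(f"2015-11-20T10:0{w}:{i:02d} 10.0.0.{i + 1} www.example.org")
    for i in range(25):
        lines.append(f"2015-11-20T10:05:{30 + i:02d} 10.0.1.{i + 1} newly-seen.example")
    return lines

def bucket_queries(lines, window_s=60):
    """Map each domain to {window_index: query_count} from '<ts> <client> <qname>' lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines instead of aborting the run
        ts = datetime.fromisoformat(parts[0]).replace(tzinfo=timezone.utc)
        window = int(ts.timestamp()) // window_s
        counts[parts[2].rstrip(".").lower()][window] += 1
    return counts

def spike_score(history, current):
    """How many baseline standard deviations the current window sits above
    its recent history; a flat or empty history falls back to a plain ratio."""
    base, sd = mean(history), pstdev(history)
    return (current - base) / (sd if sd > 0 else max(base, 1))

def rank_spikes(lines, window_s=60, baseline_windows=5, threshold=3.0):
    """Return [(domain, score)] for domains spiking in the latest window, highest first."""
    counts = bucket_queries(lines, window_s)
    if not counts:
        return []
    last = max(w for per in counts.values() for w in per)
    flagged = []
    for domain, per in counts.items():
        # Windows where the domain was absent count as zero, so a never-before-seen
        # name that suddenly bursts scores high, which is the SPRank signal.
        history = [per.get(w, 0) for w in range(last - baseline_windows, last)]
        score = spike_score(history, per.get(last, 0))
        if score >= threshold:
            flagged.append((domain, score))
    return sorted(flagged, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    for domain, score in rank_spikes(constructed_log()):
        print(f"{domain}: spike score {score:.1f}")
```

On a real resolver this is only a first filter: a legitimately viral domain spikes too, so flagged names still need the IP-space and infrastructure checks the OpenDNS post combines with SPRank.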

"Do you mine your DNS data"...How would one go about doing that exactly?
AAInfoSec
This, perhaps?
http://pen-testing.sans.org/blog/pen-testing/2015/07/10/dns-anomaly-analysis-tips-did-you-put-a-new-cover-sheet-on-that-ddd-report
John
Thanks, this is a great post, but unfortunately it's for a non-Windows DNS server.
AAInfoSec