Pengchao Li Slides
DNS
Contents
I Brief Introduction
III Attack Hunting with DNS
IV About Eversec
Attack (Threat) Hunting
Concept
✓ Attack (threat) hunting means proactively searching for malware or attackers that are lurking in your network and may have been there for some time. They could be quietly siphoning off data, patiently listening for confidential information, or working their way through the network looking for credentials powerful enough to steal key information.
Key Point:
✓ Basic security hygiene and properly implemented AV, firewalls, NDR and other automated security tools should stop the majority of threats from getting in. But once an attacker has sneaked into your network undetected, there is often not much to stop them from staying there.
For Security
✓ Easy for DNS channel inspection
✓ Easy for DNS log extraction
✓ Prevents behavior reconnaissance
✓ Mitigates DNS spoofing
✓ Analyzing the content on the wire requires TLS interception
DNS Cyber Threat Intelligence (CTI)
◼ DNS CTI can be defined as 'all the threat information that comes from the DNS system and the interactions of its users'.
◼ DNS serves as an early warning and detection solution for phishing, spam, malicious and suspicious behaviors, and other attacks. DNS intelligence is considered the only source of "ground truth" information for the Internet.
Darknet: Messages sent to non-public and hidden network addresses.
Spam-Select: Selected fields from emails sent to global honeypot spamtraps.
Phishing URLs: PhishLabs data for malicious sites involved in phishing campaigns.
Processed DNS Data: Raw DNS data that has been de-duplicated, filtered and verified.
Newly Active Domains: Domains that were active and went dormant for at least 10 days before the next observation.
Newly Observed Domains: Base domains considered 'new' when compared to the historical database.
DNS Changes: Domains and IP addresses that have changed compared to the historical database.
DNS CTI examples
• Associated IPs: In a similar manner, you can detect related IPs on the same network by looking into DNS information
• Forward DNS records: All present DNS records on the current website
• DNS historical records: Historical DNS records from days, months or years ago
• Subdomain mapping: By accessing all current DNS records, you can also perform subdomain enumeration for current and past subdomains over a period of time
• Reverse DNS records: Current rDNS records obtained by performing a reverse DNS lookup
• Registrar name servers: Current NS records at the domain registrar
• Glue record history: DNS records created at the domain registrar
• Historical registrar name servers: Past information about NS used at the registrar, going back by years
• DNS software identification: Software information for the DNS server you are running, including name and current version
• Associated domain names: DNS intelligence also provides the ability to detect associated domains hosted on the same networks as the main apex domain
DNS as Data Source of Attack Hunting
DNS query logging is effective for detecting hostname lookups of known malicious domains.
DNS logs
How to get DNS logging? Sources include NG FW, IDS, Web Proxy, Switch, UEBA, DPI at the end user, the CTI database, and SOC/SIEM.
DNS cache is a good short-term investigative tool for Attack Hunting.
DNS logs are one of the most actionable data sources.
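The following Python is an added example, not code from the slides or from Eversec: it hunts a constructed sample of BIND-style query-log lines for lookups of domains on a watchlist. The log format, the watchlist entries and the client addresses are all assumptions made up for the example; the point it shows is that a hit must be decided label by label, so that a subdomain of a listed domain matches while a look-alike such as notbad-domain.test does not.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (not real traffic).
SAMPLE_LOG = """\
04-Mar-2021 10:01:02.113 client 10.0.0.5#53211: query: www.example.test IN A + (192.0.2.10)
04-Mar-2021 10:01:03.220 client 10.0.0.5#53212: query: cdn.update.bad-domain.test IN A + (192.0.2.10)
04-Mar-2021 10:01:04.005 client 10.0.0.7#40001: query: BAD-DOMAIN.TEST. IN TXT + (192.0.2.10)
04-Mar-2021 10:01:05.900 client 10.0.0.9#40111: query: notbad-domain.test IN A + (192.0.2.10)
04-Mar-2021 10:01:06.001 client 10.0.0.5#53213: query: mail.example.test IN MX + (192.0.2.10)
"""

# Constructed watchlist standing in for a CTI feed of known malicious domains.
KNOWN_BAD = {"bad-domain.test", "c2.example.org"}

# Assumed line layout: "client <ip>#<port>: query: <qname> IN <qtype> ..."
LINE_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def normalize(name):
    """Lower-case the name and strip the trailing root dot so comparisons are exact."""
    return name.lower().rstrip(".")

def matches_watchlist(qname, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.
    Walking the labels from the right avoids the substring trap: notbad-domain.test
    must not match bad-domain.test."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def hunt(log_text, watchlist=KNOWN_BAD):
    """Parse query-log lines and return {client: [(qname, matched_entry), ...]} for hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line (or a layout this regex does not know)
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits[m["client"]].append((normalize(m["qname"]), matched))
    return dict(hits)

if __name__ == "__main__":
    for client, lookups in hunt(SAMPLE_LOG).items():
        for qname, entry in lookups:
            print(f"{client} looked up {qname} (matches watchlist entry {entry})")
```

On a real resolver the same loop runs over the query log the resolver already writes; only the regex needs adapting to the local log layout.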
Subdomain Enumeration
Subdomain enumeration is the process of finding subdomains for one or more domains. It is an essential part of the reconnaissance phase. There are two types, active subdomain enumeration and passive subdomain enumeration.
Subdomain enumeration is the beginning of most DNS attacks. It mainly relies on brute-force enumeration of subdomain information through DNS queries. The attacker sends a large number of domain name requests to the DNS server within a unit of time. One characteristic of such requests is that the subdomain differs while the main domain name stays the same. The attacker traverses subdomain names to brute-force them, which can facilitate in-depth attacks in a later stage.
https://github.com/boy-hack/ksubdomain
VirusTotal runs its own passive DNS replication service, built by storing the DNS resolutions performed when visiting URLs submitted by users. To retrieve the information for a domain, you just have to put the domain name in the search bar.
Botnet with DGA Domain Name
DGA is a specific algorithm used in malware to generate domain names in batches.
• Attackers can obtain the same DGA domain name, which may lead to collisions.
• Large amount of generated domain names
• Seeds vary over a wide range.
• Complex generation methods
The domain name or IP of the C&C server in a botnet is static. If it is blocked by security personnel, the problem of node failure will easily occur, which will lead to the paralysis of the entire botnet; this is called "central node failure".
The Domain Flux protocol was proposed to address this: its algorithm is a DGA, and the C&C domain name is generated by that algorithm. The mid-nodes between attackers and compromised hosts keep changing, which could evade C&C detection.
DGA seed: the seed is an input chosen by the attacker for the DGA, in order to control the process and result of the DGA.
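As an added example (not from the slides), the following Python scores a domain name for the lexical traits that batch-generated DGA names tend to share: a long registrable label, high character entropy, many digits, few vowels and long consonant runs. The feature thresholds are illustrative assumptions, the sample names are constructed, and the "registrable label" is assumed to be the label left of the last one (no public-suffix list is consulted).

```python
import math
from collections import Counter

VOWELS = set("aeiou")

def shannon_entropy(text):
    """Bits per character of the label; random-looking DGA labels sit high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(fqdn):
    """Assumption for this example: the label before the last one is the registered name."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def dga_features(fqdn):
    label = registrable_label(fqdn)
    vowels = sum(ch in VOWELS for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    # longest run of consonant letters, a cheap proxy for unpronounceability
    run = longest = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest = max(longest, run)
        else:
            run = 0
    return {
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "digit_ratio": round(digits / len(label), 3),
        "vowel_ratio": round(vowels / len(label), 3),
        "max_consonant_run": longest,
    }

def dga_score(fqdn):
    """Count how many of the five illustrative thresholds the name trips (0..5)."""
    f = dga_features(fqdn)
    score = 0
    score += f["length"] >= 12
    score += f["entropy"] >= 3.5
    score += f["digit_ratio"] >= 0.2
    score += f["vowel_ratio"] <= 0.2
    score += f["max_consonant_run"] >= 5
    return score

def flag_dga(names, threshold=3):
    """Return the names whose score reaches the threshold, preserving input order."""
    return [n for n in names if dga_score(n) >= threshold]

# Constructed sample queries: two ordinary names and one random-looking label.
SAMPLE_NAMES = ["www.example.test", "bankofexample.test", "xk3j9qzv8mwlpq2.test"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, dga_features(name), "score", dga_score(name))
    print("flagged:", flag_dga(SAMPLE_NAMES))
```

A score alone is noisy on real traffic (CDN hostnames and hashed labels trip it too), which is why the slides pair lexical signals with CTI and behaviour such as many NXDOMAIN answers from one host; the scoring here is the lexical part only.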
DGA Methods
other end.
Server-based Covert Channel: An attacker runs a UDP-based service (such as OpenVPN) on port 53 and establishes a connection directly from the client, or uses UDP tunneling software to inject data into the spare space at the end of an existing DNS message, making part of the UDP payload a covert channel.
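Both variants above leave a trace on the wire: either the port-53 payload does not parse as DNS at all, or it parses but bytes remain after the last resource record. The following Python is an added example (not from the slides) that walks the DNS header and sections of a UDP payload to find where the message legitimately ends and classifies anything beyond it. The packets are constructed in the code rather than captured; the name www.example.test, the transaction id and the appended marker bytes are assumptions for the example.

```python
import struct

def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def dns_message_end(buf):
    """Return the offset at which a well-formed DNS message ends (header + all sections)."""
    if len(buf) < 12:
        raise ValueError("too short for a DNS header")
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated resource record")
        rdlength = struct.unpack("!H", buf[off + 8:off + 10])[0]
        off += 10 + rdlength               # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if off > len(buf):
        raise ValueError("truncated message")
    return off

def inspect_port53_payload(buf):
    """Classify a UDP payload seen on port 53 as 'dns', 'dns+trailing' or 'not-dns',
    together with the number of bytes that are not part of the DNS message."""
    try:
        end = dns_message_end(buf)
    except ValueError:
        return "not-dns", len(buf)
    trailing = len(buf) - end
    return ("dns+trailing" if trailing else "dns"), trailing

def encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

# Constructed sample packets (not captured traffic).
QNAME = encode_name("www.example.test")
QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + QNAME + struct.pack("!HH", 1, 1)
RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
COVERT = RESPONSE + b"SECRET"            # data hidden in the spare space after the answer
NOT_DNS = bytes.fromhex("38a1b2c3d4e5f60718293a4b5c6d7e8f")   # arbitrary non-DNS bytes

if __name__ == "__main__":
    for label, pkt in [("query", QUERY), ("response", RESPONSE), ("covert", COVERT), ("blob", NOT_DNS)]:
        print(label, inspect_port53_payload(pkt))
```

A sensor would apply this per datagram and count, per source, how often port-53 traffic falls into the two suspicious classes; a single EDNS-padded or malformed packet is noise, a steady stream from one host is not.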
DNS Hijacking
DNS spoofing is a DNS attack that changes the DNS records returned to a querier.
III Attack Hunting with DNS
Attack Detection with DNS at any Stage
Kill chain stages: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objective.
Detection axis, from known to unknown threats: known threats (such as those identified by domain name) are detected with CTI and feature signatures; unknown threats with AI and UEBA.
Indicators observable at each stage:
• Reconnaissance: vulnerability scanning, mapping, password harvesting, harvesting asset information
• Weaponization: document attack trojan, specially designed trojan, malicious script
• Delivery: hacker tool, download, website, malicious email
• Exploitation: vulnerability exploitation, web attack
• Installation: webshell, bots/trojan/worm, ransomware
• Command & Control: beacon signal, C&C CTI, abnormal network flow, covert channel
Entity Profiling with DNS Intelligence in Confrontation
Profile dimensions: Organization, Hobbies, Health Status, Location, Who is
Intelligence confrontation: asymmetric CTI utilization (IOC/TTP CTI)
Analysis and detection: attack relationship analysis and detection, scripting, threat hunting, big data modelling, machine learning, sandbox detection
CTI sources: Phishing URL, Darknet, Spam-Select, Processed DNS Data, Newly Active Domains, DNS Changes
Sensors feeding CTI: NG FW, IDS, NDR, Web Proxy
DNS Subdomain Enumeration Detection
A DNS subdomain enumeration detection model is proposed based on DNS CDR logs taken from DNS logging on the DNS server (e.g. requests for www.test.com).
Feature extraction: DNS request domain name, data packet characteristics, message features, domain name request behavior, and connection statistics.
Model components: connection rules database, signature database, logistic regression, linear regression, DNS traffic analysis, UDP payload analysis, tunnel software recognition.
DNS traffic
DNS Hijacking Hunting with CTI
Solution: Hijacking Resource Intelligence Extraction and its Application
Build a DNS CTI DB: 3 steps to build an ultimate DNS hijacking CTI DB. We should confirm the accuracy of hijacked DNS labeling.
Leverage machine learning: it takes automation to beat automated attacks. We need to take measures to analyze, detect and even predict DNS hijacking related behavior before it happens.
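One way to keep hijack labels accurate before they enter a CTI DB is to require cross-resolver consensus: a resolver is only labelled as returning a hijacked answer when most other resolvers agree on a different answer for the same name, and names without a clear majority (round-robin or CDN answers) are left unlabelled. The following Python is an added example, not Eversec's method; the resolver addresses, domains and answers are constructed, and the agreement threshold is an assumption.

```python
from collections import Counter, defaultdict

# Constructed observations (resolver, domain, answer IP); not real data.
OBSERVATIONS = [
    ("198.51.100.1", "login.example.test", "192.0.2.10"),
    ("198.51.100.2", "login.example.test", "192.0.2.10"),
    ("198.51.100.3", "login.example.test", "192.0.2.10"),
    ("198.51.100.4", "login.example.test", "203.0.113.66"),   # disagrees with the rest
    ("198.51.100.1", "cdn.example.test", "192.0.2.20"),
    ("198.51.100.2", "cdn.example.test", "192.0.2.20"),
    ("198.51.100.3", "cdn.example.test", "192.0.2.21"),
    ("198.51.100.4", "cdn.example.test", "192.0.2.21"),       # split answers, no majority
]

def answers_by_domain(observations):
    """Group observations as {domain: {resolver: answer_ip}}; a resolver's latest answer wins."""
    grouped = defaultdict(dict)
    for resolver, domain, ip in observations:
        grouped[domain.lower().rstrip(".")][resolver] = ip
    return grouped

def find_divergent_resolvers(observations, min_resolvers=3, min_agreement=0.66):
    """For every domain seen from at least min_resolvers resolvers, take the most common
    answer; only when at least min_agreement of the resolvers gave it is it treated as
    ground truth, and each resolver returning something else is reported as
    (resolver, domain, its_answer, consensus_answer). Domains without a clear majority
    are skipped rather than mislabelled."""
    findings = []
    for domain, per_resolver in answers_by_domain(observations).items():
        if len(per_resolver) < min_resolvers:
            continue                                  # too few witnesses to label anything
        consensus_ip, votes = Counter(per_resolver.values()).most_common(1)[0]
        if votes / len(per_resolver) < min_agreement:
            continue                                  # legitimate disagreement, leave unlabelled
        for resolver, ip in sorted(per_resolver.items()):
            if ip != consensus_ip:
                findings.append((resolver, domain, ip, consensus_ip))
    return findings

if __name__ == "__main__":
    for resolver, domain, ip, expected in find_divergent_resolvers(OBSERVATIONS):
        print(f"{resolver} answered {ip} for {domain}; consensus is {expected}")
```

Consensus is a label of candidate hijacks, not proof: geographic load balancing can make one honest resolver disagree with the rest, so the finding should be corroborated (for example against the authoritative servers or a DNSSEC-validated answer) before the record is written into the hijacking CTI DB.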
IV About Eversec
EVERSEC TECHNOLOGY CO., LTD - An Overview
Botnet detection: botnet distribution
Malicious domain name detection: phishing website, DGA domain name
Intrusion detection: webshell, intrusion tampering, dark chain
Malicious traffic detection
Association analysis
APT detection: new generation comprehensive APT traffic detection based on IOC+TTP, introducing threat intelligence association mining and prediction technology, and in-depth analysis of a session-oriented TTP model
Traceability analysis: intelligence clue expansion, traceability of the attack chain
Knowledge Application and Insight Analysis Based on Knowledge Graph Technology
Pipeline: project objective → data → knowledge graph construction (domain data, knowledge map, graph algorithm + ...) → knowledge database → business scenario → industry map → capacity output → application
Knowledge insight: insight into data and the outline of things; insight into information and the logic behind it; insight into knowledge to draw a network map.