DNS Data is a Gold Mine for Security Investigation
The Domain Name System (DNS) is a hierarchical, decentralized naming system. It delegates the responsibility for assigning domain names and mapping those names to Internet resources by designating authoritative name servers for each domain.
DNS data is ubiquitous in the network because making a DNS query is usually the first step devices have to take to communicate with other devices.
DNS data contains lots of useful information when you use it for security investigation. For example, let’s say you’ve got the following query:
19-Feb-2018 14:56:38.085 client 10.120.21.0#51964: query: nnr368hzyabbea.badguy.com IN A + (10.196.106.11)
This is a BIND-style query-log line. It says that on 19-Feb-2018 at 14:56:38.085 the machine with IP address 10.120.21.0 (from source port 51964) asked the DNS server listening on 10.196.106.11 for the IPv4 address (an A record in class IN) of nnr368hzyabbea.badguy.com; the + flag shows the client asked for recursion.
You can ask a few questions just by looking at the query:
- Is nnr368hzyabbea.badguy.com a normal domain or a malicious domain or an invalid domain?
- Is the machine with IP address 10.120.21.0 issuing queries to badguy.com with a different prefix, for example, akdg3f7abl.badguy.com?
- Are there other machines in your network issuing queries to nnr368hzyabbea.badguy.com, just badguy.com or with a different prefix, for example, akdg3f7abl.badguy.com?
If badguy.com is a known malicious domain hosting a command-and-control server, the query for nnr368hzyabbea.badguy.com could be a covert beacon from malicious software on the machine 10.120.21.0 to that server: the random-looking leftmost label is chosen by the malware, and the authoritative server for badguy.com sees it whether or not the name actually resolves. If the machine with the IP address 10.120.21.0 issues many such queries to badguy.com with different prefixes, the prefixes themselves may be carrying data out of the network (DNS tunneling), for example one encoded or encrypted credit card number at a time.
If you have other machines in your network also contacting badguy.com (possibly with a different prefix), you may have a botnet infection in your network trying to establish communication with the command-and-control server.
As you can see, a simple DNS query can tell you a lot about potential security issues in your network, if you know where to look. But how can you automate and scale the investigation process? The obvious answer would be using a SIEM with all the DNS data.
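The three questions above can be answered mechanically over the query log. The following is an added example (not code from the original post or from Infoblox): it parses BIND-style query-log lines like the one shown, and then, per registered domain, checks the name against a threat-intelligence list, counts the distinct prefixes each client used under a listed domain (the tunneling/exfiltration pattern), and counts the distinct clients that contacted a listed domain (the botnet pattern). The log lines, the badguy.com threat list and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (synthetic, not captured traffic).
SAMPLE_LOG = """\
19-Feb-2018 14:56:38.085 client 10.120.21.0#51964: query: nnr368hzyabbea.badguy.com IN A + (10.196.106.11)
19-Feb-2018 14:56:39.102 client 10.120.21.0#51970: query: akdg3f7abl.badguy.com IN A + (10.196.106.11)
19-Feb-2018 14:56:40.117 client 10.120.21.0#51977: query: zq0p1mv8ctaa4.badguy.com IN A + (10.196.106.11)
19-Feb-2018 14:56:41.003 client 10.120.21.0#51980: query: www.example.com IN A + (10.196.106.11)
19-Feb-2018 14:57:02.550 client 10.120.22.17#40211: query: h7f2kq.badguy.com IN TXT + (10.196.106.11)
19-Feb-2018 14:57:05.871 client 10.120.23.4#40500: query: badguy.com IN A + (10.196.106.11)
19-Feb-2018 14:57:09.000 client 10.120.23.4#40501: query: mail.example.com IN MX + (10.196.106.11)
"""

# Hypothetical threat-intelligence list of registered domains known to host C2 (assumed).
MALICIOUS_DOMAINS = {"badguy.com"}

# One BIND 9 query-log line: timestamp, client ip#port, qname, class, type, flags, server address.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)$"
)


def parse_line(line):
    """Return a dict of fields for one query-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot and case
    return rec


def registered_domain(qname):
    """Last two labels of the name (badguy.com for x.y.badguy.com).
    Simplification: a production rule should use the Public Suffix List so that
    names under suffixes such as co.uk are grouped correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyze(log_text, malicious=MALICIOUS_DOMAINS, prefix_threshold=3, client_threshold=2):
    """Answer the three questions from the post over a block of query-log text.

    malicious_queries: every query whose registered domain is on the threat list
    possible_exfil:    (client, domain, n) where one client used >= prefix_threshold
                       distinct names under a malicious domain (tunneling / exfil pattern)
    possible_botnet:   (domain, clients) where >= client_threshold distinct clients
                       queried the same malicious domain
    """
    names_by_client_domain = defaultdict(set)  # (client, domain) -> distinct qnames
    clients_by_domain = defaultdict(set)       # domain -> distinct client IPs
    malicious_queries = []

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not fatal
        domain = registered_domain(rec["qname"])
        names_by_client_domain[(rec["client"], domain)].add(rec["qname"])
        clients_by_domain[domain].add(rec["client"])
        if domain in malicious:
            malicious_queries.append((rec["ts"], rec["client"], rec["qname"], rec["qtype"]))

    possible_exfil = sorted(
        (client, domain, len(names))
        for (client, domain), names in names_by_client_domain.items()
        if domain in malicious and len(names) >= prefix_threshold
    )
    possible_botnet = sorted(
        (domain, sorted(clients))
        for domain, clients in clients_by_domain.items()
        if domain in malicious and len(clients) >= client_threshold
    )
    return {
        "malicious_queries": malicious_queries,
        "possible_exfil": possible_exfil,
        "possible_botnet": possible_botnet,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key)
        for item in value:
            print("  ", item)
```

On the sample, 10.120.21.0 is flagged for three distinct prefixes under badguy.com, and badguy.com is flagged because three different clients contacted it. The same two counters are what a SIEM correlation rule would maintain; the thresholds are the tunable part, and a threat list is what turns "many prefixes" from a CDN artefact into an alert.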
Challenges in Using your SIEM with DNS Data
You have at least the following challenges when you try to do security investigation with DNS data in your SIEM:
- You need to automate the process to load all the DNS data into your SIEM.
- You need to avoid exceeding your SIEM license limit to accommodate all the DNS data.
- You need to set up rules to generate alerts with the DNS data.
The first challenge may sound trivial. Aren't all SIEM solutions built to load data from DNS servers?
Not exactly, because the existing methods have significant side effects on DNS performance.
Most of the leading SIEM solutions do provide the ability to load data from DNS solutions. For example, ArcSight has a Smart Connector that loads syslog data from Infoblox, see SmartConnector for Infoblox NIOS Syslog (1)
So does Splunk, see Splunk add-on for Infoblox (2)
Each of these was built to load event data, such as a configuration change on the appliance, not the raw DNS queries. Because of the enormous number of DNS queries an enterprise generates, sending the raw query data to those SIEMs via syslog puts such a heavy load on the DNS appliance that its core function, serving DNS, performs below the level you need.
For the second challenge, most SIEMs charge customers by volume of data ingested, usually in units of GBpD (gigabytes per day) or EpS (events per second). For example, a leading SIEM solution charges $1,500 per GBpD if you choose its perpetual license option. That means that for a typical 10,000-person organization generating 3,000 DNS queries per second, the data maps to 78 GBpD, or $117,000 in license cost. (At Infoblox, we usually estimate 3,000 DNS queries per second for a 10,000-person organization, based on data from our customers.) DNS query volume generally grows with headcount, so if your organization has more than 10,000 people, expect to pay your SIEM vendor more than that just in license cost to ingest DNS query and response data.
Finally, for the third challenge, SIEMs are useful for security investigation because they can generate alerts based on rules, but these rules need to be established. What kind of rules should you have when you have DNS data in the system? A deep dive on this topic is beyond the scope of this blog but generally speaking, you could have a rule that correlates your DNS query target domains to a predefined malicious domain list which you may get from your threat intelligence provider. Or you could have another rule to count the number of queries to servers located in certain geographic regions and generate an alert when the count exceeds a certain threshold.
Use Infoblox Data Connector to Optimize Your SIEM Solution with DNS Data
Infoblox offers a software utility called Data Connector to address the first two challenges mentioned above. It uses SCP (Secure Copy) to securely transfer DNS query and response data in files, thus decreasing the performance overhead on DNS appliances caused by syslog. It also has a built-in filtering mechanism to avoid sending data on known benign domains to SIEMs to save customers unnecessary SIEM license cost. Customers can configure the content of the benign domain list. Bridging between a customer’s DNS network infrastructure and the SOC, Data Connector automates and streamlines the process to provide DNS data for security investigation. It currently supports Splunk and will soon support most of the leading SIEMs.
See the Infoblox Data Connector User Guide.
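The benign-domain filter described above, and the volume estimate from the licensing discussion, can be sketched in a few lines. This is an added example, not Data Connector's own code: it suppresses queries for allowlisted domains and their subdomains, matching only on label boundaries so that a look-alike such as notexample.com is not dropped along with example.com, and then estimates the GB/day and license cost before and after suppression. The allowlist, the sample names and the 300-byte average record size are assumptions; the 3,000 qps and $1,500/GBpD figures are the post's.

```python
# Constructed allowlist of benign domains (assumed; a real list would be the
# organisation's own top talkers such as its SaaS and software-update services).
BENIGN_SUFFIXES = {"example.com", "windowsupdate.com", "office.net"}

# Constructed sample of queried names, as extracted from the query log.
SAMPLE_QNAMES = [
    "www.example.com", "mail.example.com", "example.com",
    "notexample.com",                       # look-alike, must NOT be suppressed
    "ctldl.windowsupdate.com", "ctldl.windowsupdate.com",
    "nnr368hzyabbea.badguy.com", "akdg3f7abl.badguy.com", "h7f2kq.badguy.com",
    "example.com.evil.test",                # allowlisted name as a prefix, must NOT match
]


def is_benign(qname, suffixes=BENIGN_SUFFIXES):
    """True if qname is an allowlisted domain or a subdomain of one.
    The match is anchored on label boundaries and at the end of the name, so
    'notexample.com' and 'example.com.evil.test' are not matched by 'example.com'."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)


def filter_benign(qnames, suffixes=BENIGN_SUFFIXES):
    """Split names into (kept, dropped) and report the fraction suppressed."""
    kept = [q for q in qnames if not is_benign(q, suffixes)]
    dropped = [q for q in qnames if is_benign(q, suffixes)]
    reduction = len(dropped) / len(qnames) if qnames else 0.0
    return kept, dropped, reduction


def license_cost(qps, bytes_per_record, price_per_gbpd, suppressed_fraction=0.0):
    """Return (GB per day, license cost) for a steady query rate, optionally after
    suppressing a fraction of the records. Uses decimal gigabytes (1e9 bytes)."""
    gb_per_day = qps * 86400 * bytes_per_record * (1.0 - suppressed_fraction) / 1e9
    return gb_per_day, gb_per_day * price_per_gbpd


if __name__ == "__main__":
    kept, dropped, reduction = filter_benign(SAMPLE_QNAMES)
    print("kept:", kept)
    print("dropped:", dropped)
    print("suppressed fraction:", reduction)
    # 3,000 qps and $1,500/GBpD are the post's figures; 300 bytes/record is an assumption.
    print("before:", license_cost(3000, 300, 1500))
    print("after: ", license_cost(3000, 300, 1500, suppressed_fraction=reduction))
```

The label-boundary check is the part worth keeping: a plain substring or endswith test on "example.com" would silently suppress notexample.com, which is exactly the kind of name an attacker registers. At roughly 300 bytes per logged query and response, 3,000 qps comes to about 78 GB/day, which matches the post's estimate; halving the volume halves the license cost.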
In addition, Infoblox offers a suite of security products including signature-based Advanced DNS Protection, advanced Threat Intelligence, and Threat Insight, as part of the ActiveTrust® and ActiveTrust® Cloud solutions. Together, these solutions monitor DNS traffic at different checkpoints and disrupt malware communications. For more information, please visit infoblox.com.
Philip Qian is a senior product manager managing Infoblox’s security solutions including Threat Insight and Data Connector. Prior to Infoblox, he worked at ArcSight as a product manager for the ArcSight SmartConnectors.