Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

DNS Monitoring: Connecting the Dots for Better Internet Security

Defenders Need to Gain a Clearer Picture of What’s Happening on Their DNS Infrastructures and IP Networks

Defenders Need to Gain a Clearer Picture of What’s Happening on Their DNS Infrastructures and IP Networks

In my previous column I wrote about how profit-driven attackers are hijacking legitimate online resources to launch campaigns. One way in which they do this is by using the Domain Name Service (DNS) to connect to sites that are known bad or suspicious and incorporate them into their campaigns. They use DNS in one of three ways: to gain command and control, to exfiltrate data, or to redirect traffic. Since few companies monitor DNS for security purposes, DNS has become an ideal avenue for attackers.

Enforcing security at the DNS layer is essential for identifying and containing malware infections that use DNS to execute their mission. Preventing threats before a connection ever happens is the first order of business. And this capability must travel off the network, following employees and their devices wherever they are and however they connect to the Internet. Technology that tracks malicious IP addresses and blocks connections to malicious infrastructure can thwart attackers aiming to capitalize on this common security blind spot. The more dangerous connections we block, the fewer threats we have to deal with inside the network.

DNS Threat IntelligenceBut when an attack is successful, DNS monitoring can also help connect the dots, furthering investigations by determining the type and source of infrastructure supporting the attack. In the case of the Angler exploit kit, such technology helped to provide greater visibility into the IP infrastructure in use. Angler operators were essentially moving from one IP address to the next in a linear fashion to conceal the threat activity and to prevent any interruption to their moneymaking. Analysis of the domain activity associated with the threat provided a deeper understanding of the techniques incorporated and how to stop them.

As attackers continue to innovate, for example bypassing the need to resolve a domain name by incorporating direct command and control connections, defenders are responding with their own innovations to more quickly identify attacks in progress.

The emergence of predictive IP-based threat intelligence is one such innovation. This involves applying algorithms to traffic patterns to hone in on malicious activity as opposed to scanning for content. This data science-based technique is akin to that used by music services like Pandora. But instead of using patterns of sound waves in music you listen to in order to identify other music you may like, it uses network traffic patterns to identify malicious attacks.

Some domains have consistent high-volume incoming traffic. Others might have sudden spikes in traffic at regular intervals or follow some other pattern entirely. But the traffic patterns for domains that are being used in attacks are much faster and shorter since they are only used for a brief period of time as a way to remain under the radar. Being able to detect transient patterns and cross-referencing those findings with other data helps detect and take action to stop attacks that are underway.

The ability to anticipate an attack takes this data analysis to the next level. Beginning with the clues found by analyzing traffic patterns, it uses all the other steps a cybercriminal goes through to hijack infrastructure – from choosing a hosting provider to deploying server images – to determine whether an attack is going to take place. This deeper and more extensive analysis of the hosting infrastructure allows you to predict and prevent emergent threats.

As cybercriminals use the Internet to launch attacks, we need to gain a clearer picture of what’s happening on DNS infrastructures and IP networks. This starts with security teams and DNS experts working together and in alignment with the right technology. Our ability to connect more and more dots to fine tune intelligence is essential to identifying and stopping attacks faster. Not only that, continuing to advance data science as adversaries continue to evolve their methods of attack will allow us to zero-in on more Internet-based attacks before they occur.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...