DNS Log Analysis for Network Security in SureLog SIEM

DNS has an important role in how end users in your enterprise connect to the internet. Each connection made to a domain by the client devices is recorded in the DNS logs. Inspecting DNS traffic between client devices and your local recursive resolver could reveal a wealth of information for forensic analysis.

DNS queries can reveal:

• Botnets/Malware connecting to C&C servers
• What websites visited by an employee
• Which malicious and DGA domains were accessed
• Which dynamic domains (DynDNS) accessed
• DDOS attack detection like NXDomain, phantom domain. random subdomain

DNS has less attention and most organizations focus resources on analyzing web or email traffic where they believe attacks often take place. In reality, diligent endpoint monitoring is required to find and prevent DNS tunneling.

Furthermore, tunneling toolkits have become an industry and are wildly available on the Internet, so hackers don’t really need technical sophistication to implement DNS tunneling attacks.

Common Abuse Cases

· Malware command and control (C&C) — Malware can use DNS Tunneling to receive commands from its control servers, and upload data to the internet without opening a single TCP/UDP connection to an external server. Tools like Dnscat2 are made specifically used for C&C purposes.

· Create a “firewall bypassing” tunnel — DNS Tunneling allows an attacker to place himself into the internal network by creating a complete tunnel.

· Bypass captive portals for paid Wi-Fi — A lot of captive portal systems allow all DNS traffic out, so it’s possible to tunnel IP traffic without paying a fee.

How It Works

1. The attacker acquires a domain, for example, evilsite.com.

2. The attacker configures the domain’s name servers to his own DNS server.

3. The attacker delegates a subdomain, such as “tun.evilsite.com” and configures his machine as the subdomain’s authoritative DNS server.

4. Any DNS request made by the victim to “{data}.tun.evilsite.com” will end up reaching the attacker’s machine.

5. The attacker’s machine encodes a response that will get routed back to the victim’s machine.

6. A bidirectional data transfer channel is achieved using a DNS tunneling tool.

Identifying the threats using SureLog

If we look at this from a purely detection standpoint, there are a couple of things that could be done with the logs. The first is comparing the domain and IP it resolves to against a blacklist. These blacklists are commonly built from intelligence sources that call out the Indicators of Compromise (IOC). The second is rule based correlation. The Third is DGA detection.

While parsing each DNS log, we verify each domain accessed against:

• Malicious domain database (updated on regular basis)
• Rule Based Correlation

o Newly Observed Domains : domains your corp has never visited before, always useful. Many corps run a default block list on these for 1–14 days or so.

o Newly Registered Domains with Alexa ranking:

• Entropy Calculation
• Domain Generation Algorithm (DGA) [1].

Threat Intelligence

SureLog utilizeses TI feeds to detect DGA domians. But attackers register DGA domains for short periods. This just-in-time registration makes it difficult for security applications and reputation systems to blacklist the domain.

Correlation Rules

SureLog has built-in rules like it domain is not in Alexa 1 million and created within last 24 hours, notify

Entropy Calculation

The basic principle behind this form of DGA detection is to calculate an entropy value for each domain seen and store this value in an ESA window. We can then use the values in the ESA window to calculate an average entropy for the domains seen within an environment, this subsequently allows an alert to be generated if any domains exceed the average entropy by 1.3x

Use this score in conjunction with DGAScore.

DGA Detection

Analysis needs to be performed on the domains extracted from DNS messages to determine whether they are DGAs. This is perhaps the most complicated step. The challenge is to reduce both false positives as well as false negatives. [1]

SureLog use a heuristics-based detection mechanism to identify the following:

• Bots employing DGA technique.
• The IP address of the C&C server of the DGA botnet.
• Hosts attempting to communicate with the C&C server domain.

SureLog adds extra information for the queries to show if it’s a normal looking query name or DGA query name. If DGAScore<4, it means that the query looks like DGA, indicating a suspicious behavior (example: asjdhajkhda.xyz.com). If deviceCustomNuber1>4 it means that the query looks like a normal(example: www.google.com).

References

1. https://surelogsiem.com/2019/10/05/domain-generation-algorithm-dga-detection-in-surelog/