COMMENTARY: The growing accessibility of artificial intelligence (AI) and other technological advances have lowered the barrier to entry for malicious campaigns, many of which begin with spearphishing from domains that spoof a legitimate organization. In this environment it is challenging enough to stay afloat, let alone get ahead, but by using five techniques proven out by some of the best in the business, MSSPs, practitioners, and leaders can not only protect their organizations but make life hard for the adversaries who threaten them.
No matter the role or responsibility, all five of these techniques can be used to protect an organization from security threats. Whether you are an MSSP looking to proactively protect end customers against attackers, a threat hunter looking to find a threat before it is used against you, or an incident responder reacting to one already underway, DNS-based Internet intelligence supports specific actions that make each of these goals easier to reach.
1. Domain Detection: Discover Trouble Before it’s Caused
Many security organizations prioritize DNS but wait until potentially malicious domains are already resolving in their network before taking action. Discovering domains close to their creation date helps even the playing field and lets a security team thwart a malicious actor's plans before the threat is launched. Whether an organization is looking for brand protection, fraud prevention, or to protect employees from Internet-based threats (phishing, malware, spam, business email compromise, and so on), each of these use cases can be tied to a domain that spoofs a legitimate organization. Detecting and acting on M1cros0ft[.]com before it is used against a user trying to reach Microsoft[.]com protects the organization from several threats at once while minimizing the opportunity for human error. Two caveats apply: a look-alike registration is not proof of intent on its own (some are defensive or simply parked), so confirm what a flagged domain resolves to and whether it serves content before blocking it, and watch for the brand across every TLD, not only the one the organization itself uses.
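As an added example (not code from the original column), here is a small Python detector that applies this idea to a daily feed of new registrations: it strips defanging, undoes common look-alike substitutions, and flags labels that match, embed, or sit within a small edit distance of a protected brand. The brand list, allowlist, homoglyph table and sample domains are constructed assumptions; a production version would use the public-suffix list for the registrable label and a real new-domain feed.

```python
"""Flag newly registered domains that imitate a protected brand.

Added example, not code from the original column. The brand list, the
allowlist, the homoglyph table and the sample feed are constructed.
"""
import re

# Substitutions that keep a label visually close to the brand. Multi-character
# entries come first so "rn" becomes "m" before any single character is touched.
# Illustrative table, not exhaustive.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d",
              "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"}

PROTECTED_BRANDS = ["microsoft", "example"]     # assumption: brands this team protects
ALLOWLIST = {"microsoft.com", "example.com"}     # assumption: the legitimate domains


def refang(domain):
    """Turn a defanged indicator such as m1cros0ft[.]com back into a hostname."""
    return domain.lower().replace("[.]", ".").replace("(.)", ".")


def registrable_label(host):
    """Second-level label; assumes single-label TLDs (no public-suffix list here)."""
    parts = host.strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo look-alike substitutions and drop hyphens and leftover non-letters."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return re.sub(r"[^a-z]", "", label)


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) when the domain spoofs a protected brand, else None."""
    host = refang(domain)
    if host in ALLOWLIST:
        return None
    norm = normalize(registrable_label(host))
    for brand in PROTECTED_BRANDS:
        threshold = 1 if len(brand) < 7 else 2     # short brands get a tighter bound
        if norm == brand:
            return brand, "homoglyph"              # m1cros0ft, rnicrosoft
        if brand in norm:
            return brand, "brand-embedded"         # micros0ft-login
        if levenshtein(norm, brand) <= threshold:
            return brand, "typosquat"              # microsfot
    return None


def scan(domains):
    """Classify a feed of domains; returns [(domain, brand, reason), ...]."""
    hits = []
    for d in domains:
        verdict = classify(d)
        if verdict:
            hits.append((d, *verdict))
    return hits


# Constructed sample of one day's new registrations (not real data).
SAMPLE_NEW_DOMAINS = [
    "M1cros0ft[.]com", "rnicrosoft[.]com", "microsfot[.]com",
    "micros0ft-login[.]net", "microscope[.]com", "microsoft[.]com",
    "example-mail[.]org", "weather-today[.]com",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_NEW_DOMAINS):
        print(hit)
```

The edit-distance bound is deliberately small: microscope[.]com stays clean at distance 3 from "microsoft", while microsfot[.]com is caught at distance 2. Anything this flags is a candidate for the resolution and content checks above, not an automatic block.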
2. Investigation: Tracking the Wolf to Find the Pack
The term "lone wolf" can be misleading; wolves often operate in packs, and following one can lead you to the rest of the group. Domains used for malicious purposes, and the threat actors behind them, can be viewed the same way: adversaries rarely work alone, and they rarely mount an attack with a single domain. Pivoting on information you already have for the domains seen in your network, such as the registrant name, registrant email, IP address, or nameserver, reveals infrastructure you have not yet seen. Be selective about the pivots you follow: a shared hosting IP, a popular nameserver, or a privacy-redacted registrant contact is shared by thousands of unrelated domains and will connect you to noise rather than to the pack. If a wolf represents a threat, getting away from one wolf does not mean the danger has passed; full protection comes from understanding the connections between pieces of malicious infrastructure. Discovering the whole pack at once lets security teams move from putting out fires to addressing the root cause.
3. Enrichment: Scaling the Impact of Work Already Being Done
Sophisticated security teams understand that DNS is where security starts: a lookup normally precedes the connection, so DNS data can surface a threat before the controls further down the path ever see it. Even so, context on what should be treated as a threat, and in what priority, is essential. Domain and IP enrichment (registration date, registrar, hosting ASN, historical resolutions) lets teams take the patterns of malicious infrastructure they already work hard to identify and apply them at scale. Whether by establishing rules within an existing security framework or defining consistent next steps after a discovery made in a SIEM, SOAR, TIP, or LLM, enrichment can automate investigation workflows and provide in-depth insight into DNS data.
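One way to turn enrichment into a rule, as an added example that is not from the original column: enrich each resolver log line with registration age, registrar and hosting ASN, then score it. The log lines, the enrichment table, the watched ASNs and registrars, the observation date and the point values are all constructed assumptions; in practice the enrichment comes from a domain/IP intelligence source and the rules live in the SIEM or SOAR.

```python
"""Enrich resolver logs and apply prioritisation rules.

Added example, not code from the original column. The log lines, the
enrichment table, the watched ASNs/registrars and the point values are
constructed; in practice the enrichment comes from a domain/IP intelligence
source and the rules live in the SIEM or SOAR.
"""
from datetime import date

# Constructed resolver log: "<timestamp> <client> <qname> <qtype> <answer>".
LOG_LINES = """\
2024-05-02T09:14:02Z 10.0.4.17 m1cros0ft.com A 203.0.113.10
2024-05-02T09:14:03Z 10.0.4.17 www.microsoft.com A 192.0.2.20
2024-05-02T09:15:11Z 10.0.9.3 invoice-update.org A 203.0.113.11
2024-05-02T09:16:40Z 10.0.2.8 cdn.example-news.com A 198.51.100.40
2024-05-02T09:17:05Z 10.0.5.21 promo-deals-2024.net A 203.0.113.55
2024-05-02T09:18:30Z 10.0.7.2 no-enrichment.test A 192.0.2.99
"""

# Constructed enrichment keyed by registrable domain. Not real data.
ENRICHMENT = {
    "m1cros0ft.com":        {"created": "2024-04-30", "registrar": "cheap-registrar.example", "asn": 64500},
    "microsoft.com":        {"created": "1995-01-01", "registrar": "corp-registrar.example",  "asn": 64496},
    "invoice-update.org":   {"created": "2024-05-01", "registrar": "cheap-registrar.example", "asn": 64500},
    "example-news.com":     {"created": "2015-03-10", "registrar": "corp-registrar.example",  "asn": 64501},
    "promo-deals-2024.net": {"created": "2024-03-20", "registrar": "cheap-registrar.example", "asn": 64500},
}

TODAY = date(2024, 5, 2)                          # assumption: the day the log was collected
NEW_DOMAIN_DAYS = 30                              # assumption: "new" means under 30 days old
WATCHED_ASNS = {64500}                            # assumption: ASNs seen hosting phishing kits
WATCHED_REGISTRARS = {"cheap-registrar.example"}  # assumption: registrars abused recently


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, client, qname, qtype, answer = line.split()
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "answer": answer}


def registrable(qname):
    """Last two labels; assumes single-label TLDs (no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])


def enrich(event, today, table=ENRICHMENT):
    """Attach age, registrar and ASN; fields stay None when nothing is known."""
    info = table.get(registrable(event["qname"]))
    if info is None:
        return {**event, "age_days": None, "registrar": None, "asn": None}
    age = (today - date.fromisoformat(info["created"])).days
    return {**event, "age_days": age, "registrar": info["registrar"], "asn": info["asn"]}


def score(event):
    """Apply the rules; returns (priority, points, reasons)."""
    points, reasons = 0, []
    if event["age_days"] is not None and event["age_days"] < NEW_DOMAIN_DAYS:
        points += 50
        reasons.append(f"registered {event['age_days']} days ago")
    if event["asn"] in WATCHED_ASNS:
        points += 30
        reasons.append(f"hosted in watched AS{event['asn']}")
    if event["registrar"] in WATCHED_REGISTRARS:
        points += 10
        reasons.append(f"registrar {event['registrar']} on watch list")
    priority = "high" if points >= 60 else "medium" if points >= 30 else "none"
    return priority, points, reasons


def triage(log_text, today):
    """Enrich and score every log line; returns only the events worth a look."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = enrich(parse_line(line), today)
        priority, points, reasons = score(ev)
        if priority != "none":
            alerts.append({"qname": ev["qname"], "client": ev["client"],
                           "priority": priority, "score": points, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in triage(LOG_LINES, TODAY):
        print(alert)
```

A domain with no enrichment at all scores nothing here; that is a deliberate choice so that gaps in the intelligence source produce silence rather than false alarms, and it is worth tracking those gaps separately.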
4. Passive DNS: Track your Adversary without Them Knowing
Passive DNS observes the cache-miss traffic between recursive resolvers and authoritative nameservers and uses it to build a database of the relationships between domain names, IP addresses, and nameservers over time, with first-seen and last-seen timestamps for each pairing. Because the data is collected from traffic that has already happened, querying it sends nothing to the adversary's nameservers; an active lookup against a domain under investigation, by contrast, can land in the attacker's own server logs. Passive DNS captures how threats emerge and evolve, helping security teams make sense of their own DNS traffic and find what is relevant to their organization amid a high volume of data. It records only what contributing sensors have seen, so a domain that has never been resolved through a participating resolver will be absent, and absence is not evidence that a domain is benign.
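The pivot described under technique 2 and the passive DNS relationships described here, as one added example that is not part of the original column: a breadth-first walk from a seed domain across shared IPs, nameservers and registrant emails that refuses to expand any value shared by more than a handful of domains and ignores privacy-redacted contacts. The passive DNS observations, WHOIS contacts and the hub threshold are constructed assumptions.

```python
"""Pivot from one malicious domain to the rest of its infrastructure.

Added example, not code from the original column. The passive DNS
observations, WHOIS contacts and hub threshold are constructed; a real run
would pull them from a passive DNS / WHOIS source.
"""
from collections import defaultdict, deque

# Constructed passive DNS observations as (rrname, rrtype, rdata). Not real data.
PDNS = [
    ("m1cros0ft.com", "A", "203.0.113.10"),
    ("m1cros0ft.com", "NS", "ns1.evil-dns.example"),
    ("secure-login-portal.net", "A", "203.0.113.10"),
    ("secure-login-portal.net", "NS", "ns1.evil-dns.example"),
    ("invoice-update.org", "A", "203.0.113.11"),
    ("invoice-update.org", "NS", "ns1.evil-dns.example"),
    ("hr-benefits-2024.com", "A", "198.51.100.5"),
    ("hr-benefits-2024.com", "NS", "ns1.bigsharedhost.example"),
    # Unrelated tenants of the same shared host; a naive pivot would drag them in.
    ("unrelated-blog.com", "A", "198.51.100.5"),
    ("unrelated-blog.com", "NS", "ns1.bigsharedhost.example"),
    ("another-blog.net", "A", "198.51.100.5"),
    ("another-blog.net", "NS", "ns1.bigsharedhost.example"),
    ("third-blog.net", "A", "198.51.100.5"),
    ("third-blog.net", "NS", "ns1.bigsharedhost.example"),
]

# Constructed registrant contacts from WHOIS/RDAP. Not real data.
WHOIS = {
    "m1cros0ft.com": "registrar-contact@mailbox.example",
    "invoice-update.org": "registrar-contact@mailbox.example",
    "hr-benefits-2024.com": "registrar-contact@mailbox.example",
    "secure-login-portal.net": "REDACTED FOR PRIVACY",
    "unrelated-blog.com": "webmaster@unrelated-blog.com",
    "another-blog.net": "hello@another-blog.net",
    "third-blog.net": "admin@third-blog.net",
}

# Assumption: a value shared by more domains than this is commodity
# infrastructure (shared hosting, a big nameserver) and is not worth expanding.
HUB_THRESHOLD = 3
# Redaction strings are not links between domains.
REDACTED = {"redacted for privacy", ""}


def build_index(pdns, whois):
    """Index pivot values (ip / ns / email) to the domains sharing them, and back."""
    kinds = {"A": "ip", "AAAA": "ip", "NS": "ns"}
    by_value = defaultdict(set)    # ("ip", "203.0.113.10") -> {domains}
    by_domain = defaultdict(set)   # domain -> {pivot keys}
    for rrname, rrtype, rdata in pdns:
        if rrtype in kinds:
            key = (kinds[rrtype], rdata.lower())
            by_value[key].add(rrname.lower())
            by_domain[rrname.lower()].add(key)
    for domain, contact in whois.items():
        if contact.strip().lower() in REDACTED:
            continue
        key = ("email", contact.lower())
        by_value[key].add(domain.lower())
        by_domain[domain.lower()].add(key)
    return by_value, by_domain


def pivot(seed, pdns=PDNS, whois=WHOIS, max_depth=2, hub_threshold=HUB_THRESHOLD):
    """Breadth-first expansion from seed; returns ({domain: path}, {skipped hubs})."""
    by_value, by_domain = build_index(pdns, whois)
    found = {seed: []}             # domain -> list of pivot steps that reached it
    skipped_hubs = set()
    queue = deque([(seed, 0)])
    while queue:
        domain, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for key in sorted(by_domain[domain]):
            linked = by_value[key]
            if len(linked) > hub_threshold:
                skipped_hubs.add(key)
                continue
            for other in sorted(linked):
                if other not in found:
                    found[other] = found[domain] + [f"{domain} -[{key[0]} {key[1]}]-> {other}"]
                    queue.append((other, depth + 1))
    return found, skipped_hubs


if __name__ == "__main__":
    cluster, hubs = pivot("m1cros0ft.com")
    for domain, path in cluster.items():
        print(domain, "<-", " / ".join(path) or "seed")
    print("not expanded (shared infrastructure):", sorted(hubs))
```

With the hub threshold in place the walk stops at hr-benefits-2024[.]com, whose hosting IP and nameserver are shared with unrelated tenants; raising the threshold shows how quickly an unbounded pivot turns a four-domain cluster into a list of innocent neighbours. The right threshold depends on the data source and should be tuned against known-good clusters.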
5. Active Monitoring: Observe Behavioral Changes in Near-Real-Time
The Internet continues to change, as evidenced by the rapid growth in technology over the past few years. Security teams know that adversaries work quickly to cover their tracks and destroy evidence of their infrastructure after launching an attack, which makes it hard to keep an investigation relevant. Placing monitors on domains, IPs, and registrant-related events helps identify these changes as they occur: a nameserver switched to a parking service, A records removed or re-pointed to fresh hosting, a registrant contact replaced or redacted, or a domain dropped entirely. Because the earlier state will be gone by the time the change is noticed, keep every snapshot the monitor takes so the evidence survives.
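A monitor in its simplest form compares the last snapshot with the current one and raises a typed event for each field that moved. The following is an added example, not code from the original column; both snapshots and the severity table are constructed assumptions, and a real monitor would populate the snapshots from scheduled passive DNS, WHOIS/RDAP and resolution checks.

```python
"""Detect infrastructure changes between two monitoring snapshots.

Added example, not code from the original column. Both snapshots are
constructed; a real monitor would fill them from scheduled passive DNS,
WHOIS/RDAP and resolution checks.
"""

# Constructed state of each watched domain at the first collection. Not real data.
SNAPSHOT_T0 = {
    "m1cros0ft.com": {
        "a": {"203.0.113.10"},
        "ns": {"ns1.evil-dns.example", "ns2.evil-dns.example"},
        "registrant_email": "registrar-contact@mailbox.example",
        "status": {"clientTransferProhibited"},
    },
    "invoice-update.org": {
        "a": {"203.0.113.11"},
        "ns": {"ns1.evil-dns.example", "ns2.evil-dns.example"},
        "registrant_email": "registrar-contact@mailbox.example",
        "status": {"clientTransferProhibited"},
    },
    "hr-benefits-2024.com": {
        "a": {"198.51.100.5"},
        "ns": {"ns1.bigsharedhost.example"},
        "registrant_email": "registrar-contact@mailbox.example",
        "status": {"clientTransferProhibited"},
    },
}

# Constructed state a day later: one domain torn down, one expanded, one gone.
SNAPSHOT_T1 = {
    "m1cros0ft.com": {
        "a": set(),
        "ns": {"ns1.parking.example"},
        "registrant_email": "REDACTED FOR PRIVACY",
        "status": {"clientHold"},
    },
    "invoice-update.org": {
        "a": {"203.0.113.11", "203.0.113.12"},
        "ns": {"ns1.evil-dns.example", "ns2.evil-dns.example"},
        "registrant_email": "registrar-contact@mailbox.example",
        "status": {"clientTransferProhibited"},
    },
    # hr-benefits-2024.com no longer appears: it was deleted or stopped resolving.
}

# Nameserver, registrant or deletion changes usually mean the actor moved or
# cleaned up, so they outrank record-level churn. Assumed severities.
SEVERITY = {"a": "medium", "ns": "high", "status": "medium",
            "registrant": "high", "gone": "high", "new": "medium"}


def diff_snapshots(old, new):
    """Compare two snapshots; returns a list of change events, one per field."""
    events = []
    for domain in sorted(set(old) | set(new)):
        before, after = old.get(domain), new.get(domain)
        if after is None:
            events.append({"domain": domain, "kind": "domain_gone", "severity": SEVERITY["gone"],
                           "detail": f"last seen resolving to {sorted(before['a'])}"})
            continue
        if before is None:
            events.append({"domain": domain, "kind": "domain_new", "severity": SEVERITY["new"],
                           "detail": f"now resolving to {sorted(after['a'])}"})
            continue
        for field in ("a", "ns", "status"):
            added, removed = after[field] - before[field], before[field] - after[field]
            if added or removed:
                events.append({"domain": domain, "kind": f"{field}_changed", "severity": SEVERITY[field],
                               "detail": f"added {sorted(added)} removed {sorted(removed)}"})
        if before["registrant_email"] != after["registrant_email"]:
            events.append({"domain": domain, "kind": "registrant_changed", "severity": SEVERITY["registrant"],
                           "detail": f"{before['registrant_email']} -> {after['registrant_email']}"})
    return events


if __name__ == "__main__":
    for event in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(event["severity"].upper(), event["domain"], event["kind"], event["detail"])
```

The events are the trigger for the next step, not the end of it: a nameserver move to a parking service is the moment to pull whatever the passive DNS history still holds, and a new A record on a domain already in a cluster is a new pivot value to feed back into the investigation.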
Domain detection, investigation, enrichment, passive DNS, and active monitoring are essential to putting security professionals on offense and leaving threat actors fuming. Security organizations may already be familiar with some of these techniques, such as using passive DNS and domain registration records to augment other sources of threat intelligence; the question is how they are used and what is still missing. DNS can be used to connect old and new domains, assess their nature, and stay ahead of threat actors. Armed with this information, SOC personnel can identify additional, previously unseen indicators of compromise and run informed and timely investigations into potential cybercrime. Incorporating all five of these DNS-based techniques can improve your team's efficacy and give more bad days to bad actors.
MSSP Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels.