Threat Hunting via DNS | SANS@MIC Talk

  • Published 9 Jul 2024
  • DNS logs are one of the most powerful threat hunting resources, but encryption is rapidly changing that equation.
    Key DNS threat hunting techniques include detecting DNS tunneling and Domain Generation Algorithms (DGAs). It used to be simple(r): log DNS requests and responses on DNS forwarders, or sniff and analyze via tools like Zeek.
    DNS over TLS (DoT) and DNS over HTTPS (DoH) are disrupting the status quo: where does that leave network defenders? This talk will analyze the current state of DNS monitoring, and provide actionable steps for detecting malice on your network via DNS.
    Speaker Bio:
    Certified SANS instructor Eric Conrad's career began in 1991 as a Unix sysadmin for a small oceanographic communications company. He gained experience in a variety of industries, including research, education, power, Internet, and healthcare, and has worked with companies such as Mitsubishi Electric Research Labs, Boston University, The Open Group, Navipath, and Caritas Christi Health Care. He is now an independent information security consultant focusing on intrusion detection, incident handling, and penetration testing. He is a graduate of the SANS Technology Institute with a Master of Science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as the GIAC GPEN, GCIH, GCIA, GCFA, GAWN, and GSEC certifications. He is a contributing author to SANS HIPAA Security Implementation. Eric also blogs about information security at www.ericconrad.com.
    About SANS:
    SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.
  • Science & Technology
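As an added example (not code from the talk or its slides), the two hunts the abstract names can be run over a Zeek-style dns.log excerpt: registered domains are scored for tunneling indicators (many distinct, long, high-entropy subdomains) and source hosts for DGA indicators (mostly NXDOMAIN answers for random-looking second-level labels). The five-field layout, the thresholds, the two-label suffix rule and every hostname and address are simplifying assumptions constructed for this demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample in a simplified Zeek dns.log layout (ts, src, query, qtype_name, rcode_name); names invented.
SAMPLE_LOG = """\
1.0\t10.0.0.5\twww.example.com\tA\tNOERROR
2.0\t10.0.0.5\tmail.example.com\tA\tNOERROR
3.0\t10.0.0.7\t3q4k9x2zv8p0sd7f1a.exfil-test.net\tTXT\tNOERROR
4.0\t10.0.0.7\tz9d2j7kq1m0vx8a3rt.exfil-test.net\tTXT\tNOERROR
5.0\t10.0.0.7\tp1r8g3lw6y0ob4n2ci.exfil-test.net\tTXT\tNOERROR
6.0\t10.0.0.9\tqzxkvjwrtpnb.com\tA\tNXDOMAIN
7.0\t10.0.0.9\twmfkgprtlzbq.net\tA\tNXDOMAIN
8.0\t10.0.0.9\tnvrxjkqplmzt.info\tA\tNXDOMAIN
"""

def shannon_entropy(s):
    """Bits per character: random-looking labels score high, dictionary words low."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def split_name(name):
    """(registered domain, subdomain); assumes a two-label suffix, real use needs the Public Suffix List."""
    labels = name.lower().strip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze(log_text, min_queries=3, entropy_floor=3.0):
    """Return ({registered domain: avg subdomain entropy}, {source IP: NXDOMAIN ratio})."""
    per_domain, per_src = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        _ts, src, query, _qtype, rcode = line.split("\t")
        domain, sub = split_name(query)
        per_domain[domain].append(sub)
        per_src[src].append((domain, rcode))
    # Tunneling: many distinct, long, high-entropy subdomains under one registered domain.
    tunnel = {}
    for domain, subs in per_domain.items():
        uniq = {s for s in subs if s}
        if len(uniq) >= min_queries:
            avg_len = sum(map(len, uniq)) / len(uniq)
            avg_ent = sum(map(shannon_entropy, uniq)) / len(uniq)
            if avg_len >= 12 and avg_ent >= entropy_floor:
                tunnel[domain] = round(avg_ent, 2)
    # DGA: a host whose lookups mostly return NXDOMAIN for random-looking second-level labels.
    dga = {}
    for src, lookups in per_src.items():
        if len(lookups) >= min_queries:
            nx_ratio = sum(rc == "NXDOMAIN" for _, rc in lookups) / len(lookups)
            avg_ent = sum(shannon_entropy(d.split(".")[0]) for d, _ in lookups) / len(lookups)
            if nx_ratio >= 0.5 and avg_ent >= entropy_floor:
                dga[src] = round(nx_ratio, 2)
    return tunnel, dga
```

On the sample, `analyze(SAMPLE_LOG)` flags exfil-test.net as a tunneling candidate and 10.0.0.9 as a DGA candidate while leaving example.com and the other hosts alone; the thresholds are starting points to tune against your own baseline, not fixed rules.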

COMMENTS • 15

  • @faanross · 1 year ago

    Also just wanna thank Eric; yourself, John Strand and Chris Benton are imo the best teachers out there 🙏🏻

  • @SteveWray · 1 year ago

    Something that I noticed is that DNS recon can be fairly easy to spot, and I don't think any of the encryption methods would hide it, if you own the authoritative nameservers and can log from them. I used Elasticsearch's Packetbeat on the nameserver, thereby avoiding the DNS server's logging limitations.

  • @mgillanders · 4 years ago

    awesome!

  • @faanross · 1 year ago

    Sorry if this is moronic, but can companies not just institutionalize a policy where all internal network DNS is Do53, and then only translate to DoH at the egress? And vice versa? I know there is obvs something preventing this; can someone smarter than me please help me out?

  • @Qantum802 · 11 months ago

    🙂 cool

  • @zackthomas5707 · 3 years ago

    Really enjoyed this and learned a ton. Subscribed and thanks for sharing this knowledge.

  • @jum5238 · 4 years ago

    Is it possible to point to the slides directly in the details area above?

    • @ericconrad5783 · 4 years ago

      www.ericconrad.com/2020/03/threat-hunting-via-dns.html

    • @jum5238 · 4 years ago

      @ericconrad5783 Thank you, Eric. But unless I'm missing something, these are the links WITHIN the presentation, not the slides themselves.

    • @ericconrad5783 · 4 years ago

      @jum5238 Click on the "Threat Hunting via DNS" hyperlink to see the slides.