A critical part of proactive threat hunting is looking for attackers who may have already infiltrated the network. One such threat is malware-infected systems inside the network. Once the malware is ready to exfiltrate data, it tries to contact its command and control (C&C) server. To locate that server, the infected system asks the DNS resolver, the server that handles DNS requests, to resolve the malicious domain. Because every such attempt requires the DNS resolver to act, DNS server logs can be of immense help in discovering threat actors.
Indicators of compromise (IoCs) are pieces of forensic evidence that identify malicious activity and help detect the presence of potential threat actors in your network. Here are a few DNS IoCs that you should watch out for in your DNS server and traffic logs.
These IoCs have a very short lifespan, becoming obsolete in mere hours, so they need to be acted upon quickly. Their discovery can be easily automated, provided the right solution is configured with the right settings.
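A minimal version of this check, as an added example that is not part of the original post or of any product it mentions: it parses constructed BIND-style query-log lines and flags lookups whose name equals, or falls under, a domain in a constructed indicator set (placeholder domains, not real IoCs).

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines in a simplified BIND-style query-log format (not real traffic).
SAMPLE_QUERY_LOG = """\
12-Mar-2024 09:14:02.113 queries: info: client 10.0.5.21#51234 (www.example.com): query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 09:14:05.771 queries: info: client 10.0.5.21#51240 (beacon.bad-c2.example): query: beacon.bad-c2.example IN A + (10.0.0.53)
12-Mar-2024 09:14:06.002 queries: info: client 10.0.7.88#44011 (cdn.update.bad-c2.example): query: cdn.update.bad-c2.example IN TXT + (10.0.0.53)
12-Mar-2024 09:14:09.530 queries: info: client 10.0.5.21#51241 (mail.example.org): query: mail.example.org IN MX + (10.0.0.53)
"""

# Constructed indicator set (placeholder domains, not real IoCs). In practice this would be
# loaded from a STIX/TAXII feed and refreshed often, since DNS IoCs go stale within hours.
MALICIOUS_DOMAINS: Set[str] = {"bad-c2.example", "callback.invalid"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def is_indicator_match(qname: str, indicators: Set[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching is case-insensitive and ignores a trailing dot, so 'BEACON.bad-c2.example.'
    still matches the indicator 'bad-c2.example'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def hunt_dns_log(log_text: str, indicators: Set[str]) -> List[Dict[str, str]]:
    """Parse query-log lines and return one record per lookup that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        ioc = is_indicator_match(m["qname"], indicators)
        if ioc:
            hits.append({"time": m["ts"], "client": m["client"], "qname": m["qname"],
                         "qtype": m["qtype"], "indicator": ioc})
    return hits


if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_QUERY_LOG, MALICIOUS_DOMAINS):
        print(hit)
```

The client address in each hit is the host to triage first; the same client querying several names under one flagged domain is a stronger signal than a single lookup.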
ManageEngine's Log360 is a one-stop solution that helps enterprises mitigate external and internal threats with alerting, data security, event correlation, threat intelligence, and more. It has a built-in STIX/TAXII feed processor and a global IP threat database that can instantly detect known malicious traffic passing through the network, as well as outbound connections to malicious domains and callback servers. The advanced threat analytics add-on gives deeper insights into the threats.
Zoho Corporation Pvt. Ltd. All rights reserved.