Combating Attacker Agility
With the vast threat surface and endless potential entry points available to cybercriminals today, attacks are becoming steadily more agile. After exploiting internet infrastructure to conduct an attack, these bad actors evade detection by jumping across domains, IP addresses, and name servers.
To significantly decrease detection and response time in cyber investigations, organizations need to constantly feel the pulse of the internet's address book, the Domain Name System. A historical view of DNS data not only illuminates how attackers 'rolled' through domains and IPs, but also helps security teams detect new patterns of maliciousness and ascertain the breadth of targeted attacks.
Here, we will show how combining Farsight DNSDB’s passive DNS intelligence with Demisto’s security orchestration and automation capabilities lends users a rich, multi-faceted view of the global internet infrastructure and helps combat attacker agility.
Using Demisto and Farsight DNSDB, you can:
- Query DNSDB from the Demisto console for rdata records (every name that has pointed at a given IP address or other record value).
- Query DNSDB from the Demisto console for rrset records (everything a given domain name has resolved to, with first-seen and last-seen times).
- Trigger playbooks for triage, enrichment, and resolution of incidents using DNSDB actions.
- Leverage 140+ Demisto product integrations to add further context to DNSDB data.
- Run hundreds of commands interactively (including DNSDB commands) via a ChatOps interface while collaborating with other analysts and Demisto AI.
USE CASE #1
Extracting domain context from incident response investigation data
During investigations, analysts need to check indicators for malice and coordinate across their security product suite before the attack reaches sensitive systems. This task becomes tougher when cybercriminals jump across dozens – sometimes hundreds – of domains and IPs to mask their presence and obfuscate the attack trail.
With more than 100 billion DNS records going back to 2010, Farsight DNSDB provides a history of criminals' online infrastructure, allowing analysts to make connections between existing domain names and IP addresses as well as uncover new information to advance their investigation. Using Demisto playbooks, analysts can automate Farsight DNSDB queries against suspicious domains, subdomains, or IP addresses, so that they have a time-spanning history of DNS information for the attack indicators, including any domain name or IP changes. Demisto also uses hypersearch to give analysts critical context about the indicators associated with an incident. After viewing Farsight DNSDB data, analysts can quickly check for repeating patterns and cross-correlations at a glance in both the work plan and War Room windows.
Enrichment playbooks automate a host of actions across products so that analysts have a wealth of information at their fingertips when they start an incident investigation. Automating Farsight DNSDB lookups saves screen-switching time, and orchestrating other product actions in the same window lets analysts look across security functions for richer and deeper incident context.
To learn more about Demisto’s integration with Farsight DNSDB, read this companion blog on the Farsight website.
USE CASE #2
Interactive DNS investigations for deeper, more rapid threat hunting
While standardized, repeatable playbooks can automate commonly performed tasks to ease analyst load, an attack investigation usually requires additional threat hunting tasks such as pivoting from one suspicious domain name to another to gather critical evidence, drawing relations between incidents, and finalizing resolution. Running these commands in separate consoles traps analysts in a screen-switching cycle during the investigation and a documentation-chasing cycle after it ends.
After running enrichment playbooks, analysts can gain greater visibility and new actionable information about the attack by running Farsight DNSDB commands in the Demisto War Room. For example, if playbook results show that a C&C server changed domain names several times over three months, analysts can run commands to retrieve all of those names and then check for other contact points with them in the environment. The War Room documents all analyst actions and, over time, suggests the most effective analysts and command sets.
The War Room allows analysts to quickly pivot and run commands relevant to incidents in their network from a common window. All participating analysts have full task-level visibility of the process followed, can run and document commands from the same window, and avoid collating information from multiple sources for documentation.
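The pivot the two use cases describe (rrset lookups to see what a suspicious name resolved to, rdata lookups to find every other name on those addresses, then a check of the environment for contact with the names that surface) can be sketched in a few dozen lines. The following is an added example written for this page, not Demisto or Farsight code: the passive DNS records are constructed in the shape DNSDB returns for rrset lookups (one JSON object per line with rrname, rrtype, rdata, count, time_first, time_last), the resolver log lines and their format are hypothetical, and all names, addresses and timestamps are made up. `lookup_rrset` and `lookup_rdata` filter this local sample rather than calling the DNSDB API.

```python
"""Passive-DNS pivot in the style of a DNSDB-backed enrichment playbook.

Added example, not Demisto or Farsight code. Records are CONSTRUCTED in the
shape of DNSDB rrset results; lookups filter this sample instead of the API.
"""
import json
from datetime import datetime, timezone

SAMPLE_RECORDS = """\
{"rrname":"cnc-one.example.","rrtype":"A","rdata":["198.51.100.7"],"count":120,"time_first":1483228800,"time_last":1485820800}
{"rrname":"www.cnc-one.example.","rrtype":"CNAME","rdata":["cnc-one.example."],"count":9,"time_first":1483228800,"time_last":1485820800}
{"rrname":"cnc-two.example.","rrtype":"A","rdata":["198.51.100.7"],"count":80,"time_first":1485993600,"time_last":1488326400}
{"rrname":"cnc-two.example.","rrtype":"A","rdata":["203.0.113.9"],"count":60,"time_first":1488412800,"time_last":1491004800}
{"rrname":"cnc-three.example.","rrtype":"A","rdata":["203.0.113.9"],"count":30,"time_first":1491091200,"time_last":1493596800}
{"rrname":"cnc-three.example.","rrtype":"A","rdata":["192.0.2.50"],"count":5,"time_first":1493683200,"time_last":1493942400}
{"rrname":"blog-a.example.","rrtype":"A","rdata":["192.0.2.50"],"count":900,"time_first":1451606400,"time_last":1493942400}
{"rrname":"shop-b.example.","rrtype":"A","rdata":["192.0.2.50"],"count":700,"time_first":1451606400,"time_last":1493942400}
{"rrname":"news-c.example.","rrtype":"A","rdata":["192.0.2.50"],"count":650,"time_first":1451606400,"time_last":1493942400}
{"rrname":"mail-d.example.","rrtype":"A","rdata":["192.0.2.50"],"count":400,"time_first":1451606400,"time_last":1493942400}
{"rrname":"unrelated.example.","rrtype":"A","rdata":["198.51.100.200"],"count":12,"time_first":1483228800,"time_last":1493942400}
"""

# Constructed resolver log (hypothetical format): who in the environment asked for what.
SAMPLE_RESOLVER_LOG = """\
2017-01-12T08:14:02Z client=10.0.0.5 qname=cnc-one.example qtype=A
2017-02-20T17:41:55Z client=10.0.0.5 qname=cnc-two.example qtype=A
2017-03-09T09:02:13Z client=10.0.1.77 qname=cnc-two.example qtype=A
2017-03-09T09:02:14Z client=10.0.1.77 qname=blog-a.example qtype=A
2017-04-15T22:30:00Z client=10.0.2.9 qname=unrelated.example qtype=A
"""


def _norm(value):
    """Strip the trailing dot DNSDB keeps on owner names and lowercase."""
    return value.rstrip(".").lower()


def load_records(text):
    """Parse one JSON object per line; normalise names and make rdata a list."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["rrname"] = _norm(r["rrname"])
        rd = r["rdata"] if isinstance(r["rdata"], list) else [r["rdata"]]
        r["rdata"] = [_norm(v) for v in rd]
        recs.append(r)
    return recs


def lookup_rrset(records, name, rrtype="A"):
    """rrset lookup: everything `name` has resolved to (rrtype=None for all types)."""
    name = _norm(name)
    return [r for r in records if r["rrname"] == name and (rrtype is None or r["rrtype"] == rrtype)]


def lookup_rdata(records, value, rrtype="A"):
    """rdata lookup: every name that has pointed at `value`."""
    value = _norm(value)
    return [r for r in records if value in r["rdata"] and (rrtype is None or r["rrtype"] == rrtype)]


def pivot(records, seed, max_hops=3, max_names_per_ip=3):
    """Breadth-first pivot: name -> A records -> addresses -> other names on them.

    Addresses shared by more than max_names_per_ip names (shared hosting, CDNs)
    are recorded but not expanded, otherwise one crowded IP drags in the whole
    hosting provider. Returns (domains, ips, skipped_ips)."""
    domains, ips, skipped = {_norm(seed)}, set(), set()
    frontier = set(domains)
    for _ in range(max_hops):
        new_ips = {ip for n in frontier for r in lookup_rrset(records, n) for ip in r["rdata"]} - ips
        ips |= new_ips
        frontier = set()
        for ip in new_ips:
            names = {r["rrname"] for r in lookup_rdata(records, ip)}
            if len(names) > max_names_per_ip:
                skipped.add(ip)
                continue
            frontier |= names - domains
        domains |= frontier
        if not frontier:
            break
    return domains, ips, skipped


def timeline(records, domains):
    """(time_first, time_last, name, ip) rows for the pivoted names, oldest first."""
    rows = [(r["time_first"], r["time_last"], r["rrname"], ip)
            for r in records if r["rrname"] in domains and r["rrtype"] == "A" for ip in r["rdata"]]
    return sorted(rows)


def find_contacts(log_text, domains):
    """(timestamp, client, qname) for every resolver query of a pivoted name."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        fields = dict(f.split("=", 1) for f in kv)
        if _norm(fields["qname"]) in domains:
            hits.append((ts, fields["client"], _norm(fields["qname"])))
    return hits


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")


if __name__ == "__main__":
    recs = load_records(SAMPLE_RECORDS)
    domains, ips, skipped = pivot(recs, "cnc-one.example")
    for first, last, name, ip in timeline(recs, domains):
        print(f"{fmt(first)} .. {fmt(last)}  {name:<18} -> {ip}")
    print("shared addresses not expanded:", sorted(skipped))
    for ts, client, qname in find_contacts(SAMPLE_RESOLVER_LOG, domains):
        print(f"{ts} {client} queried {qname}")
```

Run as-is, the pivot from `cnc-one.example` walks to `cnc-two.example` via the shared address 198.51.100.7 and on to `cnc-three.example` via 203.0.113.9, printing the month-by-month roll through names and addresses; 192.0.2.50 is reported but not expanded because five names sit on it, so `blog-a.example` and its neighbours stay out of the result unless `max_names_per_ip` is raised. The contact check then shows two internal clients that queried attacker names. The crowd threshold is the caveat to carry into a real playbook: rdata pivots through CDN or shared-hosting addresses produce far more noise than evidence, and a production version should look at the `count` and time overlap of each record before treating a co-hosted name as related.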
With Demisto’s 140+ technology partner base, these use cases just scratch the surface of potential actions analysts can orchestrate using Farsight DNSDB as one of the components.
If you're new to Demisto and interested in exploring this integration among others, we invite you to sign up for the Demisto Community Edition below.
If you're already a Demisto customer and interested in exploring the Farsight DNSDB integration further, we invite you to sign up for the Farsight DNSDB trial edition here.