Stronger Security: Using Passive DNS Data to Look Beyond Black and White

Given the complexity of the internet, it’s remarkable how many security solutions address threats as if the world is black and white. The rigid approach works in some cases, but it has not stopped the endless flow of attacks and breaches, nor has it provided an efficient way to uncover malicious activity or provide insight into potential future compromise. Especially for large internet businesses, the rapidly changing nature of new threats means your Data Analytics, Cyber Intelligence, Network Security and Fraud Prevention teams need new ways to:

  • Uncover domains associated with unusual or malicious behavior
  • Identify and block risky domains and IP addresses
  • Expose relationships between domain names and IP addresses
  • Provide context to newly observed attacks and attackers

New Data Enables Flexible Security and Fraud Analytics

There are many examples of security tools offering rigid expectations. Whitelists and blacklists pass or block execution of software (even though hackers use stolen credentials to traverse networks with impunity). Next generation firewalls keep bad traffic out (even though bad stuff keeps getting in). Data loss prevention tools stop leakage of sensitive data (while PII, CHD, PHI, and every other kind of secret information somehow escape into the wild). Vulnerability scanners will keep you apprised of danger (even though scanners pump out so many “alerts” that security pros are numbed by the flood of data).

At Neustar, we recommend a less rigid approach to evolving security and fraud prevention challenges. To block new threats, you must be able to do useful, programmatic analysis that exposes big threats before they do damage. And that means you need a whole lot of new data.

Passive DNS Data Provides Powerful Security Insights

Neustar is known for its unique expertise in the Domain Name System (DNS) that runs the internet, and currently routes over 10% of the world’s internet traffic. Now, there’s a new and different angle on DNS to consider: getting predictive insights from where data is going. We call this passive DNS analysis because it leverages the “data exhaust” from normal internet usage, the resolver responses that ordinary queries already generate, without exposing any Personally Identifiable Information (PII). Neustar tracks this data exhaust by recording, over time, which domains resolved to which IP addresses and when. This is what lets you see what is really happening online. It’s based on real internet traffic and doesn’t rely on probes or agents. Passive DNS is your path to intelligence, insight, and true visibility into malicious internet traffic.

Neustar IP Reputation and IP GeoPoint Data Together with Passive DNS – a Powerful New Combination

Neustar’s IP Reputation and IP GeoPoint datasets make it easier to spot potential fraud by identifying the location and scoring the risk associated with an IP address. While IP GeoPoint tells you where the IP is located and how it is connecting to the Internet, IP Reputation can tell you if the IP is being used by an actual human being or is non-human (bot or server) traffic, and if it has been associated with malicious activity in the past. By conducting domain lookups in Neustar’s Passive DNS data and identifying the corresponding IP addresses in the IP GeoPoint and IP Reputation datasets, you have the insight into both the domain and the risk and reputation of the IP addresses associated with that domain. With this insight you can take steps to block traffic from domains and IPs that exhibit unacceptable risk to your business.


Cybersecurity/Threat Intelligence Research: Identify Domains and IPs Associated with Malicious Behavior

Security research teams can benefit from integrating passive DNS data into their models. Large, complex internet businesses typically use a proprietary analytics engine to conduct research for security, fraud, marketing and other business drivers. By starting with a “known bad” domain, passive DNS allows a security analytics team to dive deep into DNS operational data and identify other domains that share infrastructure with the bad actor: the IP addresses the known-bad domain has resolved to, and the other domains that have resolved to those same addresses. Security professionals also benefit by factoring in location data. A business in Los Angeles should not have its servers in Kazakhstan (so maybe its servers were hijacked). Likewise, no legitimate business would have its website moving every five minutes from one cable modem to another (so perhaps this is fast-flux hosting masking a botnet). This visibility allows you to get ahead of the attackers, and to know when a domain may be malicious before you have other factors to identify it as such.

The flow diagram shows one way to use passive DNS for security research. With a variety of optional mechanisms, Neustar provides you with passive DNS data for ingestion into your proprietary risk analytics engine. In this example, your security analytics team follows the step flow for evaluating the data to identify the domain names associated with suspicious IP addresses, and then confirms them with the other signals the engine already holds, since sharing an address is strong evidence of a relationship but not proof of one.


Fraud Detection and Prevention: Identify Risky New Domains

Fraud Detection and Prevention teams are always trying to stay one step ahead of fraud rings and the fraudsters themselves. This is no easy task. Often, just as the fraud team identifies and blocks the fraudulent transaction, and tags the domain as “risky”, the fraudsters have moved their domain to a new host in order to evade detection.

Any legitimate domain sending email will typically have existed for a while. Even brand-new domains are generally “warmed up” before sending large volumes of email. A new domain sending volumes of email is a red flag for spam, phishing, spear phishing, or other malicious behavior.

By leveraging the domain-to-IP-to-domain mapping capabilities of Neustar’s Passive DNS data, fraud teams can identify not-yet-used domains that already share hosting with known fraud infrastructure, and proactively block or shut them down before the campaigns launch.


Incident Response/Forensics: Tracking Compromised Domains and IPs

Passive DNS data is useful for discovering new relationships between IP addresses and domain names when researching or triaging a new network Indicator of Compromise (IoC). It enables forensic analysts to expose relationships between domain names and IP addresses that would be very difficult, if not impossible, to determine otherwise.

When observing the DNS responses over time for a known Command and Control (C2) hostname, investigators can observe the different phases of an attacker’s campaign based on when the C2 IP addresses change from one region to another, or go from null-routed to operational IPs.
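The three analyses above (pivoting from a known-bad domain to the domains that share its addresses, flagging fast-moving or newly seen high-volume domains, and reading a C2 hostname’s resolution history) all run over the same kind of record. The following Python is an added example, not code from the Neustar page or any Neustar product: it works over a constructed passive DNS record set in the common (rrname, rdata, first_seen, last_seen, count) shape. Every domain, address, date and query count is made up, the addresses come from the documentation ranges, and the `GEO` table is a constructed stand-in for a geolocation lookup such as IP GeoPoint. The fan-out cap in `pivot` is the caveat a practitioner adds in practice: an address that hosts many names is shared hosting or a CDN, and pivoting through it yields noise rather than the actor’s infrastructure.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed passive DNS records: (rrname, rdata, first_seen, last_seen, count).
# Every name, address, date and query count is made up; addresses are RFC 5737
# documentation ranges. Not real observations.
RECORDS = [
    # seed phishing domain and the names that share its hosting
    ("login-verify-example.test", "192.0.2.44", "2024-01-02", "2024-01-04", 15),
    ("login-verify-example.test", "203.0.113.10", "2024-01-05", "2024-01-20", 340),
    ("login-verify-example.test", "198.51.100.7", "2024-01-20", "2024-02-02", 120),
    ("secure-update-example.test", "203.0.113.10", "2024-01-08", "2024-01-25", 90),
    ("acct-alert-example.test", "198.51.100.7", "2024-01-21", "2024-02-02", 60),
    # 192.0.2.44 is shared hosting: unrelated names live there too
    ("shop-example.test", "192.0.2.44", "2019-03-01", "2024-02-02", 9000),
    ("cdn-a-example.test", "192.0.2.44", "2020-06-01", "2024-02-02", 50000),
    ("cdn-b-example.test", "192.0.2.44", "2020-06-01", "2024-02-02", 48000),
    # a name that hops between addresses roughly daily
    ("flux-example.test", "198.51.100.21", "2024-01-30", "2024-01-30", 5),
    ("flux-example.test", "198.51.100.22", "2024-01-30", "2024-01-31", 4),
    ("flux-example.test", "198.51.100.23", "2024-01-31", "2024-01-31", 6),
    ("flux-example.test", "198.51.100.24", "2024-01-31", "2024-02-01", 3),
    ("flux-example.test", "198.51.100.25", "2024-02-01", "2024-02-01", 7),
    ("flux-example.test", "198.51.100.26", "2024-02-01", "2024-02-02", 5),
    # brand-new name already carrying heavy query volume
    ("promo-blast-example.test", "203.0.113.77", "2024-01-29", "2024-02-02", 25000),
    # C2 hostname: parked on an unroutable address, then live, then relocated
    ("c2-example.test", "0.0.0.0", "2023-12-01", "2024-01-03", 12),
    ("c2-example.test", "203.0.113.90", "2024-01-04", "2024-01-18", 800),
    ("c2-example.test", "198.51.100.90", "2024-01-19", "2024-02-02", 650),
]
# Constructed stand-in for an IP geolocation lookup (e.g. IP GeoPoint); not real data.
GEO = {"203.0.113.90": "US", "198.51.100.90": "KZ"}
# Constructed analysis date, chosen to match the record set above.
TODAY = date(2024, 2, 2)


def ips_for(domain, records=RECORDS):
    """All addresses a name has resolved to."""
    return {r[1] for r in records if r[0] == domain}


def domains_on(ip, records=RECORDS):
    """All names that have resolved to an address."""
    return {r[0] for r in records if r[1] == ip}


def pivot(seed, max_fanout=3, records=RECORDS):
    """Known-bad name -> its addresses -> other names on those addresses.
    Addresses hosting more than max_fanout names are skipped as shared
    infrastructure. Returns {related_name: {shared addresses}}."""
    related = defaultdict(set)
    for ip in ips_for(seed, records):
        cohosted = domains_on(ip, records)
        if len(cohosted) > max_fanout:
            continue  # CDN / shared hosting: co-residence means nothing here
        for name in cohosted - {seed}:
            related[name].add(ip)
    return dict(related)


def is_fast_flux(domain, min_ips=5, max_mean_tenure_days=1.0, records=RECORDS):
    """Flag a name that cycles through many addresses, each held only briefly."""
    rows = [r for r in records if r[0] == domain]
    if len({r[1] for r in rows}) < min_ips:
        return False
    tenures = [(date.fromisoformat(r[3]) - date.fromisoformat(r[2])).days for r in rows]
    return sum(tenures) / len(tenures) <= max_mean_tenure_days


def young_high_volume(today=TODAY, max_age_days=30, min_count=10000, records=RECORDS):
    """Names first seen recently that already carry heavy query volume."""
    first_seen, volume = {}, defaultdict(int)
    for name, _ip, seen, _last, count in records:
        first_seen[name] = min(first_seen.get(name, seen), seen)  # ISO dates sort as text
        volume[name] += count
    return sorted(
        name for name in first_seen
        if (today - date.fromisoformat(first_seen[name])).days <= max_age_days
        and volume[name] >= min_count
    )


def c2_timeline(hostname, records=RECORDS):
    """Resolution history of a C2 name as (first_seen, last_seen, ip, region, status)."""
    rows = sorted((r for r in records if r[0] == hostname), key=lambda r: r[2])
    timeline = []
    for _name, ip, seen, last, _count in rows:
        addr = ipaddress.ip_address(ip)
        parked = addr.is_unspecified or addr.is_loopback  # 0.0.0.0 / 127.x = null-routed
        status = "null-routed" if parked else "operational"
        timeline.append((seen, last, ip, GEO.get(ip, "unknown"), status))
    return timeline


if __name__ == "__main__":
    print("pivot:", pivot("login-verify-example.test"))
    print("fast flux:", is_fast_flux("flux-example.test"))
    print("young + busy:", young_high_volume())
    for step in c2_timeline("c2-example.test"):
        print("c2:", *step)
```

Run stand-alone, the pivot from the seed returns only the two names on its low-fan-out addresses; the shared 192.0.2.44 host is skipped, so the shop and CDN names never enter the result. The thresholds (`max_fanout`, `min_ips`, `max_age_days`, `min_count`) are starting points to tune against your own traffic, and anything these functions flag is a lead for the analytics engine, not a verdict.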
