You are watching your DNS logs, right?

Facebook was, and as a result they were able to discover that they were suffering from a serious internal compromise. In the words of Facebook’s Chief Security Officer, Joe Sullivan: “The attack was discovered when a suspicious domain was detected in Facebook’s Domain Name Service request logs.”
So what is DNS and why is monitoring it an important part of keeping your organization secure?
Put simply, DNS is the system that takes friendly names like facebook.com and converts them into addresses that machines understand, like 173.252.110.27.
Watching the DNS requests being made by your systems allows you to identify network-level indicators of compromise. In the case of Facebook, the domain that didn’t look right to the security team was corp-aapl.com. Facebook then worked with an unnamed third party to seize control of this domain and “sinkhole” it. This action allows the defensive team to pretend to be the botnet command and control system, in an attempt to see who connects. This tactic revealed that Apple, Twitter and Microsoft had been compromised by the same attacker.
This was some fine work on the part of Facebook, but what is the small company without a security team supposed to do?
Gunter Ollmann wrote a fantastic post called Persistent Threat Detection on a Budget that provides a high level view of how small shops can start using DNS logs to identify threats. His key points are as follows:
- Turn DNS logging on!
- Use blacklists to block obvious bad traffic
- Blacklist entire countries your organization shouldn’t be initiating traffic to
- Scrape your DNS logs at least once a week
- Log failed lookups (NXDOMAIN responses), as these help identify malware that uses domain generation algorithms
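To make the last three points concrete, here is an added example (not from the original post or any of the tools it links to) of what a weekly DNS log scrape can look like. It reads a constructed log format (one query per line: timestamp, client IP, queried name, query type, response code; real resolvers log differently, so the parser is the part you would adapt), flags any client that touched a blacklisted domain or one of its subdomains, counts distinct NXDOMAIN names per client, and singles out clients whose failed lookups are for random-looking labels, which is the signature of a domain generation algorithm rather than a typo. corp-aapl.com comes from the post; every other name, address and threshold in the block is made up for the example.

```python
"""Weekly DNS log scrape: blacklist hits and NXDOMAIN-heavy clients.

Added example, not code from the original post. The log format is a
constructed one for this example:
    <timestamp> <client-ip> <qname> <qtype> <rcode>
Real resolvers (BIND, Unbound, dnsmasq) log differently; adjust parse_line().
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log. corp-aapl.com is the domain named in the post;
# the client addresses and the random-looking names are invented.
SAMPLE_LOG = """\
2013-03-18T13:46:01Z 10.0.0.5 www.facebook.com A NOERROR
2013-03-18T13:46:02Z 10.0.0.5 update.corp-aapl.com A NOERROR
2013-03-18T13:46:03Z 10.0.0.7 mail.example.org MX NOERROR
2013-03-18T13:46:04Z 10.0.0.9 xk3jd8fqz.net A NXDOMAIN
2013-03-18T13:46:05Z 10.0.0.9 qpw9vmtr2a.com A NXDOMAIN
2013-03-18T13:46:06Z 10.0.0.9 zzt0bnh4lw.info A NXDOMAIN
2013-03-18T13:46:07Z 10.0.0.9 m8r1k2oqdx.org A NXDOMAIN
2013-03-18T13:46:08Z 10.0.0.7 typo.exmaple.org A NXDOMAIN
malformed line that the parser must skip
"""

# Domains the organisation has decided are bad. Matched as the exact name or
# as a parent of the queried name, so update.corp-aapl.com hits corp-aapl.com.
BLACKLIST = {"corp-aapl.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>[A-Za-z0-9.-]+)\s+(?P<qtype>[A-Z]+)\s+(?P<rcode>[A-Z]+)$"
)


def parse_line(line):
    """Return a dict for one well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def parse_log(text):
    """Parse every line of a log, silently dropping lines that do not match."""
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def is_blacklisted(qname, blacklist):
    """True if qname or any parent domain of it is on the blacklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))


def blacklist_hits(records, blacklist=BLACKLIST):
    """(client, qname) pairs for every query that touched a blacklisted domain."""
    return [(r["client"], r["qname"]) for r in records
            if is_blacklisted(r["qname"], blacklist)]


def nxdomain_counts(records):
    """Number of distinct names that returned NXDOMAIN, per client."""
    names = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            names[r["client"]].add(r["qname"])
    return {c: len(n) for c, n in names.items()}


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label.
    Algorithmically generated labels tend to score high; words score low."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_suspects(records, min_nx=3, min_entropy=3.0):
    """Clients with at least min_nx distinct NXDOMAIN names whose leftmost
    label is high-entropy. One typo does not trip this; a DGA burst does.
    Both thresholds are example values to tune against your own traffic."""
    per_client = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        first_label = r["qname"].split(".")[0]
        if label_entropy(first_label) >= min_entropy:
            per_client[r["client"]].add(r["qname"])
    return {c: sorted(n) for c, n in per_client.items() if len(n) >= min_nx}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blacklist hits:", blacklist_hits(recs))
    print("NXDOMAIN names per client:", nxdomain_counts(recs))
    print("DGA suspects:", dga_suspects(recs))
```

Run against the sample, 10.0.0.5 is reported for the corp-aapl.com subdomain, 10.0.0.9 is reported as a DGA suspect for its four high-entropy failed lookups, and 10.0.0.7's single misspelled domain is counted but not flagged. The suffix match in is_blacklisted matters in practice: a blacklist of bare domains misses nothing when the malware rotates hostnames under the same registered domain.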
It may be difficult to convince your lean, mean development team to take time off from knocking out stories in Pivotal to set up the necessary tech to log your DNS queries. To help them get back to coding, here are a few links to speed them on their way (updated 18 March 2013 @ 13:46 MDT with suggestions from Reddit):
- Bash script from SANS to detect anomalies in DNS logs
- SecurityOnion: LiveCD using Bro for DNS visibility
- PassiveDNS: small C-based program to extract/cache DNS queries/answers from pcap
- RPZ: BIND-based DNS firewall
Now if only somebody would create a software defined security service that would allow you to quickly and easily perform this type of analysis and mitigation across all of your cloud instances from the comfort of your web browser.

6 Responses to “You are watching your DNS logs, right?”
this implies you’re running your own DNS server(s) yes?
No. From a corporate office environment (like Facebook, or Gnip), all you need to see/log/examine the DNS queries and answers is a sniffer on a span port somewhere between your users and the Internet. There are a variety of open source and commercial solutions that can be used to provide this level of visibility. If you want to be able to block in addition to monitor, then you either need to run a DNS server, or a proxy/firewall in front of it that can blackhole bad actors.
It’s when you get out of the corporate environment / datacenter and into the cloud that your options get more limited.
You could also use Splunk + getwatchlist to do this: http://stratumsecurity.com/2012/07/03/splunk-security/
“Now if only somebody would create a software defined security service that would allow you to quickly and easily perform this type of analysis and mitigation across all of your cloud instances from the comfort of your web browser.”
I think that’s what we do at http://www.opendns.com/ — we don’t do it to protect cloud servers, but we do it for about 50 million end-users each day.
I posted an ISO and scripts that work with DNS BIND to get you started
Link?