Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

The Register

New Wireshark, Nmap releases bring pre-Xmas cheer to infosec types
The Register
Security types impatient for gifts under the Christmas tree may find that major upgrades to the popular Nmap and Wireshark infosec tools sate their appetite for new toys. Apple fans will have access to a much-improved Wireshark as version two of the ...

 

Two researchers (Dhia Mahjoub Thomas Mathew) have recently presented at BruCON on how they have been using DNS to detect patterns that are typical of exploit kits landing domains. Obviously most of us wont get the amount of DNS queries OpenDNS collects (over 70+ billions per day or 1/2 TB per hour) but the principles they are showing in the presentation are very interesting called Spike Rank or SPRank that leverages DNS traffic below recursive resolvers instead of the well know Domain Reputation. SPRank detects domains showing as a sudden surge or a spike in DNS queries issued from our 65 million worldwide clients towards our resolvers.[1]

Their results so far appear to be very promising because they have been able to detect malware campaigns such as Angler, RIG, and Nuclear exploit kits, in addition to DGAs, fake software, or phishing. Take some time watching their BruCON presentation on YouTube and their recently published post.

Do you mine your DNS data and how successful are you at finding malicious activity?

[1] https://labs.opendns.com/2015/11/19/sprank-and-ip-space-monitoring/
[2] https://www.youtube.com/watch?v=8edBgoHXnwg/

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Internet Storm Center Infocon Status