Question: How can administrators use DNS telemetry to complement NetFlow data in detecting and stopping threats?
David Ratner, CEO, Hyas: For many years, DevSecOps teams relied heavily on flow data (the information collected by NetFlow and similar technology) to glean insight into events occurring within their networks. However, flow data’s usefulness has waned with the shift to the cloud and increased network complexity.
Monitoring network traffic is the new big data problem. You either sample a smaller amount of flow data or incur the high costs of receiving a more comprehensive set. But even with all of the data, detecting subtle anomalous incidents (perhaps involving just one or a handful of devices and relatively low-volume traffic) that indicate malicious activity is still like looking for a needle in a haystack.
Administrators and security teams can regain visibility into their own networks with DNS telemetry. It is easier and cheaper to monitor than flow data and can identify unknown, anomalous, or malicious domains based on threat intelligence data. These services can alert DevSecOps administrators and provide information on exactly where to look to investigate the incident. If necessary, administrators can access the corresponding flow data to get additional actionable information about the event, identify if the event is innocuous or malicious, and stop nefarious activity in its tracks. DNS telemetry solves the big data problem by letting teams more quickly and efficiently zero in on the areas that need attention.
An easy way to visualize the problem is to imagine staking out all the payphones in a neighborhood to intercept calls related to criminal activity. Actively watching each payphone and monitoring the content of each call made from each payphone would be incredibly tedious. However, in this analogy, DNS monitoring would notify you that a certain payphone made a call, when it made it, and who it called. With this information, you can then query flow data to find out additional pertinent information, like if the person on the other end picked up the call and how long they spoke.
A real-world scenario might occur like this: Your DNS monitoring system notices multiple devices making calls to a domain flagged as anomalous and potentially malicious. Even though this particular domain has never been used before in an attack, it is unusual, anomalous, and requires additional and immediate investigation. This triggers an alert, prompting administrators to query flow data for those particular devices and the specific communication with that domain. With that data, you can quickly determine if malicious activity is actually happening and, if it is, you can block the communication, cutting the malware off from its C2 infrastructure and stopping the attack before major damage is done. On the other hand, there may have been some legitimate reason for anomalous traffic, and it isn’t actually nefarious — maybe the device is simply reaching out to a new server for updates. Either way, now you know for sure.
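The workflow described in the answer above (flag a DNS query for a domain that is on a threat-intel list or has never been seen, count how many devices queried it, then pull only the flow records for those clients talking to the resolved address to see whether the "call" was answered and for how long) as an added, self-contained example. This is illustrative code written for this page, not Hyas's product or any tool the interviewee describes; the resolver log format, the flow record format, the domain names, the addresses and the two-device alert threshold are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DnsEvent:
    ts: datetime
    client: str
    qname: str
    answer: str


@dataclass(frozen=True)
class FlowRecord:
    ts: datetime
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int
    duration_s: int


# Constructed resolver log: "<timestamp> <client> <qname> <rrtype> <answer>".
DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.5 updates.example.org A 93.184.216.34
2024-05-01T10:00:05 10.0.0.5 qx7.new-domain.example A 203.0.113.7
2024-05-01T10:00:09 10.0.0.6 qx7.new-domain.example A 203.0.113.7
2024-05-01T10:01:00 10.0.0.7 evil-updates.example A 198.51.100.9
2024-05-01T10:02:00 10.0.0.8 qx7.new-domain.example A 203.0.113.7
"""

# Constructed flow export: "<timestamp> <src> <dst> <dport> <packets> <bytes> <duration_s>".
FLOW_LOG = """\
2024-05-01T10:00:02 10.0.0.5 93.184.216.34 443 40 52000 12
2024-05-01T10:00:06 10.0.0.5 203.0.113.7 443 300 41000 600
2024-05-01T10:00:10 10.0.0.6 203.0.113.7 443 280 39000 590
2024-05-01T10:01:01 10.0.0.7 198.51.100.9 8080 1 60 0
"""

KNOWN_BAD = {"evil-updates.example"}                      # hypothetical threat-intel feed
BASELINE = {"updates.example.org", "cdn.example.net"}      # domains seen before on this network


def parse_dns(text):
    """Parse A-record lookups from the resolver log into DnsEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rrtype, answer = line.split()
        if rrtype == "A":
            events.append(DnsEvent(datetime.fromisoformat(ts), client,
                                   qname.lower().rstrip("."), answer))
    return events


def parse_flows(text):
    """Parse the flow export into FlowRecord objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, packets, nbytes, dur = line.split()
        flows.append(FlowRecord(datetime.fromisoformat(ts), src, dst,
                                int(dport), int(packets), int(nbytes), int(dur)))
    return flows


def flag_dns_events(events, known_bad, baseline):
    """Return (event, reason) pairs: threat-intel matches and never-seen domains."""
    flagged = []
    for ev in events:
        if ev.qname in known_bad:
            flagged.append((ev, "threat-intel match"))
        elif ev.qname not in baseline:
            flagged.append((ev, "never seen before"))
    return flagged


def devices_per_domain(flagged):
    """Count distinct clients per flagged domain ("multiple devices making calls")."""
    seen = defaultdict(set)
    for ev, _ in flagged:
        seen[ev.qname].add(ev.client)
    return {q: len(c) for q, c in seen.items()}


def correlate(flagged, flows, window=timedelta(minutes=5)):
    """For each flagged lookup, pull only the flows client -> resolved IP in the window."""
    results = []
    for ev, reason in flagged:
        matches = [f for f in flows
                   if f.src == ev.client and f.dst == ev.answer
                   and ev.ts <= f.ts <= ev.ts + window]
        if not matches:
            verdict = "resolved_only"   # sampled NetFlow can miss short flows; treat as unknown
        elif max(f.packets for f in matches) >= 2:
            verdict = "established"     # the other end "picked up"
        else:
            verdict = "attempted"       # single packet, e.g. a connection that was never completed
        results.append({"client": ev.client, "qname": ev.qname, "answer": ev.answer,
                        "reason": reason, "verdict": verdict,
                        "bytes": sum(f.nbytes for f in matches),
                        "duration_s": max((f.duration_s for f in matches), default=0)})
    return results


def triage(dns_text, flow_text, known_bad, baseline, min_devices=2):
    """Alert on threat-intel hits always, and on unseen domains once several devices query them."""
    flagged = flag_dns_events(parse_dns(dns_text), known_bad, baseline)
    counts = devices_per_domain(flagged)
    return [r for r in correlate(flagged, parse_flows(flow_text))
            if r["reason"] == "threat-intel match" or counts[r["qname"]] >= min_devices]


if __name__ == "__main__":
    for alert in triage(DNS_LOG, FLOW_LOG, KNOWN_BAD, BASELINE):
        print(alert)
```

The point of the ordering is the cost model in the answer: the DNS pass touches one line per lookup, and the flow data is only searched for the handful of client/destination pairs it flagged, so the flow query stays narrow even when the export is sampled or very large. The "resolved_only" verdict is deliberately kept separate from "no activity", because a sampled flow export can miss a short connection.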