YoVDO

Another Log to Analyze - Utilizing DNS to Identify Malware

Offered By: YouTube

Tags

Conference Talks Courses, Cybersecurity Courses, DNS Courses, Network Analysis Courses, Malware Detection Courses

Course Description

Overview

Explore techniques for identifying malware using DNS logs in this comprehensive conference talk. Delve into the relationship between malware and DNS, examining packet captures and defensive techniques. Learn about Domain Generation Algorithms (DGA) and their role in malware operations. Develop skills to establish DNS traffic baselines, analyze NXDOMAIN responses, and query for malicious domains. Discover methods for identifying anomalous domain names and utilizing tools like dnstop and Passive DNS. Gain insights into analyzing network traffic of suspect hosts, notifying the community, and considering attack attribution. Enhance your cybersecurity knowledge with practical approaches to detect and mitigate malware threats through DNS analysis.

Syllabus

Introduction
Malware High Level Overview
Very Generic Malware Description
Finding Malware using DNS logs
Malware and DNS
Packet Captures
Back to DNS - Defensive Techniques
DGA (Domain Generation Algorithm)
Malware and DGA
Identifying Malicious Traffic - Objectives
Establish DNS Traffic Baseline
Baseline NXDOMAIN responses - cont'd
Query for Malicious Domains
Analyze DNS Traffic
Identifying Anomalous Domain Names
Tools
dnstop
Passive DNS
Analyze Network Traffic of Suspect Hosts
Notify Community
Can we attribute an attack?
Be like Good Guy Greg
QUESTIONS?


Related Courses

Introduction to Malware Analysis on Windows
National Technological University – Buenos Aires Regional Faculty via Miríadax
The Complete Cyber Security Course : End Point Protection!
Udemy
Master's in Computer Security. Complete Hacking Course.
Udemy
Network Analysis with Arkime
Pluralsight
Configuring Firepower Threat Defense (FTD) Integrations
Pluralsight