
They Can Run, But They Can't Hide: Real-Time Threat Hunting Using Passive DNS

  • Tuesday, October 18, 2016 at 11:00 AM EDT (2016-10-18 15:00:00 UTC)
  • Dr. Paul Vixie, Dave Shackleford


  • Farsight Security



Today's hunt teams rely on diverse threat indicators, including virus signatures, IP addresses and domain names flagged as hostile, and malware hashes, to detect malicious activity and protect their organizations. Yet stealthy attackers can often use agility and other strategies to mask that activity, allowing them to "hide in plain sight." How can you know if your network is *actually* secure? Passive DNS, with its real-time view of the changing global DNS, enables hunt teams to enrich existing IOCs to uncover previously undetected malicious IPs and domain names used by "bad" actors to gain entry and move laterally through a network. In this presentation, SANS Senior Instructor Dave Shackleford will provide an overview of the current threat landscape. Farsight Security CEO Dr. Paul Vixie will provide an introduction to Passive DNS. Because almost all activity on the Internet begins with DNS, Dr. Vixie will demonstrate how hunt teams can use passive DNS techniques to tilt the playing field in the good guys' favor.

Speaker Bios

Dave Shackleford

Dave Shackleford, a SANS analyst, senior instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.

Dr. Paul Vixie

Dr. Paul Vixie is the Chairman, CEO and Cofounder of Farsight Security, Inc. In 2014, Dr. Vixie was inducted into the Internet Hall of Fame for work related to DNS. Prior to cofounding Farsight Security, Dr. Vixie served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the board of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, and as Chairman in 2008 and 2009. Dr. Vixie is a founding member of the ICANN Root Server System Advisory Committee (RSSAC) and the ICANN Security and Stability Advisory Committee (SSAC). Dr. Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He is considered the primary author and technical architect of BIND 8, and he hired many of the people who wrote BIND 9 and the people now working on BIND 10. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, as well as Sendmail: Theory and Practice (Digital Press, 1994). He earned his Ph.D. from Keio University for work related to the Internet Domain Name System (DNS and DNSSEC).
