They Can Run, But They Can't Hide: Real-Time Threat Hunting Using Passive DNS

  • Tuesday, 18 Oct 2016 11:00AM EDT (18 Oct 2016 15:00 UTC)
  • Speakers: Dave Shackleford, Dr. Paul Vixie

Today's hunt teams rely on diverse threat indicators, including virus signatures, IP addresses and domain names flagged as hostile, and malware hashes, in order to detect malicious activity and protect their organizations. Yet stealth attackers can often use agility and other strategies to try to mask that activity -- often allowing them to "hide in plain sight." How can you know if your network is *actually* secure? Passive DNS, with its real-time view of the changing Global DNS, enables hunt teams to enrich existing IOCs to uncover previously undetected malicious IPs and domain names used by "bad" actors to gain entry and move laterally through a network. In this presentation, SANS Senior Instructor Dave Shackleford will provide an overview of the current threat landscape. Farsight Security CEO Dr. Paul Vixie will provide an introduction to Passive DNS. Because almost all activity on the Internet begins with DNS, Dr. Vixie will demonstrate how hunt teams can use passive DNS techniques to tilt the playing field in the good guys' favor.