Overview
Explore techniques for detecting malware in networks using DNS logs in this 29-minute conference talk. Learn about malware detection methods, focusing on DNS-based approaches. Understand how malware interacts with DNS, analyze packet captures, and discover defensive techniques. Dive into Domain Generation Algorithms (DGA) and their role in malware operations. Examine case studies on identifying malicious DNS traffic, establishing a DNS traffic baseline, and baselining NXDOMAIN responses so that hosts whose failed-lookup rate jumps stand out. Gain insights into querying for malicious domains, analyzing DNS traffic patterns, and identifying anomalous domain names. Discover tools and data sources such as dnstop and passive DNS for network analysis. Learn how to analyze the network traffic of suspect hosts, notify the security community, and consider whether an attack can be attributed.
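The following is an added example, not code from the talk or its speaker, showing two of the detection signals the overview lists run over resolver logs: a per-client NXDOMAIN ratio compared against a baseline (here the median across clients, standing in for a known-clean window), and a lexical DGA score for the registrable label of each query name. The log line format, the sample lines, the feature thresholds and the naive "label left of the TLD" rule are all assumptions made for the example.

```python
# Added example (not from the talk). Triage resolver logs for two signals the
# talk lists: per-client NXDOMAIN rate against a baseline, and DGA-looking names.
# Log format, thresholds and the sample lines below are assumptions.
import math
import re
import statistics
from collections import defaultdict

# Constructed sample log, not real traffic. Assumed format:
#   <timestamp> client=<ip> qname=<name> rcode=<NOERROR|NXDOMAIN|...>
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=10.0.0.5 qname=www.example.com rcode=NOERROR
2024-05-01T10:00:02 client=10.0.0.5 qname=mail.example.com rcode=NOERROR
2024-05-01T10:00:03 client=10.0.0.5 qname=typo.exmaple.com rcode=NXDOMAIN
2024-05-01T10:00:04 client=10.0.0.5 qname=accounts.googleusercontent.com rcode=NOERROR
2024-05-01T10:00:05 client=10.0.0.5 qname=cdn.example.net rcode=NOERROR
2024-05-01T10:00:06 client=10.0.0.5 qname=api.example.com rcode=NOERROR
2024-05-01T10:00:07 client=10.0.0.7 qname=www.example.com rcode=NOERROR
2024-05-01T10:00:08 client=10.0.0.7 qname=time.example.net rcode=NOERROR
2024-05-01T10:00:09 client=10.0.0.9 qname=kq3xv8zp2mwt.com rcode=NXDOMAIN
2024-05-01T10:00:09 client=10.0.0.9 qname=w9h2tqlz7bxm.net rcode=NXDOMAIN
2024-05-01T10:00:10 client=10.0.0.9 qname=zx4pq7nmr2vk.info rcode=NXDOMAIN
2024-05-01T10:00:10 client=10.0.0.9 qname=gh7t2wq9xz3k.biz rcode=NXDOMAIN
2024-05-01T10:00:11 client=10.0.0.9 qname=pqzv7k2mx9.org rcode=NOERROR
2024-05-01T10:00:12 client=10.0.0.9 qname=www.example.com rcode=NOERROR
"""
LINE_RE = re.compile(r"client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")


def parse_log(text):
    """Parse log lines into dicts with client/qname/rcode; unmatched lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]


def registrable_label(qname):
    """Label just left of the TLD, e.g. 'example' for www.example.com.
    Naive on purpose: no public-suffix list, so 'co.uk'-style suffixes mis-split."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits per character of the label's character distribution."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def dga_score(label):
    """Count lexical features typical of generated labels (0..4): long, high-entropy,
    vowel-poor, digits mixed in. Thresholds are assumptions, not values from the talk."""
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    score = int(len(label) >= 10)
    score += int(shannon_entropy(label) >= 3.0)
    score += int(vowel_ratio <= 0.2)
    score += int(digit_ratio >= 0.15)
    return score


def nxdomain_stats(records):
    """Per client: (nxdomain_count, total_queries, nxdomain_ratio)."""
    nx, total = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["client"]] += 1
        nx[r["client"]] += r["rcode"] == "NXDOMAIN"
    return {c: (nx[c], total[c], nx[c] / total[c]) for c in total}


def baseline_nxdomain_ratio(stats):
    """Median per-client NXDOMAIN ratio, a robust stand-in for a known-clean window."""
    return statistics.median(ratio for _, _, ratio in stats.values())


def flag_nxdomain_outliers(stats, baseline, factor=3.0, min_nx=3):
    """Clients well above baseline that also produced at least min_nx failures
    (the floor keeps a single typo from flagging a quiet host)."""
    return sorted(c for c, (n, _, ratio) in stats.items()
                  if n >= min_nx and ratio > factor * baseline)


def flag_dga_names(records, min_score=3):
    """Distinct query names whose registrable label looks generated: {qname: score}."""
    scored = {r["qname"]: dga_score(registrable_label(r["qname"])) for r in records}
    return {q: s for q, s in scored.items() if s >= min_score}


def triage(text):
    records = parse_log(text)
    stats = nxdomain_stats(records)
    baseline = baseline_nxdomain_ratio(stats)
    return {"baseline_nx_ratio": baseline,
            "nx_outliers": flag_nxdomain_outliers(stats, baseline),
            "dga_names": flag_dga_names(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"baseline NXDOMAIN ratio: {result['baseline_nx_ratio']:.3f}")
    print("NXDOMAIN outliers:", result["nx_outliers"])
    for name, s in sorted(result["dga_names"].items()):
        print(f"DGA-like: {name} (score {s})")
```

On the constructed log, 10.0.0.9 is the only NXDOMAIN outlier and its five machine-looking labels score 4 of 4, while the long but pronounceable label `googleusercontent` scores only 2 because it is vowel-rich and digit-free; that is the point of combining several weak lexical features rather than flagging on entropy alone. In practice the baseline should come from a known-clean period per network segment, and candidates should be checked against passive DNS before anyone is paged.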
Syllabus
Intro
Malware Detection
Finding Malware using DNS logs
Malware Generic Description
Malware and DNS
Packet Captures
Back to DNS - Defensive Techniques
DGA (Domain Generation Algorithm)
Malware and DGA
Identifying Malicious DNS Traffic - Case Study
Identifying Malicious Traffic
Establish DNS Traffic Baseline
Baseline NXDOMAIN responses - cont'd
Query for Malicious Domains
Analyze DNS Traffic
Identifying Anomalous Domain Names
Tools
dnstop
Passive DNS
Analyze Network Traffic of Suspect Hosts
Notify Community
Can we attribute an attack?
Props