There’s a wealth of intelligence available in your DNS logs that can help you detect persistent threats.
So how can you use them to see if your network has been hacked, or check for unauthorized access to sensitive intellectual property after business hours?
Malware that has taken hold in your network almost always has to phone home to its command-and-control (C2) infrastructure to receive instructions or updates. Because attackers usually point their implants at domain names rather than fixed addresses (so they can move infrastructure without touching the victim), infected hosts will repeatedly look up the same attacker-controlled names. By mining your DNS logs you can check whether queries for known-bad domain names, or answers pointing at known-bad IP addresses, have come from your systems. How much this catches depends on how current your "blacklist" of criminal domains is, and on how strictly your network rules constrain which destination IPs the resolved names may reach; with a good list and firm rules, DNS logs let you spot these anomalies quickly. Repeated lookups of the same unfamiliar name from one host, or lookups at odd hours, are worth a look even when the name is not yet on any list.
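The checks described above, as an added example written for this page rather than code from the original post or the webinar. It parses a constructed, simplified log format of the form "timestamp client qname qtype answer" (real resolvers such as BIND or Unbound use their own layouts, so the parser is the part you would adapt), matches each query against a hypothetical blocklist of domains and IP ranges, and then flags hosts that keep resolving the same name and queries made outside business hours. The log lines, blocklist entries, business-hours window and all function names are assumptions for illustration.

```python
"""Mine DNS query logs for known-bad domains/IPs, repeated lookups and after-hours queries."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log in a hypothetical "timestamp client qname qtype answer" layout.
SAMPLE_LOG = """\
2024-03-11T09:15:02 10.0.1.25 www.example.com A 93.184.216.34
2024-03-11T09:15:07 10.0.1.25 cdn.example.net A 203.0.113.5
2024-03-11T09:45:07 10.0.1.40 update.bad-c2.example A 198.51.100.77
2024-03-11T10:45:09 10.0.1.40 update.bad-c2.example A 198.51.100.77
2024-03-11T11:45:11 10.0.1.40 update.bad-c2.example A 198.51.100.77
2024-03-11T23:10:44 10.0.1.77 files.example.org A 192.0.2.200
2024-03-12T02:30:15 10.0.1.77 mail.example.com A 192.0.2.9
2024-03-12T02:31:00 10.0.1.12 x1.legit-looking.example A 198.51.100.130
"""

# Constructed blocklist (hypothetical values): bad domains match by suffix, bad IPs by range.
BAD_DOMAINS = {"bad-c2.example"}
BAD_NETWORKS = [ipaddress.ip_network("198.51.100.128/25")]
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed working day, local time


def parse_dns_log(text):
    """Parse log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, answer = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "qname": qname.rstrip(".").lower(),  # normalise trailing dot and case
            "qtype": qtype,
            "answer": answer,
        })
    return records


def domain_is_listed(qname, bad_domains):
    """True if qname or any parent domain is on the blocklist (sub.bad.example matches bad.example)."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def answer_is_listed(answer, bad_networks):
    """True if the resolved address falls inside a blocklisted range; non-IP answers never match."""
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return any(addr in net for net in bad_networks)


def blocklist_hits(records, bad_domains=BAD_DOMAINS, bad_networks=BAD_NETWORKS):
    """Return (client, qname, reason) for every record that matches the blocklist."""
    hits = []
    for r in records:
        if domain_is_listed(r["qname"], bad_domains):
            hits.append((r["client"], r["qname"], "domain"))
        elif answer_is_listed(r["answer"], bad_networks):
            hits.append((r["client"], r["qname"], "answer-ip"))
    return hits


def repeated_lookups(records, min_count=3):
    """(client, qname) pairs resolved at least min_count times: candidate beaconing, listed or not."""
    counts = Counter((r["client"], r["qname"]) for r in records)
    return {pair: n for pair, n in counts.items() if n >= min_count}


def after_hours(records, hours=BUSINESS_HOURS):
    """Names queried outside the business-hours window, grouped by client."""
    start, end = hours
    out = defaultdict(list)
    for r in records:
        if not (start <= r["ts"].time() < end):
            out[r["client"]].append(r["qname"])
    return dict(out)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for hit in blocklist_hits(recs):
        print("blocklist hit:", hit)
    for (client, qname), n in repeated_lookups(recs).items():
        print(f"{client} resolved {qname} {n} times")
    for client, names in after_hours(recs).items():
        print(f"{client} queried after hours: {names}")
```

Note that the second check (repeated lookups) and the third (after-hours queries) do not depend on the blocklist at all, which is the point: a fresh C2 domain will not be on anyone's list yet, but an implant that polls it every hour still leaves a regular pattern in the log. Matching answers against IP ranges rather than exact addresses catches the case where the attacker rotates names but keeps the hosting provider.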
It's not a comprehensive technique for detecting persistent threats, but it is a good, budget-friendly start.
Here is a recent webinar we did on the subject of mining DNS logs.