by David Schwalenberg
March 17, 2015
The Domain Name Service (DNS) protocol is used to translate (or "resolve") human-friendly Internet domain names into IP addresses. Malware, once it infects a system, will often have a hard-coded list of domains that it attempts to contact in rapid succession for further instructions. This "beaconing" of the malware can be detected by monitoring for spikes in failed DNS queries, as many of these hard-coded domains may no longer exist and so the DNS queries will fail.
Tenable's Passive Vulnerability Scanner (PVS) can detect failed DNS queries and forward those detections via syslog to the Log Correlation Engine (LCE). LCE can then summarize these events and perform statistical analysis, triggering anomaly events if warranted.
This report highlights hosts that have such anomalies in failed DNS query activity, and presents summaries of the domains that were attempting to be resolved. An analyst can use this report to discover hosts infected with beaconing malware. Other activity, such as hosts attempting to access suspicious sites or DNS tunneling, may also be detected using this report.
The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the SecurityCenter Feed under the category Monitoring. The report requirements are:
- SecurityCenter 4.8.2
- PVS 4.2.0
- LCE 4.4.1
Tenable's SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.
The following chapters are included in the report:
- Executive Summary - This chapter gives a high level overview of anomalies in the failed DNS query activity detected on the network. Spikes in the number of failed DNS queries are not normally expected, and should be investigated. These anomalies may indicate beaconing malware or other suspicious activity.
- DNS Query Failure Anomalies - This chapter presents the hosts that have anomalies in counts of failed DNS queries, and gives information on the domains that were attempting to be resolved. An analyst can use this information to discover hosts attempting to access suspicious sites, or malware attempting to beacon out.