Threat Hunting with DigitalStakeout PDNS

Threat Hunting with DigitalStakeout PDNS

A cloud-based DNS firewall, such as DigitalStakeout PDNS, can be an effective tool for threat hunting by security analysts. Here is a step-by-step guide on how a security analyst can use PDNS for threat hunting:

  1. Set up PDNS: The first step in using PDNS for threat hunting is to set up the service. This typically involves starting by creating a free DNS account, configuring your network to send DNS data to PDNS, and setting up access to the PDNS web interface.

  2. Collect and analyze DNS data: Once PDNS is set up, PDNS will begin collecting and analyzing DNS data from your network in real-time. This data can include DNS queries, responses, and other metadata such as the source and destination IP addresses of the traffic.

  3. Identify indicators of compromise: One of the primary benefits of using PDNS for threat hunting is the ability to quickly identify indicators of compromise (IOCs) in DNS data. Some common IOCs that can be detected using PDNS include:

  • Domain names associated with known malware or phishing campaigns
  • DNS queries for non-existent domains (NX domains)
  • DNS responses containing malicious payloads
  • Sudden increase in the number of DNS queries or responses
  • Low DigitalStakeout domain rank resolutions
  • Sudden burst of new DigitalStakeout DNS Greywall entries
  1. Investigate suspicious activity: If you identify any suspicious activity or IOCs using PDNS, it is important to investigate further to confirm the existence of a threat and to determine its nature and scope. This may involve conducting additional analysis of DNS data, as well as other types of data such as network traffic and system logs.

  2. Take action: If you confirm the existence of a cyber threat, it is important to take action to mitigate the threat and prevent further damage. This may involve blocking malicious traffic by PDNS policy, quarantining infected devices, and implementing additional security measures to prevent connectivity to the malicious domain(s) and future attacks.

    • Related Articles

    • PagerDuty DigitalStakeout PDNS Integration

      Trigger DigitalStakeout PDNS alerts to PagerDuty, so you can remediate cyber security incidents faster. 1. Perform the PagerDuty Setup Process first. PagerDuty Setup Process Login to PagerDuty, go to the Configuration menu and select Services. On the ...
    • DigitalStakeout PDNS URL Proxy

      DigitalStakeout PDNS URL Proxy analyzes web traffic for high risk URLs. It examines the domain and full URL of request to determine if it is a threat. The targeted proxy performs HTTPS security analysis of good sites that are exploited to deliver ...
    • Managing DNS Security Threat Categories

      DigitalStakeout PDNS offers out-of-the box protection to the following types of malicious domains. These threat categories are maintained 24x7 and sourced from a global network of real-time threat intelligence including customer reports, partner ...
    • How does the DigitalStakeout PDNS Greywall Work?

      Greywalls reduce risk by limiting unwitting end-users from temporarily interacting with domains, host names, and URLs with zero histories, reputation, or generated by an algorithm. DigitalStakeout PDNS greywall uses observation data and reputation ...
    • Enabling DNSSEC in DigitalStakeout PDNS

      DNSSEC (Domain Name System Security Extensions) is a security protocol that provides authentication for DNS data. It is used to protect the internet's global Domain Name System (DNS) infrastructure from various types of attacks, such as spoofing and ...