The CyberSift Packet Capture Parser — DNS Queries

David Vassallo
Published in CyberSift
Aug 22, 2018

This article is part of a series on the CyberSift Packet Capture Parser. In this article we’ll discuss the simple yet useful “DNS Queries” module.

DNS is an often overlooked fertile ground for threat hunting.

The “DNS Queries” module simply lists every DNS query for an A record found within the packet capture.

Besides giving you a better idea of the activity going on within your network, this list is also a very useful indicator of compromise, especially against Trojans, ransomware or any other malware that uses Domain Generation Algorithms (DGAs) to contact its Command and Control (C&C) servers. DGA-generated domains tend to have a very unusual structure which an analyst can pick out easily (the full version of CyberSift helps out by highlighting which domains are unusual or have a different syntactic structure from the other domains).
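As an added illustration of what such a module does (example code written for this article, not CyberSift’s own implementation), the following parses the question section of a raw DNS message, keeps only A-record queries, and scores the registrable label’s character entropy as a crude “unusual structure” signal of the kind an analyst looks for with DGAs. It assumes the caller has already extracted the UDP port 53 payload from the capture (a pcap library would do that); the `build_query` helper and the sample names are constructed for offline testing.

```python
import math
import struct
from collections import Counter

QTYPE_A = 1  # RFC 1035 QTYPE value for an IPv4 address record


def parse_query_names(payload, qtype=QTYPE_A):
    """Return QNAMEs of all questions with the given QTYPE in one raw DNS message.
    Responses, truncated messages and malformed names yield what was safely parsed."""
    if len(payload) < 12:
        return []
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return []
    names, off = [], 12  # question section starts right after the 12-byte header
    for _ in range(qdcount):
        labels = []
        while off < len(payload):
            length = payload[off]
            off += 1
            if length == 0:  # root label terminates the name
                break
            if length & 0xC0:  # compression pointer: never valid in a query name
                return names
            labels.append(payload[off:off + length].decode("ascii", "replace"))
            off += length
        if off + 4 > len(payload):  # no room for QTYPE/QCLASS: truncated question
            break
        qt = struct.unpack("!H", payload[off:off + 2])[0]
        off += 4  # skip QTYPE and QCLASS
        if qt == qtype:
            names.append(".".join(labels))
    return names


def label_entropy(name):
    """Shannon entropy (bits/char) of the second-level label; DGA names score high."""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Constructed DNS query wire message (sample input, not taken from a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


if __name__ == "__main__":
    for n in ("www.example.com", "xk3j9q2zvbtw7.net"):  # constructed sample names
        found = parse_query_names(build_query(n))
        print(found, round(label_entropy(found[0]), 2))
```

Entropy alone is only a hint: short or dictionary-word DGAs score low, so it complements rather than replaces the analyst’s eye and the threat intelligence lookup described below.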

In order to help gather more data, clicking on any of the entries takes you to the IBM X-Force threat intelligence provider, which gives you further information about the domain in question. For example, the screenshot below shows X-Force listing a particular domain as having been involved in spam and malware:
