
Security Insider Interview Series: Chris Roosenraad, Director of Product Management, and John McArthur, Senior Product Manager, IP Intelligence

Reputation is critical when examining domain names and IP addresses. Neustar’s Chris Roosenraad, Director of Product Management, and John McArthur, Senior Product Manager, IP Intelligence, discuss how to use passive DNS data to establish reputation and boost threat intelligence.



Could you define passive DNS data and explain how it can be put to best use?

Roosenraad: The idea behind passive DNS data is you watch queries going from the DNS server to the outside world. The security value is you get a snapshot of what somebody was looking for—this resource mapped to this IP address at this time. If you have one DNS entry that has mapped to an IP address for a long time, you can be confident that’s a legitimate business. You can infer reputational context from DNS entries. The other thing about passive DNS, as opposed to an active probe, is that you see the Internet as it really is, not what the probe thinks it is.

McArthur: With passive DNS data, you’re gaining insight into domains and associated IP addresses active on the Internet, how long they’ve been active, and how domains are connected to other domains.

What sort of intelligence can one gain from this analysis?

Roosenraad: The big thing passive DNS gives you is reputation where before you had none. And reputation is becoming more important. If you see a new domain, you want to learn something about it. If it claims to be an accounting firm in Los Angeles and the IP address points to a server in Kazakhstan, that’s a giant red flag.

Is passive DNS data more valuable when used in conjunction with other types of data?

Roosenraad: Reputation is ephemeral. It’s hard to gain and easy to lose. When you combine different data points, they form something better. The more data points you have, the more valuable that data becomes. You can combine passive DNS data sets with other kinds of data from things like IP Geo and IP Rep.

McArthur: There’s an initial layer of understanding you can get with passive DNS data about what’s active on the Internet and how long it has been active. Then you can enrich that with threat intelligence you’d get from IP Geo and IP Rep about IP addresses linked to domains. Those help you sift out the gold in the data set.

Roosenraad: We would expect all DNS entries to point to a machine or server. If there is a human being behind the IP address, that’s a huge red flag.

What are some of the risks of not performing this level of analytics?

Roosenraad: There aren’t specific risks, but it’s opportunity lost. It’s there—how you use it is up to you. The more an organization is dependent on the Internet, the more important it is to have additional sources of data to extrapolate reputation. It goes from being nice to have to mission critical. The criminals have gotten smarter, so we have to look for ways to identify new malicious behavior.

McArthur: It adds a new element to being able to better understand the reputation of incoming network traffic, as well as identify risky domains and websites that enterprises should avoid. It’s a powerful arrow that should be in the quiver of threat intelligence professionals.
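The heuristics the two interviewees describe (a long, stable name-to-address mapping as positive evidence; a newly seen domain, a geolocation that contradicts what the site claims about itself, and an end-user address rather than a server as red flags) can be carried into a small scorer that runs over passive DNS records and enriches them with IP geolocation and IP reputation lookups. The following is an added example written for this page; it is not Neustar's code, data, or scoring model. The records, the IP Geo and IP Rep stand-in tables, the claimed-country input and the weights are all constructed assumptions; the record shape (rrname, rdata, time_first, time_last, count) follows the common passive DNS export format.

```python
"""Score domain reputation from passive DNS records enriched with
IP geolocation and IP reputation. Added example; all data is constructed."""
from datetime import datetime, timezone

# Constructed passive DNS observations (not real data), one row per
# (name, address) pair, in the usual rrname/rdata/time_first/time_last/count shape.
PDNS_RECORDS = [
    {"rrname": "acme-accounting.example", "rdata": "198.51.100.10",
     "time_first": "2012-03-01T00:00:00Z", "time_last": "2017-05-30T00:00:00Z", "count": 48211},
    {"rrname": "acme-accounting.example", "rdata": "198.51.100.11",
     "time_first": "2015-01-10T00:00:00Z", "time_last": "2017-05-30T00:00:00Z", "count": 9930},
    {"rrname": "acme-bookkeeping-la.example", "rdata": "203.0.113.77",
     "time_first": "2017-05-28T09:00:00Z", "time_last": "2017-05-30T00:00:00Z", "count": 12},
    {"rrname": "invoice-portal.example", "rdata": "192.0.2.200",
     "time_first": "2017-05-29T18:00:00Z", "time_last": "2017-05-30T00:00:00Z", "count": 3},
]

# Constructed stand-ins for the IP Geo and IP Rep lookups (assumed tables):
# country code per address, and whether the address is an end-user
# (residential/dynamic) assignment rather than hosting infrastructure.
IP_GEO = {"198.51.100.10": "US", "198.51.100.11": "US",
          "203.0.113.77": "KZ", "192.0.2.200": "US"}
IP_END_USER = {"198.51.100.10": False, "198.51.100.11": False,
               "203.0.113.77": False, "192.0.2.200": True}

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2017, 5, 31, tzinfo=timezone.utc)


def _ts(s):
    """Parse the ISO-8601 Zulu timestamps used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aggregate(records):
    """Collapse per-(name, address) rows into one summary per domain:
    earliest first-seen, latest last-seen, the set of addresses, total hits."""
    out = {}
    for r in records:
        s = out.setdefault(r["rrname"], {
            "first_seen": _ts(r["time_first"]), "last_seen": _ts(r["time_last"]),
            "ips": set(), "count": 0})
        s["first_seen"] = min(s["first_seen"], _ts(r["time_first"]))
        s["last_seen"] = max(s["last_seen"], _ts(r["time_last"]))
        s["ips"].add(r["rdata"])
        s["count"] += r["count"]
    return out


def score_domain(summary, claimed_country=None, now=NOW):
    """Return (score, reasons). Score starts neutral at 50; stable history
    raises it, red flags lower it; result is clamped to 0..100.
    Weights are illustrative assumptions, not a published model."""
    score, reasons = 50, []
    age_days = (now - summary["first_seen"]).days
    if age_days >= 365:
        score += 30
        reasons.append(f"mapping stable for {age_days} days")
    elif age_days < 7:
        score -= 20
        reasons.append(f"first seen only {age_days} days ago")
    for ip in sorted(summary["ips"]):
        country = IP_GEO.get(ip)
        if country is None:
            reasons.append(f"{ip}: no geolocation data")
            continue
        if claimed_country and country != claimed_country:
            score -= 25
            reasons.append(f"{ip} geolocates to {country}, site claims {claimed_country}")
        if IP_END_USER.get(ip):
            score -= 35
            reasons.append(f"{ip} is an end-user assignment, not a server")
    return max(0, min(100, score)), reasons


def score_all(records, claims):
    """Score every domain in the feed; `claims` maps domain -> country it
    says it operates from (e.g. from the site's own contact page)."""
    return {d: score_domain(s, claims.get(d)) for d, s in aggregate(records).items()}


if __name__ == "__main__":
    claims = {"acme-accounting.example": "US", "acme-bookkeeping-la.example": "US"}
    for domain, (score, reasons) in score_all(PDNS_RECORDS, claims).items():
        print(f"{domain:30} score={score:3}  " + "; ".join(reasons))
```

The old accounting domain ends up with a high score on the strength of a five-year mapping alone; the "Los Angeles" bookkeeper whose only address sits in another country and the brand-new portal hosted on an end-user address both fall to the floor, each with the specific reason recorded so an analyst can check it rather than trust a bare number. In practice the two lookup tables would be replaced by calls to the IP Geo and IP Rep services, and the claimed country would come from whatever the site asserts about itself.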


Copyright © 2017 IDG Communications, Inc.