Why the Cyber Threat Hunter Needs DNS
In our latest webinar in our cyber security series, we welcome Cyxtera Cyber Security Officer Chris Day.
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.This article summarizes a webinar featuring Cyxtera Chief Cyber Security Officer Chris Day on the evolving role of threat hunters and how DNS can be used as a sensor to detect malicious activity. It explains the real-world problem that 91% of malware leverages DNS, describes the technical environment around DNS queries, resolvers, tunneling and telemetry placement, and outlines the operational impact of using DNS analytics and heuristics to surface threats. The key outcomes are that threat hunters should treat DNS as valuable security data, place sensors close to local resolvers, and focus on patterns in queries and responses to find human-driven, creative malicious behavior before significant damage occurs.
Why is DNS particularly valuable to threat hunters according to the webinar?
Chris Day emphasizes DNS as a central mechanism that connects devices to networks, making it a common vector for malware—he cites that 91% of malware uses DNS. DNS queries carry signals such as character count, query frequency, domain age, and first-time lookups that can indicate malicious activity like tunneling or command-and-control communications. Because DNS resolution is ubiquitous and can be observed close to the local resolver, threat hunters can use DNS telemetry and pattern analysis to detect anomalies and infer attacker behavior even when other security stacks miss it.
What specific DNS patterns or indicators should threat hunters look for to detect tunneling and other abuse?
The webinar highlights several indicators: unusually long domain name strings (near the RFC character limits), rapid bursts of queries, high frequency from multiple hosts for previously unseen domains, and first-time domain queries. Tunneling abuses DNS by encoding data into long, frequent queries to exfiltrate information, so spotting excessive character counts and large query volumes is critical. Additionally, combining query-side signals (who asked and how often) with response-side context and simple heuristics or analytics helps separate benign anomalies from malicious tunneling behavior.
Where should DNS sensors be placed and why does sensor location matter for threat hunting?
Chris Day recommends placing sensors as close to the local resolver as possible so hunters can observe every outgoing query and its results, including queries that may later be satisfied from cache. Local-resolver proximity ensures visibility into the full set of clients making queries—if many machines query an unfamiliar domain that then becomes cached, only sensors near the resolver will capture that initial activity. This volume and granularity provide the context needed to identify suspicious patterns, such as multiple hosts querying a new domain or rapid sequences of long queries indicative of tunneling.
In our latest webinar in our cyber security series, we welcome Cyxtera Cyber Security Officer Chris Day. Our last webinar, former Homeland Security advisor Dick Clarke focused on the changing role of the CISO. This time, Chris Day tackles the issues facing those on the front lines, those who are securing the networks and investigating the breaches: the threat hunters.
Before becoming the Chief Cyber Security Officer at Cyxtera, Chris was also the CISO at Invincea, the CTO for Packet Forensics and Chief Security Architect for Terramark (which was acquired by Verizon). He’s also served on the President’s Secure Government Communications Subcommittee.
Threat hunters are a proactive bunch. Their aim is to act before the damage is done. As Chris puts it, “Cyber threat hunting is about taking that less structured look at your network.” It’s about leveraging tools and data sources that aren’t typically part of your cyber security stack but can still help the hunter glean what has happened during a breach. DNS is traditionally thought of as infrastructure, but by shifting their perspective and changing how they look at DNS data, threat hunters can use DNS as a sensor for network activity. That being said, their biggest challenge isn’t necessarily the data itself, but reading and combing through it.
Chris walks us through the growing role of the threat hunter and how threat hunters can be (and should be) leveraging DNS as a weapon, shining a great deal of light on a few invaluable facets of the threat hunter’s role: the value of DNS data, the humanity behind it, and the insights within it.
Finding the Needle in your DNS Haystack
It’s a stat that you may have seen us using repeatedly, mostly because it’s so drastic. 91% of malware uses DNS, and it’s no wonder. “DNS is the central mechanism to connect devices to a network,” emphasizes Chris. It’s also important to control how DNS resolution occurs in your specific network environment. So how can a threat hunter use DNS data to effectively interpret what kind of attack is taking place or has taken place?
Simply, by looking for abnormalities within the DNS data that hint at malicious activity. There are also patterns in the strings themselves. The character count, the frequency of the queries, the age of the domain itself, first-time domain queries – all of these can be indicators of malicious activity.
The Face of Malware is Human
Chris raised an oft-forgotten point: that there is a human being behind all malware. While threat hunters and network engineers are working on the ground within digital environments, there is always a human at work on the other side. And with that humanity comes curiosity, creativity, and unpredictability. Human beings are anything but rational, but that doesn’t mean that they don’t leave behind hints and trails. Finding the right patterns within queries and suspicious-looking domains is where threat hunters earn their title. Because the biggest challenge is not the data itself. It’s finding insights within the data.
Reading Between the Queries
Chris uses tunneling as a prime example pattern-finding. Tunneling moves private data across a network in a way that makes them appear as public. “It opened people’s eyes about how malleable DNS can be and how it can be abused.”
Essentially, tunneling will make a number of rapid, lengthy queries, using the largest number of characters allowed by the DNS RFC’s (Request for Comments).
In order to effectively interpret all this data, Chris prefers “sensors to be as close to the local resolver as possible.” This allows the threat hunter to see every result and query that’s going out even if it’s cached. While this may seem like a lot, there is value in volume. If the local resolver caches a query, but 15 other machines made queries to a domain you’ve never seen before, that’s something worth looking into.
What’s Next for the Threat Hunter?
2017 was defined by large scale cyber attacks like WannaCry and the Mirai botnet. These breaches seriously affected healthcare, financial institutions and more, and Chris believes 2018 will bring more of the same.
“As computers systems are starting to interact more in the physical space, particularly in the IoT space, cyber attacks start to have real-world impact.”
So where does this leave the threat hunter? Well, let’s just say they won’t be out of a job anytime soon. With the rising frequency and complexity of malware attacks, threat hunters and DNS data are more important to cyber security teams than ever.
While there is a “lack of awareness of the security utility” of DNS data, threat hunters can gain invaluable insights from it, even if they’re just analyzing a small amount of data in the queries in CSV files. By focusing on the queries as well as the responses while applying good analytics and heuristics, to use Chris’ terms, the threat hunter will put themselves in a much better position to succeed.
Published in:
Anna is a passionate content writer who’s always eager to learn something new about cyber security.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.