
How to Use DNS History for Cybersecurity

by Mic Johnson

It’s unfortunate that the word “cybercrime” has become a household name, with virtually every individual having to learn how to stay safe online. In the corporate world, it’s no longer a matter of “if” a company gets attacked, but “when” it will get hacked.

Thus far, data-driven cybersecurity technologies have helped defenders keep up with ever-evolving cyberthreats. The passive Domain Name System (pDNS) is an example of useful data for that purpose. With tools powered by pDNS technology, we can look into the DNS history of domain names and IP addresses. In this post, we delve into the role of DNS history in fighting cyber attacks. But first, let’s get into the basics.

What Is DNS History?

DNS history refers to the past DNS resolutions stored in a pDNS database. Such historical data enables cybersecurity teams to discover what domain names once resolved to a specific IP address, along with the relevant date stamps.

Historical DNS data can be consumed by enterprises in the form of a database, an application programming interface (API), or a web-based lookup tool. These consumption models make for easier integration into existing security systems.

Using DNS History for Cybersecurity

To illustrate how historical DNS data can be used to enhance cybersecurity strategies, consider the IP address 94[.]23[.]90[.]226, which is tagged as an indicator of compromise (IoC) related to the Charming Kitten cybercriminal group. Charming Kitten is known to use domains that pass off as reputable news sites but actually host exploit kits. Among the news-related domains they have used in attacks are:

  • britishnews[.]com[.]co
  • britishnews[.]org
  • broadcastbritishnews[.]com

Digging into the DNS history of the IoC 94[.]23[.]90[.]226, we found that it is associated with the following domains and subdomains:

  • 94-23-90-226[.]ovh[.]net
  • ip226[.]ip-94-23-90[.]eu
  • mail[.]elektro-holding[.]pl
  • mail[.]market-a[.]com[.]ua
  • mail[.]obyvka[.]com[.]ua
  • market-a[.]com[.]ua
  • metronews[.]net[.]ua
  • obyvka[.]com[.]ua

Two of these domains could catch the attention of security teams—metronews[.]net[.]ua and market-a[.]com[.]ua. The first one looks similar to the news-related domains that Charming Kitten used in the past. The domain market-a[.]com[.]ua, on the other hand, is comparable to another IoC, market-account-login[.]net.

The IP address and its associated domains were not tagged as malicious on VirusTotal. However, that doesn’t mean that they are safe to access.

3 Cybersecurity Use Cases of DNS History

As seen in the illustration above, historical DNS records can provide more context on a single IoC. The same is true when you encounter a suspicious cyber incident and have to work with one IP address or domain name. In particular, DNS history can be used to:

  • Expand the list of threat IoCs: More artifacts related to a particular cybercrime can be uncovered by looking into published IoCs’ DNS history. While some associations might be benign, others could be worth inspecting further.
  • Investigate cyber incidents: More insights can be gleaned from a suspicious cyber alert by looking into the domain’s or IP address’s past associations. Threat actors may reuse their domain infrastructure, so DNS history could provide potential leads.
  • Enrich cybersecurity platforms: DNS history can further contextualize data provided by cybersecurity tools, such as threat intelligence platforms (TIPs) and security information and event management (SIEM) solutions. As a result, security experts can more effectively prioritize alerts.
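The pivot walked through above (one IoC IP, its historical resolutions, and the two names that stand out as look-alikes of published IoCs) and the three use cases just listed can be put together in a small enrichment routine. The following is an added example written for this post, not code from the original article or from any pDNS provider. The pDNS records are constructed: the IP and the names come from the article, the first/last-seen dates are invented, and the `203[.]0[.]113[.]7` / `example[.]org` row is an unrelated filler record from the documentation ranges. The look-alike test is a deliberately simple token match (labels split on hyphens, short labels such as TLDs ignored, plus an analyst-supplied "news" theme word), which is an assumption of this example rather than how any particular tool scores similarity.

```python
"""Pivot from one IoC IP address through passive-DNS history to related names,
flag look-alikes of known IoC domains, and produce a SIEM-style enrichment.

Added example; not the article's or any vendor's code. All records and dates
below are constructed for illustration (names/IP taken from the post).
"""
import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    rrname: str      # name that resolved (domain or subdomain), defanged
    rdata: str       # IP address it resolved to, defanged
    first_seen: date
    last_seen: date


def refang(name: str) -> str:
    """Turn 'a[.]b' back into 'a.b' for label handling."""
    return name.replace("[.]", ".")


# Constructed pDNS history (dates invented; last row is unrelated filler).
SAMPLE_PDNS = [
    PdnsRecord("94-23-90-226[.]ovh[.]net",    "94[.]23[.]90[.]226", date(2017, 3, 1),  date(2021, 1, 1)),
    PdnsRecord("ip226[.]ip-94-23-90[.]eu",    "94[.]23[.]90[.]226", date(2017, 3, 1),  date(2021, 1, 1)),
    PdnsRecord("mail[.]elektro-holding[.]pl", "94[.]23[.]90[.]226", date(2018, 5, 10), date(2019, 2, 20)),
    PdnsRecord("mail[.]market-a[.]com[.]ua",  "94[.]23[.]90[.]226", date(2019, 6, 1),  date(2020, 4, 30)),
    PdnsRecord("mail[.]obyvka[.]com[.]ua",    "94[.]23[.]90[.]226", date(2019, 6, 1),  date(2020, 4, 30)),
    PdnsRecord("market-a[.]com[.]ua",         "94[.]23[.]90[.]226", date(2019, 6, 1),  date(2020, 4, 30)),
    PdnsRecord("metronews[.]net[.]ua",        "94[.]23[.]90[.]226", date(2020, 1, 15), date(2020, 9, 1)),
    PdnsRecord("obyvka[.]com[.]ua",           "94[.]23[.]90[.]226", date(2019, 6, 1),  date(2020, 4, 30)),
    PdnsRecord("example[.]org",               "203[.]0[.]113[.]7",  date(2020, 1, 1),  date(2020, 12, 31)),
]

# Published IoC domains quoted in the article, defanged.
KNOWN_IOC_DOMAINS = [
    "britishnews[.]com[.]co",
    "britishnews[.]org",
    "broadcastbritishnews[.]com",
    "market-account-login[.]net",
]

# Analyst-supplied theme word (assumption): the group favours news-themed names.
THEME_WORDS = {"news"}

MIN_TOKEN = 4  # drop short labels such as TLDs ("com", "ua") and noise ("ip")


def tokens(name: str) -> set[str]:
    """Labels and hyphen-separated label parts of at least MIN_TOKEN characters."""
    out: set[str] = set()
    for label in refang(name).lower().split("."):
        for part in label.split("-"):
            if len(part) >= MIN_TOKEN:
                out.add(part)
    return out


def ioc_keywords(known: list[str], theme: set[str]) -> set[str]:
    """Keyword set derived from the known IoC domains plus theme words."""
    kws = set(theme)
    for d in known:
        kws |= tokens(d)
    return kws


def lookalike_hits(name: str, keywords: set[str]) -> set[str]:
    """Keywords contained in (or containing) one of the name's tokens."""
    toks = tokens(name)
    return {kw for kw in keywords for tok in toks if kw in tok or tok in kw}


def history_for_ip(records: list[PdnsRecord], ip: str) -> list[PdnsRecord]:
    """All names that ever resolved to `ip`, oldest first (the IoC-expansion step)."""
    return sorted((r for r in records if r.rdata == ip), key=lambda r: (r.first_seen, r.rrname))


def active_on(records: list[PdnsRecord], ip: str, when: date) -> list[str]:
    """Names resolving to `ip` on a given day (the incident-investigation step)."""
    return [r.rrname for r in history_for_ip(records, ip) if r.first_seen <= when <= r.last_seen]


def enrich_alert(ip: str, records: list[PdnsRecord], known: list[str],
                 theme: set[str], alert_date: str) -> dict:
    """Context a SIEM/TIP could attach to an alert on `ip` (the enrichment step)."""
    kws = ioc_keywords(known, theme)
    hist = history_for_ip(records, ip)
    flagged = {}
    for r in hist:
        hits = lookalike_hits(r.rrname, kws)
        if hits:
            flagged[r.rrname] = sorted(hits)
    return {
        "ioc": ip,
        "historical_names": [r.rrname for r in hist],
        "active_on_alert_date": active_on(records, ip, date.fromisoformat(alert_date)),
        "lookalike_candidates": flagged,          # names worth a closer look
        "priority": "high" if flagged else "medium",
    }


if __name__ == "__main__":
    result = enrich_alert("94[.]23[.]90[.]226", SAMPLE_PDNS, KNOWN_IOC_DOMAINS, THEME_WORDS, "2020-03-01")
    print(json.dumps(result, indent=2))
```

Run as a script, the routine lists all eight names from the article's pivot, narrows them to the ones still resolving on the alert date, and flags `metronews[.]net[.]ua` (via the "news" theme) and the two `market-a` names (via the "market" token shared with `market-account-login[.]net`) as look-alike candidates, which is exactly the judgement the post makes by eye. A benign association such as `mail[.]elektro-holding[.]pl` stays in the history but is neither flagged nor active on the alert date, matching the caveat that some pDNS associations are innocent.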

DNS history data has been helping security teams understand cyber incidents and gain more leads in cybercrime investigations. In fact, the ability to track cybercrime, particularly malware attacks, is the primary reason behind the development of pDNS. The logic is similar to predictive analytics that uses historical data to predict future events. If a domain or an IP address has past associations with a malicious asset based on historical DNS data, then chances are it is also unsafe to access.
