leftatlantic.blogg.se

Splunk phantom support

This is highly dependent on what you want to automate and how much of it you want to automate. And most importantly, how much is your time and your other FTEs' time worth? If you have a proper SIEM, then at least you have automated the detection of the bad stuff. As an anecdote, several customers have asked me the same question, and when we looked at the requirements for both the remediation and forensics processes, it was crystal clear how much time and effort they would save by automating both the remediation steps and the forensics. The next logical part is to do forensics and remediation in an automated fashion.

One such workflow, detecting malicious domains from DNS logs, looks like this:

1. The internal DNS server blackholes/sinkholes requests for known-malicious domains before the query is ever forwarded to an external resolver.
2. Splunk receives both the DNS logs and the endpoint EDR logs.
3. A Splunk alert sends the DNS query and the IP/hostname of the client that made the request over to Phantom.
4. The Phantom playbook has steps to verify the domain with a whois lookup, to identify the user and process that made the request, and to perform the remediation steps: lock the user account, terminate the process on the host that asked for the malicious domain, and shut the host down remotely.
5. A further check goes to the firewall for unauthorized DNS requests: the firewall only allows the internal resolvers to make outbound DNS requests, and inbound is locked down to accept DNS only from their vetted external resolvers. (Personally, that is a nuclear approach, but it works for them.)
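The detection, correlation and playbook steps above, as an added example that is not the post's own code nor Splunk or Phantom code: a toy SOAR-style pipeline run over constructed log lines so it works offline. The resolver addresses, the sinkhole zone list, the key=value log format and the "escalate when no EDR match is found" default are all assumptions; in the real setup the SIEM search, the Phantom app actions and the firewall log format would each replace the corresponding function.

```python
"""Toy reimplementation of the DNS-detection and response flow described above.
Added example: not the post's, Splunk's or Phantom's code. All log lines,
addresses and zone names are constructed for illustration."""
import re
from typing import Dict, List, Tuple

# Assumed: the only hosts permitted to send DNS to external resolvers (step 5).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_PREFIX = "10."          # assumed internal address range
# Constructed sinkhole zone (step 1): a match or any subdomain counts as malicious.
SINKHOLE_ZONES = {"bad-domain.example", "c2.example"}

# Constructed sample logs in an assumed "timestamp key=value ..." format.
DNS_LOGS = [
    "2024-05-01T10:00:01Z client=10.0.5.21 query=bad-domain.example type=A",
    "2024-05-01T10:00:03Z client=10.0.5.30 query=www.example.com type=A",
    "2024-05-01T10:00:07Z client=10.0.5.21 query=evil.c2.example type=A",
]
EDR_LOGS = [
    "2024-05-01T10:00:00Z host=10.0.5.21 user=jdoe pid=4242 process=powershell.exe dns=bad-domain.example",
    "2024-05-01T10:00:02Z host=10.0.5.30 user=asmith pid=1880 process=chrome.exe dns=www.example.com",
]
FIREWALL_LOGS = [
    "2024-05-01T10:00:02Z src=10.0.0.53 dst=1.1.1.1 dport=53 proto=udp action=allow",
    "2024-05-01T10:00:04Z src=10.0.5.22 dst=8.8.8.8 dport=53 proto=udp action=deny",
    "2024-05-01T10:00:05Z src=10.0.5.23 dst=10.0.0.53 dport=53 proto=udp action=allow",
    "2024-05-01T10:00:06Z src=10.0.5.23 dst=93.184.216.34 dport=443 proto=tcp action=allow",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse 'key=value' tokens; the leading timestamp is stored under 'ts'."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = line.split()[0]
    return fields


def is_sinkholed(domain: str) -> bool:
    """Suffix match against the sinkhole zones (so sub.c2.example is caught,
    but notc2.example is not)."""
    d = domain.lower().rstrip(".")
    return any(d == z or d.endswith("." + z) for z in SINKHOLE_ZONES)


def detect_malicious_queries(dns_lines: List[str]) -> List[Tuple[str, str]]:
    """Steps 1-3: the SIEM side. Return (client, domain) for each sinkholed query."""
    hits = []
    for rec in map(parse_kv, dns_lines):
        if is_sinkholed(rec["query"]):
            hits.append((rec["client"], rec["query"].lower()))
    return hits


def correlate_edr(client: str, domain: str, edr_lines: List[str]) -> List[Dict[str, str]]:
    """Step 4, enrichment: EDR records from the same host that resolved the domain."""
    return [r for r in map(parse_kv, edr_lines)
            if r.get("host") == client and r.get("dns", "").lower() == domain]


def build_playbook(client: str, domain: str, edr_lines: List[str]) -> List[Tuple]:
    """Step 4, the ordered playbook. Without an EDR match there is no user or
    process to act on, so the playbook stops at enrichment and escalates
    (an assumed safe default, not something the post states)."""
    actions: List[Tuple] = [("whois", domain)]
    matches = correlate_edr(client, domain, edr_lines)
    if not matches:
        actions.append(("escalate_to_analyst", client))
        return actions
    for m in matches:
        actions.append(("lock_user", m["user"]))
        actions.append(("terminate_process", (client, int(m["pid"]))))
    actions.append(("shutdown_host", client))
    return actions


def unauthorized_dns(firewall_lines: List[str]) -> List[str]:
    """Step 5: internal hosts other than the resolvers sending DNS to external
    addresses, regardless of whether the firewall allowed or denied it."""
    offenders = set()
    for r in map(parse_kv, firewall_lines):
        if r.get("dport") != "53":
            continue
        if r["src"] in INTERNAL_RESOLVERS or r["dst"].startswith(INTERNAL_PREFIX):
            continue
        offenders.add(r["src"])
    return sorted(offenders)


if __name__ == "__main__":
    for client, domain in detect_malicious_queries(DNS_LOGS):
        print(client, domain, build_playbook(client, domain, EDR_LOGS))
    print("unauthorized DNS sources:", unauthorized_dns(FIREWALL_LOGS))
```

The suffix match in `is_sinkholed` matters: sinkhole zones are typically whole zones, so a query for a freshly generated subdomain of a listed zone should still trigger the playbook, while a lookalike such as `notc2.example` should not.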