As cyberattacks grow more robust and sophisticated every day, the cybersecurity world has had to shift its approach, and cyber resilience has become the new norm. Cyber resilience rests on the premise that cyber risks are no longer just IT risks but also business risks. As such, organizations must secure all aspects of their business so that when a cyber incident occurs, it causes less disruption. Equally important, the incident in question must be carefully studied so that similar ones are less likely to happen again.
A passive DNS database, which gives a historic perspective on the changes made in the domain name system (DNS) over time, might help organizations in this regard. How so? By knowing malicious domain associations, organizations can stay a step ahead of threat actors. Cyber attackers, no matter how crafty, tend to use the same infrastructure repeatedly, thereby leaving digital traces that can lead cybersecurity professionals to more indicators of compromise (IoCs).
Improving Cyber Resilience Using a Passive DNS Database
Obtaining past Domain Name System (DNS) records, and therefore the exact IP address a given hostname once pointed to, used to be impossible. But thanks to passive DNS, introduced by Florian Weimer in 2005, cybersecurity teams can now see historical DNS records. A passive DNS database can help organizations improve their cyber resilience by giving them the means to track whatever DNS clues cybercriminals left behind and so deter future attacks of the same type. Here’s how:
1. Obtain the Actual IP Address Used by the Offending Domain
Suppose you encounter or hear from trusted sources about the suspicious domain name, track[.]amishbrand[.]com. (Note that this domain is an IoC related to the delivery of malware through the FakeUpdates campaign.)
DNS Database Download will tell you that on February 14, 2020, it resolved to the IP address 81[.]4[.]122[.]193. The domain has no other records, which suggests it was not used in a denial-of-service (DoS) attack (if it had been, it would have resolved to an unusually high number of IP addresses).
2. Reveal Associated Domains
Our passive DNS database, which gives access to more than 500 billion historical DNS records, would also enable you to obtain a list of all domains that resolve to the same IP address. For example, for the IoC we cited above, you would find that 81[.]4[.]122[.]193 is associated with the domain found[.]unitedmedstaffing[.]com, which was also last updated on February 14, 2020.
At this point, cybersecurity teams can decide to blacklist the domain and IP address to make sure these won’t cause any harm in the future. Others would argue, though, that IP blacklisting may be too restrictive. In that case, you can investigate further and check the reputation of the connected domain.
3. Check the Reputation of Connected Domains
Blocklists and malware data feeds such as VirusTotal can help you decide whether or not to block a suspicious domain. For instance, the domain track[.]amishbrand[.]com is tagged as malicious in seven malware detection engines and labeled “suspicious” in one. The other domain found[.]unitedmedstaffing[.]com, on the other hand, is supposedly “clean” or safe to access (at the time of writing).
However, when it comes to ensuring cyber resilience, there’s no such thing as overprotectiveness. Even if found[.]unitedmedstaffing[.]com is deemed clean by a malware database, the fact that it was last updated on the same date as the offending domain should raise a red flag.
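The three steps above are one pivot: look up the IoC’s historical resolutions, find every other hostname that resolved to the same address, then combine a reputation verdict with the last-seen date to decide what to do. The script below is an added illustration of that workflow, not code from the article or from WhoisXML API. The passive DNS rows, the reputation counts, the threshold and every function name are constructed for the example; the two hostnames and the IP are the IoCs cited in the article, and the remaining rows are made up so the pivot has something to discard.

```python
"""Pivot from one IoC hostname through passive DNS data to related hostnames.

Everything here is constructed for illustration: the record layout, the
reputation feed stand-in and the function names are assumptions, not the
format or API of any real passive DNS product.
"""
from datetime import date

# Constructed passive DNS export: (hostname, rrtype, rdata, last_seen).
# Rows 1 and 2 are the IoCs cited in the article; rows 3 and 4 are made up.
PDNS_RECORDS = [
    ("track.amishbrand.com",        "A", "81.4.122.193", date(2020, 2, 14)),
    ("found.unitedmedstaffing.com", "A", "81.4.122.193", date(2020, 2, 14)),
    ("cdn.example-legit.net",       "A", "81.4.122.193", date(2018, 7, 3)),
    ("www.example-legit.net",       "A", "203.0.113.10", date(2020, 2, 14)),
]

# Constructed stand-in for a reputation feed: hostname -> number of engines
# flagging it as malicious. A real check would query the feed instead.
REPUTATION = {
    "track.amishbrand.com": 7,
    "found.unitedmedstaffing.com": 0,
    "cdn.example-legit.net": 0,
}

# Heuristic from the article: a hostname that resolved to an unusually large
# number of addresses points at DoS or fast-flux use rather than one host.
# The cut-off is an assumption for this example.
MANY_IPS_THRESHOLD = 20


def refang(name: str) -> str:
    """Normalise defanged notation such as 'a[.]b' to 'a.b' for matching."""
    return name.replace("[.]", ".").strip().lower()


def resolutions(records, hostname):
    """Step 1: every IP the hostname resolved to, with its latest last-seen date."""
    host = refang(hostname)
    seen_by_ip = {}
    for h, rrtype, rdata, seen in records:
        if rrtype == "A" and refang(h) == host:
            ip = refang(rdata)
            seen_by_ip[ip] = max(seen, seen_by_ip.get(ip, seen))
    return seen_by_ip


def pivot_on_ip(records, ip):
    """Step 2: every hostname that resolved to this IP, with its latest last-seen date."""
    ip = refang(ip)
    seen_by_host = {}
    for h, rrtype, rdata, seen in records:
        if rrtype == "A" and refang(rdata) == ip:
            host = refang(h)
            seen_by_host[host] = max(seen, seen_by_host.get(host, seen))
    return seen_by_host


def triage(records, reputation, seed):
    """Steps 1-3 combined: a verdict for the seed and for every connected hostname."""
    seed = refang(seed)
    seed_ips = resolutions(records, seed)
    verdicts = {}
    if len(seed_ips) > MANY_IPS_THRESHOLD:
        verdicts[seed] = f"review: {len(seed_ips)} resolutions, possible DoS/fast-flux use"
    else:
        verdicts[seed] = f"block: flagged by {reputation.get(seed, 0)} engines"
    for ip, seed_seen in seed_ips.items():
        for host, seen in pivot_on_ip(records, ip).items():
            if host == seed:
                continue
            hits = reputation.get(host, 0)
            if hits > 0:
                verdicts[host] = f"block: flagged by {hits} engines, shares {ip}"
            elif seen == seed_seen:
                # Clean in the feeds, but updated the same day as the IoC: red flag.
                verdicts[host] = f"review: clean in feeds but last seen on {ip} the same day as {seed} ({seen})"
            else:
                verdicts[host] = f"low priority: shares {ip} but last seen {seen}"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(PDNS_RECORDS, REPUTATION, "track[.]amishbrand[.]com").items():
        print(f"{host:32} {verdict}")
```

Run as is, the script blocks the seed, sends found.unitedmedstaffing.com for review because its last-seen date matches the seed’s despite a clean reputation, and demotes the older co-resident hostname; the hostname on the unrelated address never enters the result because the pivot only follows the seed’s own resolutions. The `refang` helper lets analysts paste defanged IoCs straight from a report.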
* * *
Using a passive DNS database in conjunction with other security solutions and systems can help improve organizations’ cyber resilience because it helps cybersecurity experts identify IoCs.