In the ever-evolving landscape of cybersecurity, understanding how attackers establish and maintain their attack infrastructure is crucial for building robust defenses.
A recent study by Juniper Threat Labs sheds light on the sophisticated methods attackers use to set up their operations, focusing on techniques like IP churn and changing hosting providers and how passive DNS can be leveraged to discover malicious infrastructure proactively.
Passive DNS, a collection of DNS logs gathered from distributed network sensors, has emerged as a powerful tool for threat hunters. Unlike traditional DNS logging methods, passive DNS sensors can be strategically placed along various network paths, offering a comprehensive view of DNS traffic without compromising user privacy or incurring high storage costs.
Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar
Threat Hunting Process Via Passive DNS
Juniper Threat Labs has developed a sophisticated process to leverage passive DNS data for proactive threat detection:
- Seed Infrastructure: The process begins with a list of known malicious domains and IP addresses from threat intelligence feeds.
- Historical Relationship Analysis: Passive DNS data is queried to identify historical connections to the seed infrastructure.
- Noise Reduction: Advanced techniques, including the use of top site lists and popularity estimation, are employed to filter out irrelevant domains and IPs.
- Validation and Ranking: The discovered artifacts are validated using open-source intelligence and ranked based on timing and third-party detections.
The effectiveness of this approach was demonstrated in tracking the CatDDoS botnet, an evolved version of the Mirai malware. Over six months, researchers observed the botnet’s frequent changes in server locations and hosting providers, a tactic known as “infrastructure churn.” This constant shifting of resources makes traditional tracking methods challenging.
In a recent case, Juniper Threat Labs identified emerging threats before public disclosure. The team uncovered a campaign abusing Cloudflare tunnels to deliver Remote Access Trojans (RATs). This attack, which began in February 2024, utilized phishing emails to initiate a multi-stage infection process, ultimately deploying various RAT families, including XWorm, AsyncRAT, and VenomRAT.
By leveraging passive DNS data, Juniper Threat Labs identified seven additional domains and two IP addresses related to the RAT campaign beyond what was initially reported by other security firms.
This proactive approach enables defenders to stay ahead of attackers, forcing them to constantly allocate new resources and increasing their operational costs.
Juniper Threat Labs’ innovative use of passive DNS data represents a significant advancement in cybersecurity defense strategies. This approach provides defenders with a crucial time advantage by uncovering attacker infrastructure before it’s actively used.
As cyber threats continue to evolve, such proactive hunting techniques will play an increasingly vital role in protecting organizations and individuals from sophisticated attacks.
Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses