DNS Threat Hunting with Securd

A cloud-based DNS firewall, such as Securd, can be an effective tool for threat hunting by security analysts. Here is a basic step-by-step guide on how a security analyst can use Securd for threat hunting:

  1. Set up Securd: The first step in using Securd for threat hunting is to set up the service. Configure your network to send DNS data to Securd, and setting up access to the Securd web interface.
  2. Collect and analyze DNS data: Once Securd is set up, Securd will begin collecting and analyzing DNS data from your network in real-time. This data can include DNS queries, responses, and other metadata such as the source and destination IP addresses of the traffic.
  3. Identify indicators of compromise: One of the primary benefits of using Securd for threat hunting is the ability to quickly identify indicators of compromise (IOCs) in DNS data. Some common IOCs that can be detected using Securd include:
    1. Domain names associated with known malware or phishing campaigns
    2. DNS queries for non-existent domains (NX domains)
    3. DNS responses containing malicious payloads
    4. Sudden increase in the number of DNS queries or responses
    5. Low DigitalStakeout Domain Rank resolutions
    6. Sudden burst of new Securd Greywall entries
  4. Investigate suspicious activity: If you identify any suspicious activity or IOCs using Securd, it is important to investigate further to confirm the existence of a threat and to determine its nature and scope. This may involve conducting additional analysis of DNS data, as well as other types of data such as network traffic and system logs.
  5. Take action: If you confirm the existence of a cyber threat, it is important to take action to mitigate the threat and prevent further damage. This may involve blocking malicious traffic by Securd policy, quarantining infected devices, and implementing additional security measures to prevent connectivity to the malicious domain(s) and future attacks.