Content provided by Nisos, Inc.. All podcast content including episodes, graphics, and podcast descriptions are uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process outlined here https://player.fm/legal.
Holistic Uses of PDNS and BGP Data to Address Intelligence Needs in the Private Sector

39:30
 


In episode 70 of The Cyber5, we are joined by Open Source Context Director of Operations, Donald McCarthy.

We discuss external telemetry available to the private sector, focusing on passive Domain Name System data (passive DNS, or PDNS) and Border Gateway Protocol (BGP) data. These data sets are critical for threat intelligence teams, as they often provide crucial information on attacker infrastructure for the SOC, but they also help solve problems and provide context on a much broader scale.

Three Key Takeaways:

1) What is Passive DNS and how is it collected?

To simplify, passive DNS is a way of storing DNS resolution data so that security teams can reference past DNS record values to uncover potential security incidents or discover malicious infrastructure. Passive DNS is the historical phone book of the internet. Practitioners can collect it by:

  1. Collecting on the resolver: Gain access to the resolver and enable query/response logging, an approach often termed "T-ing the resolver." The client side of the DNS is the resolver. A resolver is responsible for initiating and sequencing the queries that ultimately lead to a full resolution (translation) of the resource sought, e.g., translation of a domain name into an IP address. Resolvers issue several kinds of queries: recursive, non-recursive, and iterative.
  2. Listening on the wire: Conventional DNS runs unencrypted over UDP port 53, so many security teams deploy a network sensor such as Bro (now Zeek), Security Onion, Snort, or Suricata to capture and then parse the traffic.

2) What is Border Gateway Protocol (BGP)?

  1. BGP is designed to exchange routing and reachability information between autonomous systems on the Internet and is often complementary to passive DNS.
  2. If PDNS is the historical phone book of the internet, Border Gateway Protocol (BGP) is the postal service of the Internet. BGP is the protocol that makes the Internet work by enabling data routing. For example, when a user in Thailand loads a website with origin servers in Brazil, BGP is the protocol that allows that communication to happen quickly and efficiently, usually through autonomous systems (ASes). ASes typically belong to Internet service providers (ISPs) or other large organizations, such as tech companies, universities, government agencies, and scientific institutions. Much of this information is collected and made available commercially.
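The two collection points above (a sensor parsing port-53 traffic, and BGP data used to complement PDNS) can be tied together in a few dozen lines. The following Python is an added example, not code from the episode or from Open Source Context: it aggregates constructed Zeek-style dns.log events into a passive DNS store, answers the "what did this name point at before?" question, and enriches each resolved address with the origin AS from a constructed BGP prefix table. All log lines, prefixes and AS numbers are made up; the Zeek field names (ts, query, qtype_name, answers) are assumed.

```python
import ipaddress
import json

# Constructed sample events in Zeek dns.log JSON style (documentation IPs, not real traffic).
SAMPLE_DNS_LOG = """
{"ts": 1648000000.0, "query": "www.example.test", "qtype_name": "A", "answers": ["203.0.113.10"]}
{"ts": 1648003600.0, "query": "www.example.test", "qtype_name": "A", "answers": ["203.0.113.10"]}
{"ts": 1648090000.0, "query": "www.example.test", "qtype_name": "A", "answers": ["198.51.100.7"]}
{"ts": 1648090500.0, "query": "cdn.example.test", "qtype_name": "CNAME", "answers": ["www.example.test"]}
"""

# Constructed BGP snapshot: announced prefix -> origin ASN (private-use ASNs as placeholders).
SAMPLE_BGP_TABLE = {"203.0.113.0/24": 64496, "203.0.113.0/25": 64498, "198.51.100.0/24": 64497}


def build_pdns(log_text):
    """Aggregate raw resolutions into a passive DNS store keyed by (rrname, rrtype, rdata)."""
    store = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        for rdata in ev.get("answers", []):
            key = (ev["query"].lower().rstrip("."), ev["qtype_name"], rdata)
            rec = store.setdefault(key, {"first_seen": ev["ts"], "last_seen": ev["ts"], "count": 0})
            # Repeat sightings widen the observation window and bump the hit count.
            rec["first_seen"] = min(rec["first_seen"], ev["ts"])
            rec["last_seen"] = max(rec["last_seen"], ev["ts"])
            rec["count"] += 1
    return store


def history(store, name):
    """Every value a name has ever pointed at, oldest first: the 'historical phone book' lookup."""
    return sorted(((k[1], k[2], v["first_seen"]) for k, v in store.items() if k[0] == name), key=lambda t: t[2])


def origin_as(ip, bgp_table):
    """Longest-prefix match of an address against the BGP snapshot; None if nothing announces it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in bgp_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)  # a more specific announcement wins, as in real routing
    return best[1] if best else None


def enrich(store, bgp_table):
    """Tag each A/AAAA record with its origin AS: pivot from 'which IPs' to 'which networks'."""
    return {k: origin_as(k[2], bgp_table) for k in store if k[1] in ("A", "AAAA")}
```

A real deployment would persist the store and refresh the prefix table from a routing-data feed; the join logic is the same.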

3) Use Cases for PDNS and BGP in the SOC:

  1. Identifying attacker or botnet infrastructure.
  2. Identifying all internet-facing infrastructure in business use.
  3. Identifying tactics, techniques, and procedures of attackers.

4) Use Cases for PDNS and BGP outside of the SOC:

  1. Verify internet-facing applications and infrastructure, and check for signs of compromise, as part of merger and acquisition (M&A) due diligence.
  2. Verify suppliers' internet-facing applications and infrastructure, and check them for signs of compromise.
  3. Review competitors' staging infrastructure to anticipate product launches.
  4. Investigate threatening emails to executives.
  5. Investigate disinformation websites and infrastructure.

5) Enrichment is King and Does Not Need to Be Resource Intensive

If security teams are not engaging with the business to solve problems that put revenue generation at risk, data sets like PDNS or BGP do not matter. For example, if an organization does not control DNS at its borders, it loses much of the visibility needed to reduce risk and may give away proprietary information.
