Partner Spotlight: Expose Adversaries’ Networks With Farsight Security

November 2, 2016 • Glenn Wong

Gain valuable insight into adversaries’ networks with Recorded Future and Farsight Security.

Editor’s Note

This is part of a series of blog posts on useful “all-source analysis” research and collaborative approaches using Recorded Future and our OMNI Intelligence Partners.

Summary

Farsight Security Passive DNS is an extension built into the Recorded Future Intel Cards. It enables an analyst to easily retrieve and pivot on passive DNS (pDNS) records for hostnames and IP addresses during their investigation to gain actionable insights into adversarial networks and associated actors.

Problem

A single suspicious IP address or domain name is often the start of a cyber investigation. Yet cyber criminals often use and discard hundreds of domain names for a single cyber attack to avoid detection, so most of these indicators remain hidden or undetected. Security analysts and incident response teams don’t have the time or resources to investigate every threat indicator.

As a result, investigations remain incomplete, and the uninvestigated infrastructure becomes the foundation for future attacks.

To efficiently perform investigations, security teams need to “turn back the clock” to view internet infrastructure as it was at a certain point in time. With this historic view, security teams can see how adversaries have “rolled” through related domains, IP addresses, and name servers to conceal their activity.


Solution

Every online transaction — good or bad — begins with a DNS lookup and leaves a trail of that activity. Passive DNS shines a light on this trail to provide invaluable, actionable intelligence for security analysts to expose bad actors, their associates, and the networks involved.

Farsight Security collects and processes more than 200,000 passive DNS observations per second. It has the world’s largest historical passive DNS database, with more than 13 billion domain names.

Recorded Future, combined with Farsight’s passive DNS intelligence, contains a wealth of insights about global threat actors, their methods, and associated technical indicators — organized in a single view on the following Intel Cards.

Intel Card Extension availability:

  • IP Address: Available
  • Domain: Available

IP Address Intel Card with the Farsight Security extension (figure): Intel Card for IP address 50.63.202.57 with the corresponding lookup response from Farsight Security.

With a click of a button on a single IP address or domain name, security analysts can use Farsight’s passive DNS to answer critical questions such as:

  • Given one domain as a starting point, what other domains share the same IP address?
  • Given one domain as a starting point, what other domains use the same name servers?
  • Show me all the IP addresses that foo.example.com used for the past week (or month, or three months, or year).
  • What are all the fully qualified domain names (hostnames) that are known to exist under a domain of interest?
  • Given the IP address range 128.223.0.0/16, what hosts are known to have used IP addresses from that range?
  • Show me domains that include the word “rolex,” or show me domains that use variants of “rolex” such as “r0lex” or “ro1ex.”

These are very powerful capabilities, particularly if you’re working on cyber criminal enterprises that use a lot of different domains.
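The pivots in the list above, as an added example that is not Recorded Future’s or Farsight’s code: a small Python model of each question run over a constructed set of pDNS observations (the records, the IP addresses other than the 128.223.0.0/16 range mentioned above, and the homoglyph table are all constructed for illustration; the record shape rrname/rrtype/rdata/time_first/time_last is the usual pDNS layout, not Farsight’s exact API format).

```python
import ipaddress

# Constructed passive DNS observations for illustration (not Farsight data).
# Each tuple: (rrname, rrtype, rdata, time_first, time_last); ISO dates compare correctly as text.
PDNS = [
    ("foo.example.com.", "A", "128.223.10.4", "2016-09-01", "2016-10-15"),
    ("foo.example.com.", "A", "198.51.100.7", "2016-10-16", "2016-10-30"),
    ("bar.example.com.", "A", "198.51.100.7", "2016-10-20", "2016-10-31"),
    ("example.com.", "NS", "ns1.example.net.", "2016-01-01", "2016-10-31"),
    ("other.test.", "NS", "ns1.example.net.", "2016-06-01", "2016-10-31"),
    ("r0lex-watches.test.", "A", "203.0.113.9", "2016-10-01", "2016-10-31"),
    ("ro1ex.test.", "A", "128.223.99.1", "2016-10-01", "2016-10-31"),
]
ADDR_TYPES = ("A", "AAAA")

def _rdata(name, rrtype):
    """All rdata values ever observed for a name with the given record type."""
    return {r[2] for r in PDNS if r[0] == name and r[1] == rrtype}

def domains_sharing_ip(domain):
    """Other names that resolved to any IP this domain has used (co-hosting pivot)."""
    ips = _rdata(domain, "A") | _rdata(domain, "AAAA")
    return sorted({r[0] for r in PDNS if r[1] in ADDR_TYPES and r[2] in ips and r[0] != domain})

def domains_sharing_ns(domain):
    """Other zones delegated to the same name servers (name-server pivot)."""
    ns = _rdata(domain, "NS")
    return sorted({r[0] for r in PDNS if r[1] == "NS" and r[2] in ns and r[0] != domain})

def ips_used_by(host, since):
    """IPs a hostname was seen resolving to on or after the ISO date `since`."""
    return sorted({r[2] for r in PDNS if r[0] == host and r[1] in ADDR_TYPES and r[4] >= since})

def hostnames_under(zone):
    """Every FQDN known to exist at or below a zone of interest."""
    return sorted({r[0] for r in PDNS if r[0] == zone or r[0].endswith("." + zone)})

def hosts_in_range(cidr):
    """Names that have resolved into an IP range, e.g. a hosting provider's block."""
    net = ipaddress.ip_network(cidr)
    return sorted({r[0] for r in PDNS if r[1] in ADDR_TYPES and ipaddress.ip_address(r[2]) in net})

# Constructed look-alike table: digits that brand abusers commonly swap for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def domains_matching_word(word):
    """Names containing a word, including typosquat spellings such as r0lex or ro1ex."""
    return sorted({r[0] for r in PDNS if word in r[0].lower().translate(HOMOGLYPHS)})
```

Each function answers one of the questions in the list; the time window in ips_used_by is what lets an analyst "turn back the clock" on a host rather than seeing only its current resolution.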

Security analysts and incident responders need access to real-time and historical passive DNS data to block their infrastructure from being used by bad actors. A historical view of passive DNS data also enables security teams to detect patterns of malicious activity and identify phishing, APT, or other targeted attacks.

According to Levi Gundert, Recorded Future’s Vice President of Intelligence and Strategy, “Farsight Security’s pDNS data is a critical component when combined with Recorded Future’s all-source intelligence, because comprehensive pDNS provides quick historical indicator insight for enhanced analysis in record time.”

Example

A recent analysis by the Recorded Future team nicely demonstrated this integration as Farsight Security helped identify a new DarkComet RAT controller.

With a minimum number of clicks, security analysts can drill down on threat actors’ networks and expose information that is related to an investigation and expand their research to those IPs and domains to block potential future attacks.

Demo

Click here to request a demo to learn more about using Farsight Security with Recorded Future.

Trial

Click here to request an API key to explore passive DNS within Recorded Future.

Farsight Security

Founded by internet pioneer Dr. Paul Vixie, Farsight Security, Inc. provides the world’s largest real-time threat intelligence on changes to the internet. Leveraging proprietary technology with over 200,000 observations per second, Farsight provides the internet’s view of an organization and how it is changing purposely, inadvertently, or maliciously.