Uncovering Suspicious Domain Access in a Company Network with Threatbook’s OneDNS and Splunk Stream

18 Jan 2024

Observability, Security

As your trusted ally in fortifying digital defences, we understand that it can be difficult to pinpoint which users have accessed dubious domains within your network. The task is harder still in a large environment where the underlying on-prem infrastructure is subject to strict limits on what may be modified. It also raises further questions: how do we classify a domain as a threat, how do we obtain a list of domains deemed malicious, and how do we use that list to identify the users in the network who have accessed them?
Recently, we received such a case. A client wanted to trace the originating IP addresses of users within their organisation who might have visited unsafe domains. The client had already deployed Splunk Cloud to collect and monitor data from various sources. However, the existing setup had no way to tell whether a domain was unsafe, and no correlation between the source IPs of users and the malicious domains they had visited. In this blog, we discuss how we built a solution that met these needs on top of their existing setup.

Streamlining Network Analysis with Splunk Stream and Threatbook’s OneDNS App

As we know, managing a large network environment with countless devices and users is no small feat, and locating the exact source IP can feel like looking for a needle in a haystack. That is why we proposed integrating the Splunk Stream app with a customised Threatbook OneDNS App. Splunk Stream captures, indexes and analyses network data in real time, giving insight into the organisation’s network traffic for threat detection, troubleshooting and performance monitoring. In our case we focused on the captured DNS logs, which record the domain resolutions made by users together with their source IPs. One point to check before relying on that source IP: Stream must capture traffic on the segment where clients send their queries, that is between the endpoints and the internal recursive resolver. A capture taken between the resolver and the internet records only the resolver’s address as the source, not the user’s. To improve the accuracy of the data we also used the Splunk add-on URL Toolbox, which parses URLs and domain names against the public suffix list, so that a query for a sub-domain is reduced to its registered domain and top-level domain before any comparison is made.

At this point, looking at the Stream DNS logs alone, there is still no way to tell whether a user has accessed an unsafe domain. This is where the OneDNS app comes in: it categorises the collected information and carries out the correlation. In general, OneDNS is a DNS-based Secure Web Gateway built on threat intelligence that aims to deliver secure internet access for organisations. It detects newer network threats such as malicious cryptomining, ransomware, phishing, APT attacks and more. It determines the safety of websites through several methods, one being a constantly updated cloud database holding a large volume of threat intelligence: known malicious websites, domains, IP addresses and indicators of compromise. Other methods include behavioural analysis and reputation analysis to detect malicious patterns on websites, flagging those with known malicious behaviour as unsafe.

How to install the apps?

The Splunk Stream app is available on Splunkbase, and the deployment method depends on your Splunk architecture. For example, to deploy Splunk Stream on a managed Splunk Cloud deployment you may need to contact your Splunk Cloud account team; the installation typically involves a search head and an indexer. The OneDNS app is a private app that we introduced specifically for this client; for information on obtaining and installing it, please contact us at enquiry@vsceptre.com.

As mentioned, the OneDNS app is designed to read data from Splunk Stream and perform the comparison and correlation. It searches the Stream index for events whose domain field matches a value in the OneDNS threat intelligence database. Each match indicates potential suspicious activity, and the record is marked as a detection of malicious domain access within the company network, together with the source IP that made the query. The comparison is made on the registered domain produced by URL Toolbox rather than on the raw query string, so that a sub-domain of a listed domain is caught while a look-alike name that merely contains a listed domain as a substring is not. To give the client a personalised experience, we also built a dedicated dashboard aligned with their requirements and configured alerts so that they receive timely notifications. This lets them reach the specific insights they need quickly, respond promptly to potential threats and take action as required.
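To make the correlation concrete, here is an added example that is not code from the original post, from Splunk, or from the OneDNS app. It reproduces outside Splunk the three steps described above: read Stream-style DNS events, reduce the queried name to its registered domain (the job URL Toolbox does inside Splunk), and match it against a threat-intelligence list to produce the source IPs that asked for each flagged domain. The events, the domains, the field names `src_ip` and `query`, and the short suffix table are all constructed assumptions for this example; a real deployment would use the Stream index, the URL Toolbox parse and the OneDNS intelligence feed.

```python
"""Correlate DNS query logs against a malicious-domain list.

Added example, not code from the original post, Splunk or OneDNS.
Field names (src_ip, query, query_type) and all sample data are assumptions.
"""
import json
from collections import defaultdict

# Constructed threat-intelligence list: registered domains, lower-case.
MALICIOUS_DOMAINS = {"bad-example.com", "phish-example.co.uk"}

# Constructed events in a JSON shape similar to what Splunk Stream emits for
# DNS. Note the trailing dot, mixed case, and a look-alike name that embeds
# a listed domain as a substring but is registered elsewhere.
SAMPLE_EVENTS = [
    '{"src_ip": "10.1.2.3", "query": "www.bad-example.com.", "query_type": "A"}',
    '{"src_ip": "10.1.2.3", "query": "cdn.Bad-Example.COM", "query_type": "A"}',
    '{"src_ip": "10.1.9.9", "query": "login.phish-example.co.uk", "query_type": "A"}',
    '{"src_ip": "10.1.5.5", "query": "bad-example.com.attacker.test", "query_type": "A"}',
    '{"src_ip": "10.1.7.7", "query": "www.example.org", "query_type": "AAAA"}',
]

# Tiny stand-in for the public suffix list that URL Toolbox uses; the real
# list has thousands of entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.hk", "co.jp", "com.au"}


def registered_domain(name: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    DNS names are case-insensitive (and some resolvers randomise case), and
    fully qualified names carry a trailing dot, so both are normalised first.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def correlate(events, intel):
    """Map each flagged registered domain to the sorted source IPs that queried it."""
    hits = defaultdict(set)
    for raw in events:
        ev = json.loads(raw)
        domain = registered_domain(ev["query"])
        if domain in intel:
            hits[domain].add(ev["src_ip"])
    return {domain: sorted(ips) for domain, ips in hits.items()}


def naive_substring_hits(events, intel):
    """The tempting but wrong approach: substring match on the raw query.

    Kept here only to show the false positive it produces for the
    look-alike 'bad-example.com.attacker.test' event.
    """
    flagged = set()
    for raw in events:
        ev = json.loads(raw)
        query = ev["query"].lower()
        if any(bad in query for bad in intel):
            flagged.add(ev["src_ip"])
    return flagged


if __name__ == "__main__":
    for domain, ips in correlate(SAMPLE_EVENTS, MALICIOUS_DOMAINS).items():
        print(f"{domain}: {', '.join(ips)}")
    print("substring approach flags:", sorted(naive_substring_hits(SAMPLE_EVENTS, MALICIOUS_DOMAINS)))
```

Running the script lists `bad-example.com` for 10.1.2.3 and `phish-example.co.uk` for 10.1.9.9 only; the substring approach additionally flags 10.1.5.5, whose query was for a domain registered under `attacker.test`. That is the reason the comparison is done on the parsed registered domain rather than on the raw query text.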

Conclusion

In conclusion, identifying users who have accessed suspicious domains within a network can be complex, particularly in large environments where infrastructure changes are restricted. Integrating the Splunk Stream app with the customised Threatbook OneDNS app offers a practical solution. Splunk Stream’s real-time capture lets organisations collect and analyse DNS logs, extracting the domain resolutions and the source IPs that made them; OneDNS threat intelligence then performs the correlation, so suspicious users are identified far more efficiently. As a result, organisations can improve their security posture, take proactive measures to protect their network infrastructure and safeguard sensitive data. This integration is a valuable asset for organisations working to maintain a robust and secure digital environment.
