Delaware, USA – November 27, 2017 – DNS Security Check Advanced for ArcSight has been released. The basic version of this use case is one of the most popular turn-key content packages in Use Case Cloud, as it provides a basis for DNS protocol monitoring: it visualizes, and automatically notifies the SIEM administrator about, every discovered misconfiguration and every packet addressed to non-corporate DNS servers. The advanced SIEM use case adds further capabilities, such as DNS traffic analysis to detect suspicious patterns. DNS Security Check Advanced lets your SIEM process DNS server logs and detect suspiciously large DNS packets or unusually long requests. Another additional feature of this use case is the automatic detection of DNS servers in your network.
Adversaries continue to use DNS tunneling in attacks to exfiltrate data or communicate with command-and-control servers. It is also worth noting that such attacks are hard to detect and are usually carried out by sophisticated threat actors. The most notorious recent attacks using this technique are the attack on a number of organizations in the US with the DNSMessenger malware, and the watering hole attack on companies that used NetSarang software (the attackers integrated the ShadowPad backdoor into a software package produced by the company; the attack was discovered because of suspicious DNS requests sent to the command-and-control servers).
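The three checks described above (packets to non-corporate DNS servers, long requests, large DNS packets) as a minimal log triage, added here as an illustration and not taken from the SOC Prime use case or ArcSight content. The log format `<src_ip> <dst_ip> <query_name> <response_bytes>`, the resolver list and the thresholds are assumptions for this example.

```python
# Added example, not part of the use case: minimal DNS log triage applying the
# three checks named in the announcement. Log format and thresholds are assumed.

CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.1.53"}  # assumed corporate DNS servers
MAX_QNAME_LEN = 100    # assumed: longer query names count as "long requests"
MAX_RESP_BYTES = 512   # assumed: larger answers count as "large DNS packets"


def check_record(line: str) -> list:
    """Return the findings for one log line (empty list means nothing suspicious)."""
    _src, dst, qname, resp_bytes = line.split()
    findings = []
    if dst not in CORPORATE_RESOLVERS:
        findings.append("non_corporate_resolver")
    if len(qname) > MAX_QNAME_LEN:
        findings.append("long_query")
    if int(resp_bytes) > MAX_RESP_BYTES:
        findings.append("large_response")
    return findings


def triage(lines) -> dict:
    """Group findings by source host so a repeat offender stands out."""
    per_host = {}
    for line in lines:
        findings = check_record(line)
        if findings:
            fields = line.split()
            per_host.setdefault(fields[0], []).append((fields[2], findings))
    return per_host


# Constructed sample log lines (not real traffic).
LONG_QNAME = "x7q9k2" * 20 + ".tunnel.example"  # 135 characters, tunnel-like label
SAMPLE_LOG = [
    "10.0.5.7 10.0.0.53 www.example.com 120",          # normal query to corporate resolver
    "10.0.5.7 8.8.8.8 www.example.com 120",            # bypasses corporate resolvers
    "10.0.5.9 10.0.0.53 " + LONG_QNAME + " 1400",      # long query, oversized answer
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_LOG).items():
        for qname, findings in hits:
            print(host, qname[:40], findings)
```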
DNS Security Check Advanced for ArcSight in UCC: https://ucl.socprime.com/use-case-library/info/187/