Passive DNS has become one of the most powerful tools in the defender's arsenal. The concept was created in 2004 to help mitigate the threat of malware but is now used for that and many other use cases. Passive DNS data can help detect when trojans have infiltrated your system and are trying to call out, can help detect and mitigate covert communications from your infrastructure, can provide insights into what known bad actors are up to, and, when correlated with other information, can provide actionable intelligence on where the next attack against your system will be coming from. It can also help mitigate “shadow domain,” “typosquatting,” and related attacks, where an adversary stands up a website at an address that looks similar to that of a legitimate organization. Passive DNS also has a role to play in mitigating phishing attacks, especially when integrated with operational enterprise solutions.
At its core, passive DNS is a database of historical DNS resolutions that can be referenced and correlated with other information. It is a repository of the history of DNS lookups, stored so that defenders can see time-stamped records of server-to-server communications. A key use case of passive DNS data is to take an IP address known to be malicious and then find all the domain names that passive DNS sensors have seen mapped to that IP address. This can help identify who is infected with malware and who is benefiting from it.
Passive DNS also helps enable near-real-time detection of fraudulent changes to the DNS system, including attacks like cache poisoning. It can also enable solutions that identify newly registered domains (which have a higher likelihood of being used for fraud). Passive DNS can contribute to solutions that thwart domain infringement or copycat fraud. It is also a great way to identify other sites and servers being used by malicious actors, and it can help identify and bring down the infrastructure that supports phishing attacks.
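The two pivots described above (reverse lookup from a known-bad IP to every name that has pointed at it, and spotting newly observed names or sudden resolution changes) are easy to see in a small passive DNS store. The following is an added example, not code from the original post or from any passive DNS vendor; it ingests a handful of constructed sensor observations (documentation-range IPs and reserved `.test`/`.example` names) and aggregates them into the usual passive DNS tuple of name, record type, resolved data, first seen, last seen and count.

```python
"""Toy passive DNS store: ingest sensor observations, then pivot on them.
Added example; the observation format and helper names are assumptions, not a real tool's API."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sensor observations (not real data): timestamp, rrname, rrtype, rdata.
# IPs come from documentation ranges; names use reserved .test / .example TLDs.
SAMPLE_OBSERVATIONS = """\
2024-03-01T10:00:00 www.example-bank.test A 203.0.113.10
2024-03-01T10:05:00 www.example-bank.test A 203.0.113.10
2024-03-02T09:30:00 mail.example-bank.test MX mx1.example-bank.test.
2024-03-03T14:00:00 cdn-update.example A 198.51.100.7
2024-03-04T14:20:00 examp1e-bank.test A 198.51.100.7
2024-03-04T14:21:00 login-examp1e-bank.test A 198.51.100.7
2024-03-05T08:00:00 www.example-bank.test A 198.51.100.7
2024-03-05T08:01:00 www.example-bank.test A 203.0.113.10
"""


@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1


class PassiveDnsStore:
    """Aggregates (rrname, rrtype, rdata) tuples with first/last-seen timestamps."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str, str], PdnsRecord] = {}

    def observe(self, seen_at: datetime, rrname: str, rrtype: str, rdata: str) -> None:
        # Normalise names so "Foo.test." and "foo.test" aggregate into one record.
        key = (rrname.lower().rstrip("."), rrtype.upper(), rdata.lower().rstrip("."))
        rec = self._records.get(key)
        if rec is None:
            self._records[key] = PdnsRecord(*key, first_seen=seen_at, last_seen=seen_at)
        else:
            rec.first_seen = min(rec.first_seen, seen_at)
            rec.last_seen = max(rec.last_seen, seen_at)
            rec.count += 1

    def ingest_lines(self, text: str) -> int:
        """Parse whitespace-separated observation lines; returns the number ingested."""
        n = 0
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, rrname, rrtype, rdata = line.split()
            self.observe(datetime.fromisoformat(ts), rrname, rrtype, rdata)
            n += 1
        return n

    def forward(self, rrname: str) -> List[PdnsRecord]:
        """Every rdata a name has resolved to, oldest first (any record type)."""
        name = rrname.lower().rstrip(".")
        return sorted((r for r in self._records.values() if r.rrname == name),
                      key=lambda r: r.first_seen)

    def reverse(self, rdata: str) -> List[str]:
        """Pivot on rdata (e.g. a known-bad IP): every name that ever pointed at it."""
        target = rdata.lower().rstrip(".")
        return sorted({r.rrname for r in self._records.values() if r.rdata == target})

    def newly_observed(self, since: datetime) -> List[str]:
        """Names whose earliest observation by any sensor is at or after `since`."""
        earliest: Dict[str, datetime] = {}
        for r in self._records.values():
            earliest[r.rrname] = min(earliest.get(r.rrname, r.first_seen), r.first_seen)
        return sorted(n for n, t in earliest.items() if t >= since)

    def resolution_changes(self, rrname: str, rrtype: str = "A") -> List[Tuple[datetime, str]]:
        """Moments when a name first pointed at rdata never seen for it before.
        A short-lived answer that differs from the long-lived one is a candidate
        signal for cache poisoning or hijack and is worth a closer look."""
        hist = [r for r in self.forward(rrname) if r.rrtype == rrtype.upper()]
        return [(r.first_seen, r.rdata) for r in hist[1:]]


def demo() -> dict:
    """Run the three pivots over the constructed sample and return the results."""
    store = PassiveDnsStore()
    store.ingest_lines(SAMPLE_OBSERVATIONS)
    return {
        "reverse_bad_ip": store.reverse("198.51.100.7"),
        "new_since_mar4": store.newly_observed(datetime(2024, 3, 4)),
        "bank_changes": store.resolution_changes("www.example-bank.test"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(label, value)
```

Treating `198.51.100.7` as the known-bad address, the reverse pivot turns one IP into four names, two of which are look-alikes of the legitimate bank name and only appeared on 4 March; the forward history of `www.example-bank.test` shows a one-minute excursion to that same IP on 5 March, which is the kind of transient change the post describes as a cache-poisoning indicator. A production store would key on sensor location too and would keep every record type (AAAA, MX, NS, TXT) the same way, as this one already does.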
The basic passive DNS architecture is a replication technique in which inter-server DNS messages are captured by sensors. When a computer asks a recursive DNS server for a lookup, the server checks its own cache but also frequently checks with the root name servers to make sure it knows who holds the data for the domain (in the graphic example below, the .com name server). After finding out who is responsible for the requested domain, it puts the requesting computer in contact with that server. Passive DNS collection with well-placed sensors sees this traffic:
One of the most powerful analyst tools leveraging passive DNS capabilities is PassiveTotal.org. They describe passive DNS as:
A system of record that stores DNS resolution data for a given location, record and time period. To best understand passive DNS, one must first understand how DNS works and the value it brings to Internet users. A good way to think about DNS is to look at the contacts application on your mobile phone. Rather than remember your friend's cell phone number, you can simply assign it to a contact name and use that to place any calls. DNS works like a contact application for the Internet. Instead of having to remember IP addresses for all the websites you wish to access, DNS makes them available using domain names which are arguably easier to remember and less likely to change.
As an example, let's take passivetotal.org. At the time of writing this page, if we query passivetotal.org, we will be returned back the IP address of 45.55.77.126. In DNS, this is known as an “A” record and is one of many different record types including, but not limited to, AAAA (IPv6), MX (mail), NS (nameserver), and TXT (text). Each record type is used for a different purpose and in theory, could be stored within a passive DNS database.
We will provide more info on how to tap into this type of data for your own analysis in the next post in this series.