Yesterday morning I was catching up on some RSS feeds[1] and came across this interesting post from Trevor at ThreatSim entitled Fighting The Advanced Attacker: 9 Security Controls You Should Add To Your Network Right Now. After reading it, I had one of those “Ah-ha” moments where I looked at one of the recommendations and asked myself, “Why am I not doing that?”

(Image: “You talking to me?”, by Ped-X-Ing)

For those of you who know me (or have ever had to get on my home WiFi), you know that I have made my home network entirely too complex for what I need it to be. Three different DMZs is a little insane, don’t you think? But I did it for a reason—so that I can talk from experience when I recommend certain controls to companies big and small. Of the nine on the list, I do many natively in my home network. The one that struck me as one I should add is logging DNS queries. Those of us in the field know that infections can be quickly detected by watching the queries your machines make throughout the day. We can cross reference certain lookups to known sites for malware or command & control traffic, and find infected hosts on a realtime basis[2].

So I did it. I already blackhole certain domains in my home DNS setup so some of the queries may return 127.0.0.1, but I can still see the original query type, contents, and originating host. In the last sevenish hours of it being active I have the following stats:

  • 500K of data in my query log
  • 7,500+ queries
  • Many from said feed aggregator that lead me to the ThreatSim post
  • 2,900+ from my main personal workstation
  • 15 unique hosts making queries
  • 1,800+ from an automated process that is clearly not making use of any internal DNS cache
  • 1,800+ from iOS devices connected to WiFi
  • ~400 from my phone system
  • None to top malware servers (though, ironically, I’m having a hard time finding good lists that I could quickly parse to keep the manual editing down)

I’ve got two nice benefits from this. I’ll have a month’s worth of logs for my own geek usage and a record of query traffic to track down any strange issues that might pop up. I can also specifically correlate this information with my DHCP lease list and see what queries non-residents perform. I can also learn which hosts or operating systems are the chattiest and build some basic trends that can help me find anomalies. On a larger scale, you can imagine how quickly the logs will grow and how much harder it will be to use this in a Big Data context to search for compromises. I’m looking forward to brushing up on my flat-file parsing skills to see what kinds of interesting information I can pull out of this!
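To show what that flat-file parsing looks like in practice, here is an added example (not code from the original post): it assumes a BIND-style query log, since the post does not say which resolver is in use, and uses constructed log lines and a hypothetical blocklist to count queries per host, flag lookups of blocklisted domains, and spot hosts re-asking the same name in a way that suggests no local cache.

```python
import re
from collections import Counter

# Constructed sample lines in BIND-style query-log format (an assumption;
# the post does not name its DNS server). Hosts and names are made up.
SAMPLE_LOG = """\
29-Dec-2011 08:01:12.001 client 192.168.1.10#51234: query: www.example.com IN A + (192.168.1.1)
29-Dec-2011 08:01:12.402 client 192.168.1.10#51235: query: mail.example.com IN MX + (192.168.1.1)
29-Dec-2011 08:01:13.003 client 192.168.1.44#40001: query: time.example.net IN A + (192.168.1.1)
29-Dec-2011 08:01:14.003 client 192.168.1.44#40002: query: time.example.net IN A + (192.168.1.1)
29-Dec-2011 08:01:15.004 client 192.168.1.44#40003: query: time.example.net IN A + (192.168.1.1)
29-Dec-2011 08:01:16.120 client 192.168.1.77#60010: query: bad.example.org IN A + (192.168.1.1)
29-Dec-2011 08:01:17.310 client 192.168.1.77#60011: query: cnc.bad.example.org IN A + (192.168.1.1)
"""

# Hypothetical blocklist; a real setup would load this from a maintained feed.
BLOCKLIST = {"bad.example.org"}

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_log(text):
    """Yield (client_ip, query_name, query_type) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            name = m.group("name").lower().rstrip(".")
            yield m.group("ip"), name, m.group("qtype")

def in_blocklist(name, blocklist):
    """True if name is a listed domain or any subdomain of one."""
    return any(name == b or name.endswith("." + b) for b in blocklist)

def queries_per_host(text):
    """How chatty each host is: total queries keyed by client IP."""
    return Counter(ip for ip, _, _ in parse_log(text))

def blocklist_hits(text, blocklist=BLOCKLIST):
    """(client_ip, name) pairs where the lookup matched the blocklist."""
    return [(ip, n) for ip, n, _ in parse_log(text) if in_blocklist(n, blocklist)]

def repeated_lookups(text, threshold=3):
    """Hosts asking for the same name repeatedly, a hint they bypass any cache."""
    counts = Counter((ip, n) for ip, n, _ in parse_log(text))
    return {k: v for k, v in counts.items() if v >= threshold}
```

Joining the per-host counts against a DHCP lease export is then a dictionary lookup on the client IP.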

And with that, I’m going to bid you all adieu for 2011. It’s been an amazing year for security professionals, and I’m excited with the prospects of 2012.

But don’t you go anywhere! I have some fantastic guest bloggers lined up for the next two weeks. Topics to look for include ITSM, Virtualization security (this is a good one), and WAFs. Still trying to line up a few more to keep you guys going over the holidays. I hope yours are great!

This post originally appeared on BrandenWilliams.com.

  1. In a world of Twitter, I know…
  2. Sometimes more effectively than Anti-Virus can.