The use of local passive DNS in the intranet to detect the incident caused by insider

Date
2019
Publisher
University of Delaware
Abstract
To protect a company network from threats and data breaches, an organization sometimes runs its own isolated network, an intranet, instead of connecting to the outside world. Physical disconnection looks like a safe shelter because attackers cannot reach the network from outside, but it leaves one dominant attack unaddressed: the internal threat from an insider, for example an employee who is paid by a competitor. As an employee, an insider holds many privileges that can be turned into attacks. An organization that has not prepared for this threat will struggle to detect it and may never be able to determine where the attack came from. Because the intranet is disconnected from the Internet, it cannot even use external passive DNS from third-party providers. In this thesis I therefore conduct an experiment with a passive DNS tool, local passive DNS, that can be used inside the intranet as an alternative: it collects the DNS queries made in the local network so that malicious domains can be tracked.

Chapters 1 and 2 outline DNS as used in the network and passive DNS resolution. Chapter 3 presents the characteristics of the intranet, the problems caused by its disconnection from the global network, and the proposed solution, local passive DNS in the intranet. Chapter 4 demonstrates building the intranet infrastructure in a hypervisor and then explains the analysis tools, Domain Analyzer and Domain Driller, which investigate malicious domains in the collections produced by local passive DNS. Finally, chapter 5 shows the results of the collection and of the investigation targeting the malicious domains discovered in the intranet with local passive DNS and the analysis tools.
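The collection step the abstract describes, shown as an added example rather than the thesis' own Domain Analyzer or Domain Driller tools: a local passive DNS collector that ingests the internal resolver's query log, keeps first-seen/last-seen/count/client records per (name, type) pair, and flags two things an isolated intranet should never see, queries for domains on an analyst-supplied watchlist and queries for any name outside the organization's own zones. The BIND-style log format, the zone `corp.local`, the watchlist entry `badsite.example` and all log lines are constructed assumptions, not data from the thesis.

```python
"""Local passive DNS for an air-gapped intranet (added example, not the
thesis' own tooling). Collect every query the internal resolver sees, then
report names that should never appear on a disconnected network.

Assumptions: BIND9-style query log lines, an internal zone list, and an
analyst-supplied watchlist of known-bad domains. All are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

# BIND9-style query log line. The exact format is an assumption; adjust the
# pattern to your resolver. Flags after the query type are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample: two workstations querying the internal resolver 10.10.0.2.
SAMPLE_LOG = """\
28-Mar-2019 09:00:01.101 queries: info: client 10.10.1.21#51234 (fileserver.corp.local): query: fileserver.corp.local IN A + (10.10.0.2)
28-Mar-2019 09:00:05.220 queries: info: client 10.10.1.21#51235 (mail.corp.local): query: mail.corp.local IN A + (10.10.0.2)
28-Mar-2019 09:03:17.004 queries: info: client 10.10.1.44#40112 (drop.badsite.example): query: drop.badsite.example IN A + (10.10.0.2)
28-Mar-2019 09:03:18.310 queries: info: client 10.10.1.44#40113 (drop.badsite.example): query: drop.badsite.example IN A + (10.10.0.2)
28-Mar-2019 09:10:42.900 queries: info: client 10.10.1.44#40120 (exfil.attacker.example): query: exfil.attacker.example IN TXT + (10.10.0.2)
28-Mar-2019 09:11:00.000 queries: info: client 10.10.1.21#51300 (fileserver.corp.local): query: fileserver.corp.local IN A + (10.10.0.2)
"""


@dataclass
class PdnsRecord:
    """One (name, type) pair as observed by the local resolver."""
    name: str
    qtype: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    clients: set = field(default_factory=set)


def in_zone(name, zones):
    """True if name equals, or is a subdomain of, any zone in zones."""
    return any(name == z or name.endswith("." + z) for z in zones)


class LocalPassiveDns:
    def __init__(self):
        self.records = {}  # (name, qtype) -> PdnsRecord

    def ingest(self, line):
        """Parse one log line into the store; returns the record or None."""
        m = QUERY_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        name = m["name"].lower().rstrip(".")
        key = (name, m["qtype"].upper())
        rec = self.records.get(key)
        if rec is None:
            rec = PdnsRecord(name, key[1], ts, ts)
            self.records[key] = rec
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        rec.count += 1
        rec.clients.add(m["ip"])
        return rec

    def ingest_log(self, text):
        """Ingest a whole log; returns the number of lines that parsed."""
        return sum(1 for line in text.splitlines() if self.ingest(line) is not None)

    def analyze(self, internal_zones, watchlist):
        """Return findings: watchlisted names, and names outside internal_zones
        (on a disconnected intranet every external name is worth a look)."""
        findings = []
        for (name, qtype), rec in sorted(self.records.items()):
            reasons = []
            if in_zone(name, watchlist):
                reasons.append("watchlist")
            if not in_zone(name, internal_zones):
                reasons.append("external-name")
            if reasons:
                findings.append({
                    "name": name, "qtype": qtype, "count": rec.count,
                    "first_seen": rec.first_seen, "last_seen": rec.last_seen,
                    "clients": set(rec.clients), "reasons": reasons,
                })
        return findings


if __name__ == "__main__":
    pdns = LocalPassiveDns()
    pdns.ingest_log(SAMPLE_LOG)
    for f in pdns.analyze({"corp.local"}, {"badsite.example"}):
        print(f"{f['name']:26} {f['qtype']:4} x{f['count']:<3} "
              f"first={f['first_seen']:%H:%M:%S} clients={sorted(f['clients'])} "
              f"reasons={f['reasons']}")
```

The client set is the part an investigator wants first: on the sample data both flagged names trace back to a single workstation, which is exactly the pivot from "a malicious domain was queried" to "which insider host queried it" that the thesis' analysis tools are meant to support.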
Keywords
Domain Name System, Intranet, Insiders, Network attacks