DMA Demo Script 1
- Pavan Raja

- Apr 8, 2025
- 5 min read
Summary:
The document "DNS Malware Analytics Use Case Demonstration Scripts" provided by Hewlett Packard Enterprise (HPE) is designed for evaluating potential malware threats through Domain Name System (DNS) analysis. It outlines several key points and alert types to identify malicious activities such as fast flux, domain generation algorithms (DGA), and connections to blacklisted domains associated with specific malware like Zeus. The document includes guidance on accessing sensitive data for demonstration purposes, including real CDC data obfuscated for privacy. Key alerts are categorized into various query types that signify potential malware infections. The tool helps assess the security posture by identifying malware-infected systems through their DNS calls and provides insights into top infecting domains and internal hosts attempting to resolve C&C servers via blacklisted domains. This method uses techniques like blacklists, DGA, frequency analysis, length of domain, and combination methods to detect malware based on DNS queries. The document serves as a guide for understanding and managing malware threats through DNS data analysis using HPE Confidential tools.
Details:
"DNS Malware Analytics Use Case Demonstration Scripts" is a guide provided by Hewlett Packard Enterprise (HPE) for evaluating potential malware threats through Domain Name System (DNS) analysis. The document, dated March 25, 2016, contains sensitive information about HPE's products and services intended only for evaluation purposes. It must be kept confidential and not shared with others without permission. The content is also subject to change at the discretion of HPE, and there are no guarantees regarding its accuracy or completeness. This document aims to assist in evaluating potential business opportunities with HPE by providing information about their products and services.
This document outlines several key points regarding HPE's proposals and business relationships:
1. **Solution Proposal Clarification**: The term "solution" used in HPE's proposal does not guarantee that the proposed products or services will meet the Customer’s requirements, as additional information may be needed for a tailored configuration.
2. **Partnership Interpretation**: The use of terms like "partner" or "partnership" indicates a collaborative relationship between parties but does not imply any formal legal or contractual partnership.
3. **Pricing Estimates Validity**: Pricing estimates provided in the document are valid for 30 days from their submission date.
4. **Document Versions and Acceptance**: If there are differences between electronic and hard copy versions of HPE's proposal, only the hard copy will be considered official unless stated otherwise. Similarly, if electronic formats differ (e.g., PDF vs. other), the PDF version alone will constitute the valid proposal.
5. **Communication and Resolution of Issues**: Any concerns or issues regarding this notice should be addressed by contacting a local sales representative.
6. **Copyright and Confidentiality**: The document is copyrighted by Hewlett Packard Enterprise Development Company, L.P., and is subject to confidentiality restrictions.
7. **Use Case Demonstration Scripts**: This section provides guidance on accessing specific data for demonstration purposes, including software usage instructions (e.g., browser preference for optimal display) and the nature of the data being used (real CDC data obfuscated for privacy).
In summary, this document serves to clarify expectations regarding HPE's offerings, the collaborative relationship between parties, and procedures for handling differences in proposal versions or issues arising from the use case demonstration scripts.
This document outlines a method for analyzing DNS data related to potential malware infections, specifically focusing on malicious activities such as fast flux, domain generation algorithms (DGA), and connections to blacklisted domains associated with specific malware types like Zeus. The analysis involves examining alert types that are triggered based on the number of DNS events involving client IPs attempting contact or being contacted by malicious domains.
The alerts can be categorized into several types:
1. **Query Long**: Triggered when clients make numerous queries to domains with long names, potentially for data extraction.
2. **Query NX DGA**: Occurs when a client queries domains that appear to be generated by a domain generation algorithm (DGA) and receives no answer (the names do not resolve), suggesting potential fast flux or other malicious activity.
3. **Query Resp DGA**: Triggered when clients make numerous queries to domains created by a DGA and at least one successful connection (fast flux contact) is detected.
4. **Query Many BL**: Indicates that clients attempted to connect to multiple blacklisted domains.
5. **Query FBIZeusSink**: Alerts for connections to domains associated with Zeus malware, as flagged by the FBI.
6. **Query >50% BL**: Triggered when more than 50% of connections made by clients are to blacklisted domains.
7. **Query 1st BL**: Indicates a possibly infected client attempting to connect to a first-time blacklisted domain.
The document also provides guidance on how to use the DNS Malware Analytics tool, which helps in assessing security posture by identifying malware-infected systems through their DNS calls. The main feature is the "Top Infecting Domains" section of the dashboard, which shows the most queried Command and Control (C&C) servers by infected systems within an environment. Additionally, it highlights the top internal hosts attempting to resolve these C&C servers via queries to blacklisted domains, with line thickness indicating higher call volumes.
Overall, this document serves as a guide for understanding and managing malware threats through DNS data analysis using HPE Confidential tools.
The provided text gives an overview and detailed explanation of DNS Malware Analytics, focusing on malware types, alert types, blacklisted domains, and the querying process. It includes explanations for various alert types such as Query Long Domains, Query NX DGA, Query Resp DGA, Query Many BL, Query FBIZeusSink, and Query >50% BL, providing insights into what these alerts signify in terms of malware infection and malicious activities. The text also describes the visualization tools like pie charts that show the percentage of queries made to blacklisted domains and highlights key information displayed on the alert types page when you "drill down" into specific alert categories. This breakdown is designed to help users understand the nature of the threats detected by DNS Malware Analytics and how they should respond to potential malware infections based on the type of alert triggered.
The script provides an overview of alerts with details such as alert types, top internal hosts, IP classes & subnets, and export functionality. Users can explore specific alerts to gather more information about client IPs, including hostname, malicious domains requested, and malware breakdown. Additionally, users have the capability to utilize DNS Finder for detailed analysis of infecting domains or C&C Servers that internal hosts are connecting to. This feature allows for a comprehensive view of network activity, helping in identifying potential threats and understanding the connectivity patterns within the network.
The text describes a method for detecting malware through DNS calls, focusing on malicious domains that computers may connect to. It involves copying and pasting the "Client IP" into a search tool to find other domains it is connecting to, indicating potential malware activity. This process is referred to as DNS Malware Analytics. Key techniques used in this analysis include:
1. **Blacklists**: These are lists populated by HP Security Research or user input, which help identify various types of malware.
2. **DGA (Domain Generation Algorithm)**: This technique detects if the domain was generated randomly, often a sign of malware behavior.
3. **Frequency Analysis**: By analyzing the number of communication events over time, this method can detect malware by its command and control activities.
4. **Length of Domain Analysis**: Assessing the randomness and length of domains is used to detect data exfiltration or other malicious intent.
5. **Combination Techniques (DGA, Frequency Analysis, Length of Domain)**: Using multiple methods together provides a comprehensive approach to detecting malware.
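As an added example (not code from the HPE document or its tool), the following Python script implements the detection techniques listed above and maps a client's DNS events onto the alert types described earlier on this page (Query Long, Query NX DGA, Query Resp DGA, Query Many BL, Query FBIZeusSink, Query >50% BL, Query 1st BL), then ranks "top infecting domains" the way the dashboard section describes. The DNS log lines, blacklists, thresholds and the DGA heuristic (entropy and vowel ratio of the leftmost label) are all constructed assumptions for illustration; the real product's feeds, thresholds and scoring are not on the page.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample DNS log: (timestamp_seconds, client_ip, queried_name, response_code).
# Hosts, names and lists are invented for this example; none of this is HPE or CDC data.
EVENTS = [
    # 10.0.0.5: same blacklisted name every 60 s (beacon-like), plus one benign lookup
    (0, "10.0.0.5", "update.evil-example.test", "NOERROR"),
    (60, "10.0.0.5", "update.evil-example.test", "NOERROR"),
    (120, "10.0.0.5", "update.evil-example.test", "NOERROR"),
    (180, "10.0.0.5", "update.evil-example.test", "NOERROR"),
    (200, "10.0.0.5", "www.example.com", "NOERROR"),
    # 10.0.0.7: random-looking labels, three unresolved (NXDOMAIN) and one that resolved
    (10, "10.0.0.7", "xk3j9qzt7vbw2lmn.test", "NXDOMAIN"),
    (20, "10.0.0.7", "q8z2pw7yvk4tmxrb.test", "NXDOMAIN"),
    (30, "10.0.0.7", "zp9kx3tq7wlmv2rb.test", "NXDOMAIN"),
    (40, "10.0.0.7", "m7vq2kx9tzp3wlrb.test", "NOERROR"),
    # 10.0.0.9: very long query names, the pattern the text ties to data extraction
    (5, "10.0.0.9", "a" * 40 + ".exfil-example.test", "NOERROR"),
    (6, "10.0.0.9", "b" * 40 + ".exfil-example.test", "NOERROR"),
    (7, "10.0.0.9", "c" * 40 + ".exfil-example.test", "NOERROR"),
    (8, "10.0.0.9", "www.example.com", "NOERROR"),
    # 10.0.0.11: several distinct blacklisted names, one on the Zeus list, among benign traffic
    (0, "10.0.0.11", "cnc1.bad-example.test", "NOERROR"),
    (7, "10.0.0.11", "cnc2.bad-example.test", "NOERROR"),
    (100, "10.0.0.11", "cnc3.bad-example.test", "NOERROR"),
    (101, "10.0.0.11", "zeus-sink.example.test", "NOERROR"),
    (450, "10.0.0.11", "mail.example.com", "NOERROR"),
    (460, "10.0.0.11", "mail.example.com", "NOERROR"),
    (900, "10.0.0.11", "mail.example.com", "NOERROR"),
    (901, "10.0.0.11", "mail.example.com", "NOERROR"),
]
BLACKLIST = {"update.evil-example.test", "cnc1.bad-example.test", "cnc2.bad-example.test",
             "cnc3.bad-example.test", "zeus-sink.example.test"}   # constructed feed
ZEUS_SINK = {"zeus-sink.example.test"}       # constructed stand-in for the FBI Zeus sinkhole list
NEW_BLACKLIST = {"cnc3.bad-example.test"}    # constructed: names added in the latest feed update

LONG_NAME_LEN, LONG_NAME_MIN = 50, 3   # assumed thresholds for "Query Long"
NX_DGA_MIN, MANY_BL_MIN = 3, 3         # assumed thresholds for "Query NX DGA" / "Query Many BL"


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_dga(qname):
    """Length/randomness heuristic on the leftmost label: long, high-entropy, vowel-poor."""
    label = qname.split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= 3.5 and vowel_ratio < 0.25


def classify_client(events, blacklist, zeus_sink, new_blacklist):
    """Map one client's DNS events onto the alert types named in the text."""
    alerts = set()
    names = [q for _, _, q, _ in events]
    bl_hits = [q for q in names if q in blacklist]
    dga = [(q, rc) for _, _, q, rc in events if looks_dga(q)]
    if sum(len(q) > LONG_NAME_LEN for q in names) >= LONG_NAME_MIN:
        alerts.add("Query Long")
    if sum(rc == "NXDOMAIN" for _, rc in dga) >= NX_DGA_MIN:
        alerts.add("Query NX DGA")
    if any(rc == "NOERROR" for _, rc in dga):     # a DGA name that actually resolved
        alerts.add("Query Resp DGA")
    if len(set(bl_hits)) >= MANY_BL_MIN:
        alerts.add("Query Many BL")
    if any(q in zeus_sink for q in names):
        alerts.add("Query FBIZeusSink")
    if names and len(bl_hits) / len(names) > 0.5:
        alerts.add("Query >50% BL")
    if any(q in new_blacklist for q in bl_hits):  # assumed meaning of "first-time blacklisted"
        alerts.add("Query 1st BL")
    return alerts


def beaconing(events, min_queries=4, max_cv=0.1):
    """Frequency analysis: (client, domain) pairs queried at near-constant intervals."""
    times = defaultdict(list)
    for ts, client, q, _ in events:
        times[(client, q)].append(ts)
    found = set()
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        gaps = [b - a for a, b in zip(sorted(ts), sorted(ts)[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            found.add(key)
    return found


def analyze(events, blacklist, zeus_sink, new_blacklist):
    """Return (alerts per client, top infecting domains, beaconing pairs)."""
    per_client = defaultdict(list)
    for ev in events:
        per_client[ev[1]].append(ev)
    alerts = {c: a for c, evs in per_client.items()
              if (a := classify_client(evs, blacklist, zeus_sink, new_blacklist))}
    # "Top infecting domains": blacklisted names ranked by queries from alerted clients
    top = Counter(q for _, c, q, _ in events if c in alerts and q in blacklist)
    return alerts, top.most_common(3), beaconing(events)


if __name__ == "__main__":
    alerts, top, beacons = analyze(EVENTS, BLACKLIST, ZEUS_SINK, NEW_BLACKLIST)
    for client, kinds in sorted(alerts.items()):
        print(client, sorted(kinds))
    print("top infecting domains:", top)
    print("beaconing pairs:", sorted(beacons))
```

Each technique is a separate function so its false positives can be examined on its own: the long-name check fires on `10.0.0.9` without the DGA heuristic agreeing (repeated characters have zero entropy), the blacklist ratio separates the host that talks almost exclusively to a bad domain from the one whose blacklisted lookups are a minority of its traffic, and the interval analysis singles out the one (client, domain) pair that is queried on a fixed schedule. As the page notes, this is detection only; the output is a list of hosts and domains to investigate, not a remediation.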
The text concludes by noting that this method detects systems infected with malware through their DNS queries to known malicious domains and should be considered a detection solution only. Remediation requires separate actions that are not covered by the DNS Malware Analytics process.