We’re pleased to announce Sqrrl’s latest release, version 2.7, which delivers a host of new features to the industry-leading Threat Hunting Platform. With a special focus on DNS data and the investigative power that it affords you, Sqrrl 2.7 introduces two new TTP detectors and a set of new capabilities to add to the hunting tool set. DNS logs provide information on a network’s domain resolution activity that can be used to correlate domain resolutions to internal hosts. As such, it is one of the most widely useful data types to hunt for a wide range of activities, including malware command and control and exfiltration activity.
New Detectors with simpler DNS data integration
In version 2.7 Sqrrl introduces two new TTP detectors, which discover instances of DNS tunneling and adversary use of Domain Generation Algorithms (DGA). A new source connector for Microsoft Server DNS Debug data maps log entries to the Domain and IP Address entities in Sqrrl’s linked data model, which provides the source data for these new DNS-focused detectors.
DNS Tunneling is a technique used by malware to covertly send information out of a network using DNS queries for subdomains of a registered domain under the control of a malicious actor, even if the subdomains do not exist. Information or commands can then be sent into the network via the DNS response. This technique has low bandwidth (the max size of a DNS query is 255 characters), requiring a large number of DNS queries to be sent. As encoded messages, the subdomains are typically long and appear random. Sqrrl’s new detector finds DNS Tunneling by grouping DNS traffic according to the internal endpoint making the request, and the external registered domain it is querying for. For each grouping, several factors are computed to determine the relative risk of the observed tunnel.
Domain Generation Algorithm (DGA)
Sophisticated malware uses Domain Generation Algorithms (DGAs) to defeat DNS sinkholes and blacklists. A DGA generates hard-to-predict but deterministic domain names that appear random, and the malware attempts to contact each generated domain for command and control instructions. Attackers can generate the same domain names remotely, and may register one or more of the domains on demand when they wish to activate C2. Sqrrl’s detector finds DGAs by singling out unregistered domains in DNS traffic. These domains are grouped into sessions using time series analysis, and each session is expanded to include the registered domains that were contacted during it. Each domain in the DNS traffic is then evaluated for randomness and irregularity as compared to the rest of the traffic.
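To make the two detection ideas above concrete, here is an added example (not Sqrrl’s code, and not a description of how its detectors are implemented) that runs both checks over a handful of constructed DNS log lines. It assumes a simplified log format of `<epoch> <client> <qname> <rcode>`, treats the last two labels of a name as the registered domain (a stand-in for a Public Suffix List lookup), uses a tiny constructed whitelist in place of a built-in well-known-domain list, and uses fixed thresholds rather than comparing each domain against the rest of the traffic. The tunneling check groups queries by (internal client, registered domain) and scores query count, subdomain length and character entropy; the DGA check groups NXDOMAIN responses per client into time sessions and expands each session with the domains that did resolve in the same window.

```python
"""Toy DNS-log hunting checks: tunneling and DGA scoring (added example, not product code)."""
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not real traffic): "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com NOERROR
1001 10.0.0.5 mail.example.com NOERROR
1002 10.0.0.7 a9f3k2lq0zx8vbn1m4c7.tun.exfil-example.net NOERROR
1003 10.0.0.7 z8x1c2v3b4n5m6l7k8j9.tun.exfil-example.net NOERROR
1004 10.0.0.7 q1w2e3r4t5y6u7i8o9p0.tun.exfil-example.net NOERROR
1005 10.0.0.7 h7g6f5d4s3a2p1o0i9u8.tun.exfil-example.net NOERROR
1006 10.0.0.7 l9k8j7h6g5f4d3s2a1q0.tun.exfil-example.net NOERROR
1010 10.0.0.9 cdn.example.com NOERROR
1200 10.0.0.9 xkqzvbnrtw.info NXDOMAIN
1201 10.0.0.9 pqwzmvxkrb.info NXDOMAIN
1202 10.0.0.9 tzlqvxmwkp.biz NXDOMAIN
1203 10.0.0.9 mvkxqzwprt.org NXDOMAIN
1204 10.0.0.9 zqxvkwmprl.net NOERROR
1500 10.0.0.9 www.example.com NOERROR
"""

# Constructed stand-in for a built-in list of well-known registered domains.
WHITELIST = {"example.com"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def registered_domain(qname):
    """Simplification: last two labels are the registered domain (a real tool uses the Public Suffix List)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def tunnel_candidates(records, min_queries=5, min_sub_len=16, min_entropy=3.5, whitelist=WHITELIST):
    """Group by (client, registered domain) and flag groups with many long, high-entropy subdomains."""
    groups = defaultdict(list)
    for _, client, qname, _ in records:
        reg = registered_domain(qname)
        if reg in whitelist:
            continue  # well-known domain: skip, as the whitelist option does
        groups[(client, reg)].append(qname[: -len(reg)].rstrip("."))
    findings = {}
    for key, subs in groups.items():
        if len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= min_sub_len and mean_ent >= min_entropy:
            findings[key] = {"queries": len(subs),
                             "mean_subdomain_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return findings


def dga_sessions(records, gap=60, min_nx=3, min_entropy=3.0, whitelist=WHITELIST):
    """Cluster NXDOMAIN responses per client into time sessions, then expand with resolved names."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in sorted(records):
        if rcode == "NXDOMAIN" and registered_domain(qname) not in whitelist:
            by_client[client].append((ts, qname))
    findings = []
    for client, hits in by_client.items():
        sessions, current = [], [hits[0]]
        for prev, cur in zip(hits, hits[1:]):
            if cur[0] - prev[0] > gap:  # silence longer than `gap` starts a new session
                sessions.append(current)
                current = []
            current.append(cur)
        sessions.append(current)
        for sess in sessions:
            if len(sess) < min_nx:
                continue
            start, end = sess[0][0], sess[-1][0] + gap
            # Expansion step: registered names this client did resolve inside the session window.
            resolved = sorted({q for ts, c, q, r in records
                               if c == client and r == "NOERROR" and start <= ts <= end
                               and registered_domain(q) not in whitelist})
            mean_ent = sum(shannon_entropy(q.split(".")[0]) for _, q in sess) / len(sess)
            if mean_ent >= min_entropy:
                findings.append({"client": client, "nxdomain_count": len(sess),
                                 "mean_entropy": round(mean_ent, 2),
                                 "resolved_in_window": resolved})
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunnel candidates:", tunnel_candidates(recs))
    print("DGA sessions:", dga_sessions(recs))
```

On the constructed input the tunneling check flags only the 10.0.0.7 / exfil-example.net group (five queries, 24-character subdomains, entropy above 4 bits), and the DGA check reports one session for 10.0.0.9 with four NXDOMAIN responses and `zqxvkwmprl.net` as the name that resolved inside that window; the example.com lookups are dropped by the whitelist before either score is computed. The thresholds are arbitrary and would need tuning against a baseline of the network’s own traffic.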
Whitelisting of common registered domains and DNS hunting reports
To reduce the number of false positives for these new DNS-related detectors, and also reduce the burden of whitelisting known domains, Sqrrl comes with a large built-in whitelist of common domains. The list is from the Alexa top 1000 domain list. On the detector details panel for the DNS tunnel and DGA detectors, the Ignore well-known registered domains checkbox determines whether the detector uses the built-in whitelist.
To provide additional insights and starting points for hunts, Sqrrl 2.7 also introduces reports focused on DNS data, such as Least common public domain suffix or Longest observed domain names. These reports are customizable, so hunters can focus on whatever information might assist them in investigating and resolving hunting hypotheses they develop.
As with all Sqrrl product releases, we’ve added numerous enhancements and improvements that simplify data integration, streamline analysts’ workflows, and provide better insights. We encourage you to take a test drive and see Sqrrl 2.7 in action for yourself!