SecureDNS and Threat Intelligence

By Lex Crielaars, Chief Technology Officer at SMT.


Threat Intelligence is the collective term for the different types of IoCs, or Indicators of Compromise. IT security organizations offer Threat Intelligence streams, often commercially, to organizations to assist in the detection of Advanced Persistent Threats (APTs). In the simplest form, this involves lists of IP-addresses and domain names for which we have reason to believe that they are used by cyber criminals for fraudulent purposes such as a botnet or for distributing malware.


Threat Intelligence can also consist of the file hashes of known programs (such as Mimikatz) used by hackers or the file hashes of viruses, malware and ransomware. With this information, endpoint protection software can quickly and efficiently determine whether this software is present anywhere on a system. The term IoC stems from the assumption that if an organization detects an IP-address, URL or file hash from a Threat Intelligence stream in the infrastructure, this is an indicator that a security breach is in progress.


What is SecureDNS?

To explain SecureDNS, we first explain “normal” DNS. Computers don’t understand anything about website addresses. When you go to a website, this address is converted to the corresponding IP-address, so that the computer can find the website on the internet. Since people are generally bad at remembering IP-addresses, DNS has been created to do this for us. A DNS server converts a domain name, such as, into an IP-address, so that you can access our website. In fact, this means that every connection that a computer enters with another system is preceded by a DNS request. DNS servers keep track of all these requests in the logging and are therefore a valuable source for security use cases. The disadvantage is that it often involves a lot of data that needs to be checked, which is why Threat Intelligence is a valuable addition. By comparing Threat Intelligence streams containing domain names and IP-addresses of malicious origin with the actual DNS requests that take place in your organization, we make it possible to detect APTs in time.



The link between a website address and IP-address can of course be broken or moved. Malicious groups also make use of this to quickly move malware-spreading servers. For example, static lists with “bad IP-addresses” are missing out because they are not updated quickly enough. This is often the difference between free Threat Intelligence as opposed to commercially available Threat Intelligence.

SecureDNS solves this problem by comparing all your DNS requests in real time with Threat Intelligence from mnemonic’s Argus Defense Platform. Argus handles more than 3 billion events every day and distils which IP-addresses and websites can and cannot be trusted. This way you get the most up-to-date protection for all your internet traffic.


Security Information and Event Management (SIEM)

To correlate Threat Intelligence with DNS logging, a SIEM is required. Splunk Enterprise Security already has a Threat Intelligence framework built in. This makes it possible to import Threat Intelligence directly into Splunk. From here standard security use cases are available that take care of correlating Threat Intelligence with DNS and web proxy logging. When the correlation sees a match, there is automatically a notable event in Enterprise Security that the SOC analyst can zoom in and act on.


Security orchestration, automation & response (SOAR)

When the SOC analyst can confirm that a domain name or IP-address is actually used in a hackers campaign, we get more options. The notable event will be escalated into a security case and the associated runbook will be triggered. The domain name can be blocked on the web proxy and the IP-address can be closed on the firewall. We can also tell the DNS server that it can no longer handle this specific domain name and IP-address and must throw all requests in the trash. This I called a sinkhole. Normally these are manual actions for the SOC analyst. Execution of the runbook takes on average 40 to 45 minutes and during this time more users can be infected. Automating this process falls within the domain of SOAR in which Splunk Phantom is active. With this we reduce the execution of a runbook to 60 seconds. Not only is the SOC analyst significantly more efficient in his work, but the organization is also protected against the threat significantly faster.



Smart organizations use all the resources they have at their disposal. SMT is happy to help you meet this challenge and has the right experience and resources in the field of services and products to strengthen your digital resilience.

Want to know more? Contact our Information Security Experts.


June 2019