(10) Unusual DNS, IoCs, And Evidence

Question 1

Considering unusual DNS traffic, what types of things should security professionals focus on when monitoring for such things?

Answer 1

Abnormal levels of DNS queries, specifically unusual domain names

Unusual domain name queries, often to randomly generated or machine generated host names like jku845.com

Large numbers of DNS query failures that could indicate use of automatically generated DNS names embedded in malware

Question 2

Describe how Indicators of Compromise (IoC) need to be used to help detect an issue on a system?

Answer 2

IoCs often need to be combined in order to figure out that there is an issue or where the issue is coming from. IoCs don’t occur in isolation.

Question 3

When it comes to forensic evidence, describe Preservation and chain of custody

Answer 3

Preservation is all about getting the data in custody and preserving it securely and in a documented way.

Chain of custody is about documenting how data travels and changes hands throughout the entire process of the investigation. Chain of custody makes sure that evidence is not modified

Question 4

in terms of evidence, describe a legal hold and validating data integrity

Answer 4

Legal holds are all about preserving data in the event that it may be called upon to be used in a legal case of some kind. Orgs may proactively put legal holds on their own data if they think a lawsuit is coming

Validating data integrity is very important as it makes sure that the data has not been inadvertently changed or deleted. Hashing is often used to preserve data because a hash verifies that the copy of data that is being used is the real thing and not an altered copy