
DNS Query Failures Anomaly Report

by David Schwalenberg
March 17, 2015

The Domain Name System (DNS) protocol translates (or "resolves") human-friendly Internet domain names into IP addresses. Once malware has infected a system, it often carries a hard-coded list of domains that it attempts to contact in rapid succession for further instructions. This "beaconing" can be detected by monitoring for spikes in failed DNS queries: many of the hard-coded domains may no longer exist, so the lookups for them fail.

Tenable's Passive Vulnerability Scanner (PVS) can detect failed DNS queries and forward those detections via syslog to the Log Correlation Engine (LCE). LCE can then summarize these events and perform statistical analysis, triggering anomaly events if warranted.

This report highlights hosts that show such anomalies in failed DNS query activity, and summarizes the domains those hosts were trying to resolve. An analyst can use this report to discover hosts infected with beaconing malware. Other activity, such as hosts attempting to reach suspicious sites or DNS tunneling, may also be detected with this report.
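The detection described above (a per-host spike in failed lookups, followed by a summary of the names that host was trying to resolve), as an added example in Python. This is not PVS or LCE code; it assumes DNS responses are available as (timestamp, client, queried name, response code) records, for example parsed from resolver logs, and the sample records, the k-sigma baseline and the absolute floor are all constructed here for illustration.

```python
"""Spike detection over failed DNS queries.

Added example, not Tenable's PVS/LCE code. It assumes DNS responses are
available as (timestamp, client IP, queried name, rcode) records, e.g. parsed
from resolver logs; the field layout and the sample data are constructed here.
Per client, failed lookups are counted per fixed time window; a window whose
count exceeds the client's own baseline (mean + k * stddev of the previous
windows) and an absolute floor is reported, together with the names the client
was trying to resolve in that window.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Response codes treated as a failed resolution.
FAILURE_RCODES = {"NXDOMAIN", "SERVFAIL", "REFUSED"}


def build_sample_log():
    """Constructed DNS response records: (epoch seconds, client, qname, rcode)."""
    log = []
    # 10.0.0.5: one stale-name failure per minute for ten minutes (typical
    # background noise), then a burst of 40 failures in minute 10 against a
    # small rotating set of names, the pattern described for beaconing malware.
    for minute in range(10):
        log.append((minute * 60 + 5, "10.0.0.5", "oldwiki.corp.example", "NXDOMAIN"))
        log.append((minute * 60 + 20, "10.0.0.5", "www.corp.example", "NOERROR"))
    for i in range(40):
        log.append((600 + i, "10.0.0.5", f"node{i % 8}.beacon.invalid", "NXDOMAIN"))
    # 10.0.0.7: a steady two failures every minute, which is noisy but not a spike.
    for minute in range(11):
        log.append((minute * 60 + 1, "10.0.0.7", "printer.corp.example", "NXDOMAIN"))
        log.append((minute * 60 + 30, "10.0.0.7", "wpad.corp.example", "SERVFAIL"))
    return log


def bucket_failures(records, window_seconds=60):
    """Group failed lookups as {client: {window_index: Counter(qname)}}."""
    buckets = defaultdict(lambda: defaultdict(Counter))
    for ts, client, qname, rcode in records:
        if rcode in FAILURE_RCODES:
            buckets[client][int(ts // window_seconds)][qname] += 1
    return buckets


def detect_anomalies(buckets, k=3.0, min_baseline_windows=5, min_count=10, top_n=5):
    """Flag windows where a client's failed-query count spikes above its baseline.

    The baseline is rebuilt from the client's earlier, non-anomalous windows
    (windows with no failures count as zero). min_count is an absolute floor so
    that a client whose baseline is a constant handful of failures is not
    flagged for one extra typo.
    """
    anomalies = []
    for client, windows in buckets.items():
        first, last = min(windows), max(windows)
        history = []
        for w in range(first, last + 1):
            names = windows.get(w, Counter())
            count = sum(names.values())
            if len(history) >= min_baseline_windows:
                threshold = max(mean(history) + k * pstdev(history), min_count)
                if count > threshold:
                    anomalies.append({
                        "client": client,
                        "window": w,
                        "count": count,
                        "threshold": threshold,
                        "top_domains": names.most_common(top_n),
                    })
                    continue  # keep the spike out of the baseline
            history.append(count)
    return anomalies


if __name__ == "__main__":
    for a in detect_anomalies(bucket_failures(build_sample_log())):
        print(f"{a['client']} window {a['window']}: {a['count']} failures "
              f"(threshold {a['threshold']:.1f})")
        for name, n in a["top_domains"]:
            print(f"    {n:4d}  {name}")
```

Run as-is, the script reports only 10.0.0.5 in window 10 (40 failures against a threshold of 10), listing the eight rotating names; 10.0.0.7's constant two failures per minute never cross the floor. The domain summary is what lets an analyst tell a beaconing host from one with a misconfigured search suffix: the former cycles through many unrelated names, the latter fails the same one or two names over and over.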

The report is available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets, under the category Monitoring. The report requirements are:

  • SecurityCenter 4.8.2
  • PVS 4.2.0
  • LCE 4.4.1

Tenable's SecurityCenter Continuous View (SecurityCenter CV) is the market-defining continuous network monitoring platform. SecurityCenter CV includes active vulnerability detection with Nessus and passive vulnerability detection with Tenable's Passive Vulnerability Scanner (PVS), as well as log correlation with Tenable's Log Correlation Engine (LCE). Using SecurityCenter CV, an organization will obtain the most comprehensive and integrated view of its network.

The following chapters are included in the report:

  • Executive Summary - This chapter gives a high-level overview of the anomalies in failed DNS query activity detected on the network. Spikes in the number of failed DNS queries are not normally expected and should be investigated; they may indicate beaconing malware or other suspicious activity.
  • DNS Query Failure Anomalies - This chapter presents the hosts with anomalous counts of failed DNS queries, and gives information on the domains those hosts were trying to resolve. An analyst can use this information to discover hosts attempting to reach suspicious sites, or malware attempting to beacon out.