MULTIVARIATE SOLUTIONS TO EMERGING PASSIVE DNS CHALLENGES, presented at Black Hat Asia 2016

by Paul A. Vixie

Summary: These days, most threat intelligence analysts know how to use passive DNS to pivot on initial indicators: given one bad domain, they routinely use passive DNS to identify other domains that share its IP addresses, its name servers, and so on.
Less discussed are the corner cases that make simple passive DNS methods hard to employ successfully. For example, if a domain's name servers are shared with 100,000 other domains (including many legitimate domains!), "guilt by association" based solely on name server commonality becomes unreliable: the shared attribute is too common to say anything about any one domain.
Fortunately, it is still possible to identify related bad domains by combining passive DNS with various other attributes, rather than focusing on a single screening factor such as shared name servers. Audience members will learn about the emerging challenges to using passive DNS and specific steps they can take to overcome them.
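As an added worked example (not from the talk or its author), the following Python model contrasts the two approaches the abstract describes: a naive single-factor pivot on shared name servers, and a multivariate score that weights each attribute shared with the seed domain by how rare that attribute is across the whole record set. Every record, domain name and address is a constructed assumption under the reserved .example TLD and the documentation address ranges; the inverse-frequency weighting is one possible scoring rule, chosen here for illustration, and a production scorer would also use timestamps and observation counts that real passive DNS data carries.

```python
import math
from collections import defaultdict

# Constructed passive-DNS records in the shape (rrname, rrtype, rdata).
# None of these names or addresses are real; they exist only to show the
# "popular name server" failure mode described in the abstract.
SEED = "bad-seed.example"
SHARED_NS = "ns1.bigdns.example"  # hypothetical hoster used by ~100k domains


def build_records(n_legit=100_000):
    """Return a constructed record set: the seed, two genuinely related
    domains, one unrelated shop, and n_legit legitimate domains that merely
    share the popular name server with the seed."""
    records = [
        (SEED, "A", "198.51.100.7"),
        (SEED, "NS", SHARED_NS),
        (SEED, "NS", "ns2.bigdns.example"),
        # Related: shares the rare IP and both name servers.
        ("bad-sibling.example", "A", "198.51.100.7"),
        ("bad-sibling.example", "NS", SHARED_NS),
        ("bad-sibling.example", "NS", "ns2.bigdns.example"),
        # Related: shares only the rare IP.
        ("bad-cousin.example", "A", "198.51.100.7"),
        ("bad-cousin.example", "NS", "ns1.otherdns.example"),
        # Unrelated: shares only the popular name server.
        ("shop.example", "A", "203.0.113.20"),
        ("shop.example", "NS", SHARED_NS),
    ]
    for i in range(n_legit):
        name = f"legit{i}.example"
        records.append((name, "A", f"203.0.113.{i % 254 + 1}"))
        records.append((name, "NS", SHARED_NS))
    return records


def build_index(records):
    """Map each (rrtype, rdata) attribute to the domains carrying it, and each
    domain to its attributes. Names are lower-cased: DNS is case-insensitive."""
    by_attr = defaultdict(set)
    by_domain = defaultdict(set)
    for rrname, rrtype, rdata in records:
        attr = (rrtype.upper(), rdata.lower())
        by_attr[attr].add(rrname.lower())
        by_domain[rrname.lower()].add(attr)
    return by_attr, by_domain


def single_factor_pivot(by_attr, by_domain, seed, rrtype):
    """Naive pivot: every other domain sharing any record of `rrtype` with the
    seed. With a popular name server this returns the whole hoster."""
    out = set()
    for attr in by_domain[seed]:
        if attr[0] == rrtype:
            out |= by_attr[attr]
    out.discard(seed)
    return out


def multivariate_pivot(by_attr, by_domain, seed, min_score=1.0):
    """Score each candidate by the sum, over attributes it shares with the
    seed, of log(total_domains / fan_out(attribute)). An attribute carried by
    nearly every domain (the popular name server) contributes almost nothing;
    a rare one (an IP used by three domains) contributes a lot. Returns
    (domain, score) pairs with score >= min_score, best first."""
    total = len(by_domain)
    scores = defaultdict(float)
    for attr in by_domain[seed]:
        weight = math.log(total / len(by_attr[attr]))
        for dom in by_attr[attr]:
            if dom != seed:
                scores[dom] += weight
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(d, round(s, 3)) for d, s in ranked if s >= min_score]


if __name__ == "__main__":
    by_attr, by_domain = build_index(build_records())
    naive = single_factor_pivot(by_attr, by_domain, SEED, "NS")
    print(f"single-factor NS pivot: {len(naive)} candidates")
    for dom, score in multivariate_pivot(by_attr, by_domain, SEED):
        print(f"multivariate: {dom} score={score}")
```

The naive name-server pivot returns 100,002 candidates, almost all of them the legitimate hoster customers, while the weighted score keeps only the two domains that also share the rare address and second name server. The same indexing works for any attribute pair (CNAME targets, MX hosts, SOA contacts) once the records are in the index; the weighting rule, not the attribute, is what suppresses the shared-infrastructure noise.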