DNS Miner - A Semi-Automatic Incident Response and Threat Intelligence Tool for Small, Overworked Security Teams

DerbyCon V - Unity

Presented by: Doug Leece, AJ Leece
Date: Sunday September 27, 2015
Time: 10:00 - 10:50
Location: Track 2
Track: Fix Me

In recent years the rise of modern malware has led managers to question how secure their environments are against a variety of attackers. Because an administrator's time is typically constrained, a toolset must provide increased visibility and ease of use while generating information that is valuable to technical and business stakeholders alike. IP address information alone is not adequate, since modern attacks typically leverage DNS to hide in low-cost hosted environments. DNS Miner seeks to provide visibility into an organization's DNS activity. By combining up-to-date threat intelligence feeds with the ability to compare existing endpoint DNS activity against newly blacklisted entries, DNS Miner can minimize the time needed to investigate potential incidents, allowing administrators to determine more accurately which endpoints have accessed potentially malicious domains without disclosing that information outside the organization. The toolset was designed to be highly customizable by security administrators, giving them greater control over its functionality and reporting capabilities so that these align with business objectives. Effective incident response also requires containment mechanisms for newly identified security incidents that may be unique to the organization, i.e., that appear on no common public threat intelligence feed.
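The core workflow the abstract describes, retrospective matching of endpoint DNS queries against a newly received blocklist and local containment of indicators, can be illustrated with a small script. The following is an added example written for this page; it is not DNS Miner's code and does not reflect how the tool is implemented. It assumes BIND-style query-log lines and a one-domain-per-line feed, both constructed inline here, and it renders containment as RPZ-style NXDOMAIN records that an organization could load into its own resolver without sending anything to a third party.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed BIND-style query log lines (sample data, not real traffic).
SAMPLE_QUERY_LOG = """\
27-Sep-2015 09:58:01.120 client 10.20.30.41#51342: query: www.example.com IN A + (10.20.30.1)
27-Sep-2015 09:58:02.331 client 10.20.30.41#51343: query: cdn.update-check.example.net IN A + (10.20.30.1)
27-Sep-2015 09:58:05.007 client 10.20.30.57#40011: query: beacon.badhost.example.org IN A + (10.20.30.1)
27-Sep-2015 09:58:09.884 client 10.20.30.41#51350: query: a1.beacon.badhost.example.org IN TXT + (10.20.30.1)
27-Sep-2015 09:58:12.402 client 10.20.30.99#61000: query: mail.example.com IN MX + (10.20.30.1)
27-Sep-2015 09:59:40.100 client 10.20.30.57#40012: query: notbadhost.example.org IN A + (10.20.30.1)
"""

# Constructed blocklist in the shape a feed would deliver it: one domain per line, '#' comments.
SAMPLE_BLOCKLIST = """\
# constructed feed for illustration, not a real indicator set
badhost.example.org
update-check.example.net
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_blocklist(text):
    """Return the set of blocklisted domains, lower-cased, without trailing dots."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            domains.add(line)
    return domains


def matching_indicator(qname, blocklist):
    """Return the blocklist entry covering qname (exact or any parent domain), else None.

    Matching is label-based, so 'notbadhost.example.org' does not match
    'badhost.example.org' while 'a1.beacon.badhost.example.org' does.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each well-formed log line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole run
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
        yield ts, m.group("client"), m.group("qname"), m.group("qtype")


def find_hits(log_text, blocklist):
    """Map each client IP to the indicators it resolved, with first/last seen, count and names."""
    hits = defaultdict(dict)
    for ts, client, qname, qtype in parse_query_log(log_text):
        indicator = matching_indicator(qname, blocklist)
        if indicator is None:
            continue
        rec = hits[client].setdefault(
            indicator, {"first": ts, "last": ts, "count": 0, "qnames": set()})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["count"] += 1
        rec["qnames"].add(qname)
    return dict(hits)


def rpz_records(domains, action="CNAME ."):
    """Render RPZ-style records that return NXDOMAIN for each domain and its subdomains.

    These are relative owner names for inclusion in a local response-policy zone;
    the same function serves organization-specific indicators absent from public feeds.
    """
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} {action}")
        lines.append(f"*.{d} {action}")
    return lines


if __name__ == "__main__":
    blocklist = parse_blocklist(SAMPLE_BLOCKLIST)
    for client, indicators in sorted(find_hits(SAMPLE_QUERY_LOG, blocklist).items()):
        for indicator, rec in sorted(indicators.items()):
            print(f"{client} -> {indicator}: {rec['count']} queries, "
                  f"{rec['first']} .. {rec['last']}, names={sorted(rec['qnames'])}")
    print("\n".join(rpz_records(blocklist)))
```

The label-based match matters in practice: a naive substring or `endswith` check would flag `notbadhost.example.org` for the indicator `badhost.example.org`, and a purely exact match would miss the `a1.beacon.` subdomain that a beaconing implant typically varies. Keeping the per-client first-seen and last-seen timestamps is what lets a responder scope an incident from logs already on hand the moment a feed adds a new entry.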

Doug Leece

AJ Leece

