DIY DNS DFIR: You’re Doing it WRONG

DNS is one of those protocols that we, as DFIR practitioners, take for granted. Operationally, if DNS resolution is working properly, we’re happy. Many organizations, however, fail to utilize DNS logs and associated intelligence within their response and investigative activities. This is in part due to the perceived lack of value associated with DNS logs and its associated features, such as name server, WHOIS, and hosting information, and more often due to the unavailability of the logs. This talk will present several tools (both commercial and open source) to help manage the deluge of information on even the smallest of budgets. We will also discuss how to enrich your data with valuable intelligence from freely available sources. Finally, this talk will highlight some real-world investigative techniques where DNS and its associated features were
used to add clarity to DFIR investigations.

Andrew Hay, CISO, DataGravity, Inc.

Andrew Hay
DataGravity, Inc. @andrewsmhay
Andrew Hay is the CISO at DataGravity where he is responsible for the development and delivery of the company’s comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS (acquired by Cisco) and was the Director of Applied Security Research and Chief Evangelist at CloudPassage.