Passive DNS Monitoring – Why It’s Important for Your IR Team

DNS is an unsung hero among protocols during a network investigation. It’s almost universally used by other protocols such as HTTP, SMTP, and the like. It’s also a plaintext protocol, which can benefit an incident responder who cannot otherwise examine the contents of an encrypted connection. However, passive DNS monitoring (also known as DNS logging) […]

Detection Profile: Silent Periodic Activity

One hallmark for many malware events is the regular periodic behavior they present when rallying for and checking in with their command and control servers. The check-in interval can be a very useful metadata point in hunting an adversary. However, the constant state of change that attackers can use for their own infrastructure makes this […]

What Red Canary Detects, Part II: Suspicious Activity

At the risk of oversimplifying the threats and threat actors that organizations face, I’m going to assume for purposes of this article that they fall into one of two broad categories: opportunistic and targeted.

Opportunistic Attacks

Opportunistic attackers land where they land and attempt to extract as much value from each victim as they can […]