Microsoft Sentinel SOC 101: How to Detect and Mitigate a DNS Spoofing Attack with Microsoft Sentinel
Spoof Aloof
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
DNS spoofing, also known as DNS cache poisoning, is a type of cyberattack that uses tampered DNS server data to redirect users to fake websites. These malicious sites often look legitimate but are actually designed to install malware onto users’ devices, steal sensitive data or redirect traffic.
DNS spoofing can have serious consequences for both users and organizations, such as compromising credentials, exposing confidential information, disrupting business operations, and damaging reputation. Therefore, it is important to detect and mitigate DNS spoofing attacks as quickly and effectively as possible.
In this post, I’ll talk about how to use Microsoft Sentinel, a cloud-native SIEM solution powered by AI and automation, to detect and mitigate DNS spoofing attacks across your entire enterprise.
What is Microsoft Sentinel?
Microsoft Sentinel is a scalable, cloud-native solution that provides:
Security information and event management (SIEM)
Security orchestration, automation, and response (SOAR)
Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat visibility, proactive hunting, and threat response.
Microsoft Sentinel has many benefits over legacy SIEM solutions, such as:
Eliminating security infrastructure setup and maintenance
Scaling elastically to meet your security needs
Reducing costs as much as 48 percent compared to legacy SIEM solutions
Collecting data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
Detecting previously undetected threats and minimizing false positives using analytics and unparalleled threat intelligence from Microsoft
Investigating threats with AI and hunting suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
Responding to incidents rapidly with built-in orchestration and automation of common tasks
How to Detect a DNS Spoofing Attack Using Microsoft Sentinel?
To detect a DNS spoofing attack using Microsoft Sentinel, you need to first connect to your data sources. Microsoft Sentinel comes with many connectors for Microsoft solutions that are available out of the box and provide real-time integration. Some of these connectors include:
Microsoft sources like Microsoft 365 Defender, Microsoft Defender for Cloud, Office 365, Microsoft Defender for IoT, and more.
Azure service sources like Azure Active Directory, Azure Activity, Azure Storage, Azure Key Vault, Azure Kubernetes Service, and more.
Microsoft Sentinel also has built-in connectors to the broader security and applications ecosystems for non-Microsoft solutions. You can also use Common Event Format (CEF), Syslog, or a REST API to connect your data sources with Microsoft Sentinel.
After you connect your data sources to Microsoft Sentinel, you can monitor your data by using the integration with Azure Monitor workbooks. Workbooks are interactive reports that provide insights into your data and enable you to create custom dashboards. You can use the built-in workbooks or create your own workbooks based on your needs.
One of the built-in workbooks that can help you detect DNS spoofing attacks is the DNS Essentials workbook. This workbook provides an overview of the DNS activity in your environment and helps you identify anomalies and potential threats. Some of the features of this workbook include:
A summary of the top domains queried by your devices
A breakdown of the DNS query types and response codes
A map of the geographic locations of the DNS servers contacted by your devices
A list of the suspicious domains that may indicate malicious activity
A timeline of the DNS events over time
You can use the filters and parameters in this workbook to customize your view and drill down into specific details. You can also use the links in this workbook to navigate to other workbooks or resources for further investigation.
How to Mitigate a DNS Spoofing Attack Using Microsoft Sentinel?
To mitigate a DNS spoofing attack using Microsoft Sentinel, you need to use the analytics rules and playbooks features. Analytics rules are the logic that runs on your data and generates alerts when certain conditions are met. Playbooks are the automated workflows that run in response to alerts or other triggers and perform actions such as sending notifications, creating tickets, running scripts, or invoking APIs.
Microsoft Sentinel provides several built-in analytics rules and playbooks that can help you mitigate DNS spoofing attacks. Some of these include:
An analytics rule that detects anomalous DNS queries from devices based on machine learning models.
An analytics rule that detects malicious domains based on threat intelligence feeds.
An analytics rule that detects DNS tunneling activity based on query length and frequency.
A playbook that blocks malicious domains by using Azure Firewall
A playbook that isolates infected devices by using Microsoft Defender for Endpoint
A playbook that sends an email notification to the security team with relevant details
You can also create your own analytics rules and playbooks based on your needs and preferences. You can use the query language (Kusto Query Language or KQL) to write custom logic for your analytics rules and use the graphical interface or the code view to design your playbooks.
The following KQL query is an example that flags hosts performing DNS lookups for some of the more common Tor proxy (Tor2web) domains:
//Identifies IP addresses performing DNS lookups associated with common Tor proxies
DnsEvents
| where Name contains "."
| where Name has_any ("tor2web.org", "tor2web.com", "torlink.co", "onion.to", "onion.ink", "onion.cab", "onion.nu", "onion.link", "onion.it", "onion.city", "onion.direct", "onion.top", "onion.casa", "onion.plus", "onion.rip", "onion.dog", "tor2web.fi", "tor2web.blutmagie.de", "onion.sh", "onion.lu", "onion.pet", "t2w.pw", "tor2web.ae.org", "tor2web.io", "tor2web.xyz", "onion.lt", "s1.tor-gateways.de", "s2.tor-gateways.de", "s3.tor-gateways.de", "s4.tor-gateways.de", "s5.tor-gateways.de", "hiddenservice.net")
| extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer
The following example uses the content of the ThreatIntelligenceIndicator table to find IP indicators that match resolved addresses in the DnsEvents table.
//TI lookup that matches IP indicators against DNS events
let dt_lookBack = 1h;
let ioc_lookBack = 14d;
ThreatIntelligenceIndicator
| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
| where Active == true
// Pick up only IOCs that contain the entities we want (IP addresses)
| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)
// More than one indicator field may hold an IP: take NetworkIP first, then fall back to the others if it is empty.
// The result is the first non-empty value in order of preference
| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)
| join (
DnsEvents | where TimeGenerated >= ago(dt_lookBack)
| where SubType =~ "LookupQuery" and isnotempty(IPAddresses)
| extend SingleIP = split(IPAddresses, ",")
| mv-expand SingleIP
| extend SingleIP = tostring(SingleIP)
// Rename the time column so it is clear which log it came from
| extend DNS_TimeGenerated = TimeGenerated
)
on $left.TI_ipEntity == $right.SingleIP
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated, TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress
| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url
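Neither of the queries above inspects the DNS answers themselves, which is where a poisoned cache shows up. As an added example that is not part of the original post, the following custom analytics rule compares the IP addresses a name resolved to in the last hour against a seven-day baseline from the same DnsEvents table and flags names that suddenly resolve to previously unseen addresses; the window sizes and the stable-baseline threshold are assumptions you would tune for your environment.

```kql
// Added example (not from the original post): detect names whose resolved IPs
// changed against a recent baseline, a possible sign of DNS cache poisoning.
let baselineWindow = 7d;   // assumed: how far back to build the "known answers" set
let recentWindow = 1h;     // assumed: the detection window
let maxStableIPs = 4;      // assumed: skip names that rotate across many IPs (CDNs, round-robin)
let baseline = DnsEvents
    | where TimeGenerated between (ago(baselineWindow) .. ago(recentWindow))
    | where SubType =~ "LookupQuery" and isnotempty(IPAddresses)
    | mv-expand SingleIP = split(IPAddresses, ",") to typeof(string)
    | summarize BaselineIPs = make_set(SingleIP) by Name
    // Only names with a small, stable answer set give a meaningful "new IP" signal
    | where array_length(BaselineIPs) <= maxStableIPs;
DnsEvents
| where TimeGenerated >= ago(recentWindow)
| where SubType =~ "LookupQuery" and isnotempty(IPAddresses)
| mv-expand SingleIP = split(IPAddresses, ",") to typeof(string)
// Inner join drops names never seen in the baseline (first-time lookups are a different question)
| join kind=inner (baseline) on Name
| where not(set_has_element(BaselineIPs, SingleIP))
| summarize NewIPs = make_set(SingleIP),
            AffectedClients = dcount(ClientIP),
            FirstSeen = min(TimeGenerated)
          by Name, Computer, tostring(BaselineIPs)
// Entity mapping so the incident carries the resolver host and the affected name
| extend timestamp = FirstSeen, HostCustomEntity = Computer, DNSCustomEntity = Name
```

Triage a hit by resolving the name from an independent resolver and checking whether the new address belongs to the same owner as the baseline; legitimate IP changes and CDN rotation are the main sources of noise, which is why the stable-baseline filter matters.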
Summary
DNS spoofing is a serious threat that can compromise your security and privacy. Microsoft Sentinel is a powerful solution that can help you detect and mitigate DNS spoofing attacks across your enterprise. By using Microsoft Sentinel, you can leverage the cloud-native, AI-powered, and automated capabilities of this SIEM solution to protect your data and assets from DNS spoofing and other cyberattacks.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]