DNS abuse: Advice for incident responders

What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.

The Domain Name System (DNS) is a critical part of the Internet, and it’s often abused in many different ways by malicious threat actors.

FIRST is an association of computer security incident response teams (CSIRTs) from government, commercial, and educational organizations, and currently has over 600 members spread across the globe. Among its many special interest groups (SIGs) is the DNS Abuse SIG, which compiled the DNS Abuse Techniques Matrix.

“CERTs are confronted with reported DNS abuse on a continuous basis, and rely heavily on DNS analysis and infrastructure to protect their constituencies,” the DNS Abuse SIG notes.

“Understanding the international customary norms applicable for detecting and mitigating DNS abuse from the perspective of the global incident response community is critical for the open Internet’s stability, security and resiliency.”

Understanding DNS abuse in its many forms

The document defines 21 DNS abuse techniques: DNS spoofing, local recursive resolver hijacking, DNS as a vector for DoS or a channel for command and control (C2) communication, malicious registration of second level domains, and others.

The stakeholders included range from registrars, registries and various providers (hosting, application service, threat intelligence) to CSIRTs and ISACs (information sharing and analysis centers) and law enforcement and public safety authorities.

“The advice currently takes the form of a matrix indicating whether a specific stakeholder can directly help with a specific technique. By ‘help’, we mean whether the stakeholder is in a position to detect, mitigate, or prevent the abuse technique,” the SIG explained.

“We have organized this information under three spreadsheets covering these incident response actions. For example, during an incident involving DNS cache poisoning, the team can go to the mitigation tab and look at the row for DNS cache poisoning, to find which stakeholders they might be able to contact to help mitigate the incident.”

The matrix does not include techniques that attackers may use in conjunction with DNS abuse techniques, nor does it currently cover all existing policy-related, governmental, and judicial avenues incident responders can explore while dealing with DNS abuse.