Understand How to Threat Hunt
DNS Covert Channel Indicators
4th March 2020
11:00 GMT | 16:00 GST | 17.30 IST
Join Si Consult’s very own Chris Cheyne and Johnny Witt, for a webinar on ‘Understand How to Threat Hunt
DNS Covert Channel Indicators’, held on the Wednesday 4th March 2020 at 11:00 GMT | 16:00 GST
| 17.30 IST.
Adversaries often communicate using DNS to avoid detection. They do this by blending in with existing
traffic. Almost all APT threat actor groups have demonstrated indicators relating to the use of DNS as a
covert channel. So, understanding threat hunting techniques over DNS logging is essential.
Please enter your details here. We look forward to seeing you.
AREAS YOU WILL LEARN ABOUT:
DNS firewall traffic analysis and anomaly detection
DNS controls bypassing
DNS log inspection for excessive sub domains, head length
How to spot encoded traffic over DNS
How to spot fast flux DNS
How to detect domain generation algorithms are used by many malware families
What to know about port 53 inbound Transition Control Protocol (TCP)
The benefits of using specific tools for detection (IBM QRadar, Resilient and IBM X-Force) and
Threat hunting is the action of proactively searching out anomalies that lead to a positive detection
of a malicious actor. The techniques used to do this are distinct from automated alert-driven
detection, in that they are part of normal Security Operations Centre (SOC) operations, and almost
always use machine analytics tooling.
There are, however, many methods attackers may take, via Domain Name System (DNS) anomalies, to
communicate, target and blend in with existing traffic.
Guest speakers, Cheyne and Witt expose these DNS Anomalies, and highlight the specific tools,
including how IBM QRadar can be used to provide the insights that make knowing about
crucial to your business.
Featured Presenter - Chris Cheyne, CTO Si Consult
Chris Cheyne is the SOC Director and CTO for SI Consult, a global organisation empowering its
clients with bespoke cyber security procedures and technology. Responsible for operating five Security Operation
Centres across the UK, Middle East and India, Chris specializes in threat hunting and intelligence, endpoint
detection and response, SOC monitoring, behavioural analytics, EUBA, SIEM and more. With over 12 years of
experience in security operations and management services, his objective is to place the power of his SOC team
into his clients’ hands, and to provide complete visibility of security events and threats within their
environments. Chris has been pivotal in building Si Consult’s capabilities in Managed Security Services and
has experience in delivering SOC detection and response services for household names across multiple sectors,
including Finance, Insurance, Healthcare, Retail, Aviation and Education. With an industry-leading team of 150
analysts behind him, he ensures that clients receive the highest degree of protection against today’s cyber threats.
SOC Director and CTO
Featured Presenter - Johnny Witt, Senior Security Analyst Si Consult
Johnny has over 25 years’ worth of experience in Cyber Security and Development, and acts as our
Principal Threat Advisor for Si Consult SOC. He has an incredible depth of knowledge and experience with real-world
threat actors, exploits and attack methods, and has many years of experience in detecting and responding to such threats.
Johnny contributes to the Si Consult Labs team and is specialised in Research and Development for next
generation IT Security products and built the first OpenDNS (type) infrastructure.