Run DNS forensics with QRadar's big data security extension

Combine QRadar, the X-Force IP Reputation Feed, and InfoSphere BigInsights to build a DNS-based forensics system

With the new big data extension in QRadar®, you can process a large volume of unstructured data as illustrated in this demo. The author performs a version of DNS forensics — he takes a list of all the domains visited by all employees. He then correlates it with the IBM® Security X-Force® IP Reputation Intelligence Feed and registrar information for each of those domains from whoisxmlapi.com. From this analysis, he produces three reference sets that are fed into QRadar for creating or modifying existing rules.


Jose F. Bravo, Systems Engineer and Authorization Security Expert, IBM

Jose Bravo is a 26-year IBM Security subject matter expert who recently joined the Security Tiger Team. A prolific video educator, Bravo's main area of expertise is strong authentication; he has seven patents in that field. His BS in Electronic Engineering is from Simon Bolivar University and his Master of Science in Computer and Systems Engineering is from Rensselaer Polytechnic Institute.



11 March 2014

As organizations open up their networks to devices and increased social media access, traditional security defenses such as firewalls and antivirus software can't adequately protect an organization. According to a recent IBM X-Force Trend and Risk Report, social engineering attacks and mobile exploits have increased each year since 2011. Firewalls and traditional security products do little against advanced threats that use unreported techniques, or that have already invaded an organization.

In this video, I demonstrate how to make the QRadar SIEM tool work better at providing you tighter, more intelligent DNS and IP access security. The demo combines three components:

  • The QRadar big data extension (an InfoSphere® BigInsights™ engine)
  • The IBM Security X-Force IP Reputation Intelligence Feed
  • A whois parsing service

How X-Force and QRadar work together

Video: DNS Forensics and the QRadar Big Data extension (QRadar's new big data extension, 15:17)

The IBM Security X-Force IP Reputation Intelligence Feed delivers insight into suspect entities on the Internet, based on knowledge of more than 15 billion web pages and images. The X-Force IP Reputation Feed provides QRadar with a real-time list of potentially malicious IP addresses, including malware hosts and spam sources, among other threats.

The feed adds dynamic Internet threat data to the analytical capabilities of the QRadar Security Intelligence Platform, enriching QRadar's threat analysis capabilities with up-to-the-minute data. It:

  • Automatically feeds X-Force data into QRadar.
  • Provides vulnerability coverage across a wide range of use cases.
  • Uses IBM X-Force's proven data collection efforts and extensive knowledge base.

Using QRadar's big data extension

Extending security intelligence with big data solutions


Get the latest on IBM security intelligence and big data.

Use IBM security intelligence and big data solutions to uncover actionable insights into modern, advanced data threats. Read the white paper and learn about:

  • Understanding and identifying advanced threats.
  • Expanding visibility with IBM QRadar Security Intelligence.
  • Security Intelligence with IBM InfoSphere BigInsights.

Download "Extending security intelligence with big data solutions."

In the video demo, I illustrate QRadar's big data extension by doing a little DNS forensics and show you how to get more information out of DNS BIND. (BIND is one of the most widely used pieces of DNS software on the Internet. Also known as named (name daemon), it is considered the de facto standard DNS server.)

My goal is to take a list of all the domains visited by all employees and correlate it with the IBM Security X-Force IP Reputation Intelligence Feed and registrar information for each of those domains from whoisxmlapi.com. From this analysis, I show you how to produce three reference sets that you can feed into QRadar to create or modify existing rules.

A normal DNS lookup through BIND yields about as little information as a ping does. But if you do a whois query on the domain, you get a wealth of information:

  • Registrar
  • When registered and registration expiration
  • Registrant name and address
  • Admin name, admin address, and phone

This information can add to your security layer. Attackers often register a domain specifically to start an attack, so if your security system can include the registration date in its assessment, it can flag recently registered domains as suspicious.

Other fields in the whois record can also enhance your assessment, such as whether the record has:

  • Valid registrant and admin names
  • Valid registrant and admin addresses
  • Valid postal code that is correct for the city/state
  • Valid phone number and the area code for the calling area

And, probably most importantly, whether this pattern of names, addresses, and phone numbers correlates with previously known risky domains.

In the demo, I show you how to take all the raw logs that my users generate when they go on the Internet and have QRadar process them. Using QRadar's standard custom-properties procedure, I extract the massive list of all the domains that were accessed.

See how QRadar tags the list data with geographic location, the user who accessed the domain, and other details. QRadar then converts that information into JSON format (JavaScript Object Notation) and forwards it into the new QRadar big data extension, an InfoSphere BigInsights engine. This data is highly unstructured, so the BigInsights engine is the component that processes it. I then enrich the output of the big data extension by querying a whois service, whoisxmlapi.com.

The Whois API hosted web service returns well-parsed whois fields to your application in formats like XML and JSON, one domain per HTTP request, without query limits. The service can:

  • Automatically follow the whois registry referral chains until it finds the correct registrars for the most complete data.
  • Parse a variety of free-form whois data into well-structured fields (in XML and JSON) that your application can read.
  • Parse out the name, organization, street, city, state/province, postal code, phone number, and fax from a free-form human-written contact address.
  • Work over basic HTTP so you don't run into problems that are related to firewalls or accessing Whois servers on port 43.
  • Return an indication of whether a domain is available.
  • Return registry dates in their original format and in a normalized format.

Next, I take the resulting data and combine it with the IBM Security X-Force IP Reputation Intelligence Feed. Every eight hours, I process this data into three different reference sets:

  • Risky users
  • Risky domains
  • Risky IPs
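The three checks described above (registration age, registrant contact patterns shared with known risky domains, and correlation with the IP reputation feed) and the three resulting reference sets can be put together in a short script. The following is an added example, not code from the demo or from IBM: all inputs are constructed (RFC 5737 test addresses, `.test` domains, an in-memory reputation list standing in for the X-Force feed), and the whois JSON field names (`WhoisRecord`, `createdDateNormalized`, `registrant`) are assumptions, not the real whoisxmlapi.com schema. The clock is fixed so that the output is deterministic.

```python
"""Added example: build QRadar-style reference sets (risky users, domains, IPs)
from DNS query records, whois data and an IP reputation list.
Not the demo's code; every input below is constructed."""
import json
import re
from datetime import datetime, timedelta

# Fixed "now" so the domain-age check is deterministic (the article's date).
NOW = datetime(2014, 3, 11)

# Constructed DNS query records, the kind QRadar custom properties would pull
# out of BIND query logs: who resolved which domain, and to which address.
DNS_RECORDS = [
    {"user": "alice", "domain": "example-corp-mail.test", "ip": "198.51.100.20"},
    {"user": "bob",   "domain": "new-shiny-deals.test",   "ip": "203.0.113.7"},
    {"user": "bob",   "domain": "payr0ll-update.test",    "ip": "203.0.113.9"},
    {"user": "carol", "domain": "example-corp-mail.test", "ip": "198.51.100.20"},
]

# Constructed reputation entries standing in for the X-Force IP feed: IP -> category.
IP_REPUTATION = {"203.0.113.7": "Malware", "192.0.2.55": "Spam"}

# Constructed whois responses as JSON text. The field names are an assumption,
# not the real whoisxmlapi.com schema.
WHOIS_JSON = {
    "example-corp-mail.test": json.dumps({"WhoisRecord": {
        "createdDateNormalized": "2009-04-01 00:00:00 UTC",
        "registrant": {"name": "Example Corp", "street1": "1 Main St",
                       "postalCode": "10001", "telephone": "1.212.555.0100"}}}),
    "new-shiny-deals.test": json.dumps({"WhoisRecord": {
        "createdDateNormalized": "2014-03-01 00:00:00 UTC",
        "registrant": {"name": "Deals Ltd", "street1": "9 Market Way",
                       "postalCode": "94105", "telephone": "1.415.555.0199"}}}),
    "payr0ll-update.test": json.dumps({"WhoisRecord": {
        "createdDateNormalized": "2013-01-15 00:00:00 UTC",
        "registrant": {"name": "J. Doe", "street1": "12 Nowhere Rd.",
                       "postalCode": "30301", "telephone": "+1 (404) 555-0123"}}}),
}

# Constructed contact fingerprints (name, street, phone digits) taken from
# domains previously classified as risky.
KNOWN_RISKY_CONTACTS = {("j doe", "12 nowhere rd", "14045550123")}


def normalize(text):
    """Lower-case and strip punctuation so 'J. Doe' and 'j doe' compare equal."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).strip()


def contact_fingerprint(registrant):
    """Collapse name, street and phone into a comparable tuple (phone as digits only)."""
    return (normalize(registrant.get("name", "")),
            normalize(registrant.get("street1", "")),
            re.sub(r"\D", "", registrant.get("telephone", "")))


def parse_whois(json_text):
    """Extract the creation date and registrant contact from a whois JSON document."""
    record = json.loads(json_text)["WhoisRecord"]
    created = datetime.strptime(record["createdDateNormalized"].replace(" UTC", ""),
                                "%Y-%m-%d %H:%M:%S")
    return created, record.get("registrant", {})


def assess_domain(whois_json, known_risky, now=NOW, max_age_days=30):
    """Return the reasons a domain looks risky from its whois record (empty list if none)."""
    created, registrant = parse_whois(whois_json)
    reasons = []
    if now - created < timedelta(days=max_age_days):
        reasons.append("registered %d days ago" % (now - created).days)
    if contact_fingerprint(registrant) in known_risky:
        reasons.append("registrant contact shared with a known risky domain")
    return reasons


def build_reference_sets(records, whois_by_domain, ip_reputation, known_risky, now=NOW):
    """Produce the risky-domain, risky-IP and risky-user sets to load into QRadar."""
    risky_domains, risky_ips, risky_users = set(), set(), set()
    for r in records:
        reasons = assess_domain(whois_by_domain[r["domain"]], known_risky, now)
        if r["ip"] in ip_reputation:
            reasons.append("resolves to %s-listed IP" % ip_reputation[r["ip"]])
        if reasons:
            risky_domains.add(r["domain"])
            risky_ips.add(r["ip"])      # the address a risky domain resolved to
            risky_users.add(r["user"])  # the user who resolved it
    return {"risky_domains": risky_domains, "risky_ips": risky_ips, "risky_users": risky_users}


if __name__ == "__main__":
    sets = build_reference_sets(DNS_RECORDS, WHOIS_JSON, IP_REPUTATION, KNOWN_RISKY_CONTACTS)
    for name, values in sorted(sets.items()):
        print(name, sorted(values))
```

The contact fingerprint is deliberately normalized (case, punctuation, phone formatting) because the same registrant rarely types the details identically across registrations; an exact string match would miss most of the correlation the article describes. An IP is added to the risky set either because the reputation feed lists it or because a whois-flagged domain resolves to it, and a user is flagged for resolving any such domain, which mirrors the three sets the demo produces every eight hours.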

Watch the video to see the process in action and the results.

