OpenDNS is an interesting concept. It offers two choices for users: no-cost for personal use and a paid version for commercial use. The idea behind OpenDNS is that the company provides an assured, independent, secure set of domain name servers. When top-level domain servers - or, for that matter, any domain servers - are compromised by attacks such as cache poisoning, OpenDNS servers can be relied on to provide safe domain name service.
As a result of that approach, engineers at OpenDNS have developed a suite of tools that they use to manage, monitor and investigate potential cyberthreats, especially those that impact name servers directly. One of those tools is Investigate.
AT A GLANCE
Product OpenDNS - Investigate
Price Starts at $150K per year based on usage and volume.
What it does Threat intelligence derived from more than one billion DNS requests per day through the OpenDNS system.
The purpose for Investigate is simple, although its use can become complicated and tedious depending on what you want to know and whether you are running the tool manually or from the API. But, we are getting a bit ahead of ourselves and giving, perhaps, the impression that this is an incomplete or poorly thought-out tool. In fact, nothing could be further from the truth. Investigate is hard at work at SC Labs as we monitor the cyberthreatscape and it is one of our solid workhorses. The difference - again, getting a bit ahead of ourselves - is whether you use the manual or the API version.
The success of Investigate comes from its fire hose of incoming data. Riding on the back of the OpenDNS internet architecture, Investigate takes advantage of around 60 billion requests per day updated in real time. That boils down to about a million per second and that is a lot of data with which to work. In this type of analysis though - discovering and analyzing cyberthreats - more data always is better than less.
To apply Investigate in its manual mode, we start with a known address. Let's be specific. Recently we received four IP addresses that had appeared at the gateway of one of our industry partners. Associated with those addresses was a persistent vulnerability scanning effort. Rather than simply the expected knob-twisting we all experience daily, this appeared to be a concerted effort to find a weakness and it appeared to be automated. What to do?
We took the first of the four addresses - they actually appeared to be in pairs - and we fed it to Investigate. No threats reported. OK...on to the next. We went through three before we hit pay dirt with the fourth. This showed that it was a suspected fast flux network. Scrolling down a bit we found hundreds of IPs that were part of the network. DNS checks on several of these IPs gave back nothing. Traceroute gave back nothing. It looked like a fast flux botnet to us. Its URL suggested use of a domain-generating algorithm (DGA).
Next we looked at the domains hosted under this IP. There were six. Each one was also a fast flux with huge numbers of unidentifiable addresses attached. Digging still deeper, we examined the domains associated with the six initial ones. Same results. Our conclusion was that this posed a potential problem and we told our partner not to bother blocking the IPs. Rather, block the domains. We gave them a domain list and that ended the problem. Since this was a regional financial services organization, the domains being in the Czech Republic and the UK did not suggest a customer. So nothing would be lost - except the probes - by blocking it.
All of this took about two hours using Investigate only - and only in its manual mode. We manually mapped out a suspected botnet architecture. Deployed as an API we would have had the task finished in seconds. This is a threat analyst's tool par excellence. We designate OpenDNS Investigate with an SC Lab Approved rating.
OUR BOTTOM LINE
Investigate is a must-have for your threat analysis toolkit. Our technique of pivoting off of the suspect domain to uncover a potentially malicious architecture is greatly enhanced by Investigate. It provides the context for a solid analysis of a potential threat.
However, unless you really like playing with it, and we do, you are far better off to deploy the API. The REST API is straightforward and admits straightforward coding to bring Investigate into your workflow. The problem with sniffing out threats is that there is an extremely high noise level. We went through three IPs before we came to the one that we wanted. That was an easy one. Sometimes, depending on where you are on the botnet's target hierarchy, there can be hundreds to check.
We saw that as we dug a bit deeper, but only sampled because the magnitude of the task of digging in all the way simply was too great. You really need the API to make that level of analysis practical.
So, our bottom line for this one is: You need it but it really belongs in your data protection workflow where it can automate the process of hunting and can dig deeply through large suspicious networks of just about any ilk. So we recommend the API. Of course it wouldn't hurt to get a license or two of the manual version for the geeks who really like to dig into threat analysis.
SC Lab Approved