adammontville / cis-controls-71-measures


Subcontrol 8.7 #95

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.

Measures

M1 = # of URLs to test
M2 = # of DNS queries in log

Metrics

Boolean value = 0 if (M1 == M2); otherwise 1;

apiperCIS commented 5 years ago

This one seems to get complicated quickly. It's also worth thinking about it in the context of 7.7 where we're recommending using an external DNS filtering service. I've done some research and chatted with Phil. We brainstormed about 3 different ways of doing this (which I know gets into the "how", but sometimes it's necessary to think about "how" these things are done in order to make sure the "what" that we propose makes sense).

Some possible ways of doing this:

1) Organization has internal DNS server(s) that log the DNS requests (before sending those DNS requests on to the external service)
2) DNS requests are logged on the endpoints (potentially by an EDR, etc.) and then those logs are aggregated somewhere (SIEM, etc.)
3) Detect and log the DNS requests at the network level (NIDS, etc.)

It seems like this sub-control measure should be able to be automated, but if we're coming at it from the configuration checking approach, it's hard to know what type of configuration to check. If we just say "point at the DNS logs" with an input, it would just be a binary (yes, there are logs; no, there aren't), which seems kind of watered down. Any thoughts on all of this?
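Added example (not code from this repository or its authors): the measure from the issue description, computed over constructed BIND-style query log lines as in option 1 above. It assumes M2 counts only the test lookups that appear in the log (so unrelated query traffic does not break the M1 == M2 comparison) and reports which test hostnames were never logged, which gives more than the yes/no "logs exist" answer.

```python
import re

# Constructed BIND-style query log lines (not real traffic); hostnames are
# placeholders standing in for the "known malicious" test domains.
SAMPLE_QUERY_LOG = """\
12-Mar-2024 10:01:02.123 queries: info: client @0x7f1 10.0.0.5#51234 (malware-test.example): query: malware-test.example IN A + (10.0.0.2)
12-Mar-2024 10:01:03.456 queries: info: client @0x7f2 10.0.0.6#51235 (www.example.org): query: www.example.org IN AAAA + (10.0.0.2)
12-Mar-2024 10:01:04.789 queries: info: client @0x7f3 10.0.0.7#51236 (c2-test.example): query: C2-Test.example. IN A + (10.0.0.2)
"""

# Hostnames the assessor resolves during the test; M1 = number of entries here.
TEST_HOSTNAMES = ["malware-test.example", "c2-test.example", "phish-test.example"]

# Matches the "query: <qname> IN <qtype>" fragment of a BIND query log line.
QUERY_RE = re.compile(r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN and relative forms compare equal."""
    return name.lower().rstrip(".")


def parse_queried_names(log_text):
    """Return the set of normalized query names present in a BIND-style query log."""
    names = set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            names.add(normalize(m.group("qname")))
    return names


def measure_8_7(test_hostnames, log_text):
    """Compute M1, M2 and the boolean metric from the issue.

    M1 = number of test hostnames, M2 = number of those that appear in the log,
    metric = 0 when every test lookup was logged, otherwise 1.
    """
    wanted = {normalize(h) for h in test_hostnames}
    seen = parse_queried_names(log_text)
    m1 = len(wanted)
    m2 = len(wanted & seen)  # only the test lookups, not all queries in the log
    return {"M1": m1, "M2": m2, "metric": 0 if m1 == m2 else 1,
            "missing": sorted(wanted - seen)}


if __name__ == "__main__":
    print(measure_8_7(TEST_HOSTNAMES, SAMPLE_QUERY_LOG))
```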

wmunyan commented 5 years ago

Enable query logging within the DNS system. What's the scope? Focus on endpoints, but include servers for organizations that have their own resolver.

Assumption:

Inputs:

Operations:

Measures:

Metrics: