DeepSec2016 Talk: Behavioral Analysis from DNS and Network Traffic – Josh Pyorre

Sanna/ October 4, 2016/ Conference, Internet, Security

What’s in a name? A rose? The preparation for an attack? Or simply your next web page you will be looking at? The Domain Name System (DNS) has gone a long way from replacing text lists of hosts to a full directory service transporting all kinds of queries. DNS even features a security protocol for cryptographically signed zone data. In order to balance the load, name resolution has caches that temporarily store DNS information. Usually organisations run their own DNS resolvers as caches for their infrastructure. Even if it’s just a flat network with local clients all DNS requests are channelled to hit your resolvers. Before applications open a data connection, they will query the local resolver to get address data or other hints on how to contact the other endpoint of the communication. For this reason all your DNS queries are sensitive. They can tell what systems you often use. The names can be used to derive the purpose of a system. And queries can be used to identify when things go wrong inside your organisation. Josh Pyorre will tell you how.

Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus and log analysis. But the majority of these use signatures, looking for already known events, and they typically require some level of human intervention and maintenance. However, using behavioural analysis, it’s possible to observe and create a baseline of average behaviour on a network, enabling intelligent notification of anomalous activity. This talk will demonstrate methods of performing this activity in any environment. Attendees will learn new methods which they can apply to further monitor and secure their networks.

Again we recommend this presentation for everyone. You all rely on DNS resolvers every single day. The infrastructure is already there. All you need is to tap the existing information. You just have to use it for your monitoring. No mystery – and no cyber – there.


Josh is a security researcher with OpenDNS. Previously, he worked as a threat analyst with NASA, where he was part of the team to initially help build out the Security Operations Center. He has also done some time at Mandiant. His professional interests involve network, computer and data security with a goal of maintaining and improving the security of as many systems and networks as possible. Josh hosts a podcast looking at the most notable topics in security called Root Access.

Speaking engagements include:
2016: QuBit (Prague), Bsides (Austin), Cloud Security World (Boston), Bsides Portland
2015: Derbycon, DeepSec (Vienna, Austria), NASA, Source (Boston, Seattle),
BSides (Los Angeles, San Francisco, Chicago, Austin).
2010: Defcon (Las Vegas)

Here you can listen to an interview with Josh as a Podcast guest at  Further writing on OpenDNS from Josh can be found online:
Which providers have the most phishing content?
PayPal Phishing Sophistication Growing
Anatomy of a Facebook Phishing Campaign

Grammar and Spelling Errors in Phishing and Malware 

Share this Post

1 Comment

Comments are closed.