How can DNS log artifacts assist threat hunting? Provide an example.

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

How can DNS log artifacts assist threat hunting? Provide an example.

Explanation:
DNS log artifacts provide visibility into how name resolution happens inside an environment, a channel that attackers often abuse for covert communication. This makes them powerful for threat hunting because you can surface patterns that indicate malware C2 or data exfiltration driven by DNS. For example, repetitive queries to a single suspicious domain can reveal beaconing from an infected host to attacker-controlled infrastructure. By examining which internal hosts are querying which domains, how often, and what record types are used (A/AAAA/TXT, etc.), hunters can establish a baseline of normal DNS behavior and flag anomalies such as regular, periodic lookups to unusual or high-entropy domains, or domains with anomalous TTLs that might accompany DNS tunneling or fast-flux techniques. Since DNS traffic often traverses perimeters more easily than other traffic, these artifacts become a telltale source for detecting covert C2 and data exfiltration attempts.