What Are Use Cases

So, you’re checking out what a use case is. Well, I hate to kill all the hype, but it’s exactly what it sounds like: a case in which you may use something. Simple enough, right?

Well, let’s start with a use case. We want to use our car and go really fast. Great, we have this accelerator function that makes the car go VROOM! 0 to 60 in no time flat. That’s amazing: this product meets our use case of going really quickly.

We may want to put a little thought into other use cases, such as, umm, well, I just went really fast, now maybe I want to slow down a bit before my life flashes before my eyes in a fiery explosion of carnage and mayhem? Right? Not dying is probably a good thing, at least in my experience it is.

If we don’t ask the right questions, then whatever product we purchase may only meet a sliver of our use cases while the rest of our needs are “On The Roadmap” to be delivered in a later release. That doesn’t help our whole “I need a product that won’t kill me now” situation, right?

In days like these where technology is changing ever-so-rapidly, we need to think about what we are attempting to accomplish before we spend days, months, or sometimes even years implementing new technology that could only meet a fraction of our needs.

This is why we are bringing you the Cyber Security Use Case blog. Hopefully, as you visit us more, you can use our use cases to help make better decisions on securing your environment, or, you know, reach out to us on Twitter, LinkedIn, or by contacting us!

Unauthorized DNS Server Usage

Simplified Version

So, you are lost. Do you ask the first person you see for directions, or do you look for someone trustworthy? Well, unauthorized DNS servers are the difference between asking a police officer for directions and asking the gentleman doing weird handshakes for cash on the corner. The gentleman may not point you in the right direction; then again, he may. Are you willing to take the risk?

Problem

How do we validate that systems in the environment are not attempting to use unauthorized DNS servers?

Business Justification

Bypassing the authorized DNS servers puts the organization at risk of malicious domains becoming resolvable, allowing malware droppers to retrieve malicious packages and infect corporate assets. It also bypasses the organization’s ability to blackhole malicious domains at its own resolvers.

Requirements

Firewall, NetFlow, or Windows Platform Connection Filtering Logs.

List of authorized DNS servers.

Detection Logic

Look for traffic to destination port 53 whose destination IP is not on your authorized DNS server list.
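The detection logic above, as an added example that is not part of the original post. It reads a constructed, simplified flow-log format (the authorized resolver addresses and sample flows are assumptions, not real data) and also handles two details a real rule needs: DNS over TCP as well as UDP, and flows sourced from the authorized resolvers themselves, which forward upstream on port 53 and must not trip the rule.

```python
# Added example, not from the original post: flag hosts sending port-53 traffic
# to resolvers outside the authorized list. Input is a constructed flow-log
# format: "src_ip src_port dst_ip dst_port proto"; real logs need their own parser.
import ipaddress
from collections import defaultdict

# Constructed allowlist of the organization's authorized resolvers (assumption).
AUTHORIZED_DNS = {"10.0.0.53", "10.0.1.53"}

def parse_flow(line):
    """Parse one flow record into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, _sport, dst, dport, proto = parts
    try:
        return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
                "dport": int(dport), "proto": proto.upper()}
    except ValueError:
        return None

def find_unauthorized_dns(lines, authorized=AUTHORIZED_DNS):
    """Return {src_ip: sorted unauthorized DNS destinations} per offending host.

    Matches port 53 over UDP and TCP (DNS uses TCP for large answers and zone
    transfers). Flows sourced from the authorized resolvers are skipped: they
    legitimately forward upstream on port 53 and would otherwise trip the rule.
    """
    allowed = {ipaddress.ip_address(a) for a in authorized}
    offenders = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53 or flow["proto"] not in ("UDP", "TCP"):
            continue
        if flow["src"] in allowed or flow["dst"] in allowed:
            continue  # legitimate: to an authorized resolver, or from one
        offenders[str(flow["src"])].add(str(flow["dst"]))
    return {src: sorted(dsts) for src, dsts in offenders.items()}

# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    "10.0.5.21 51234 10.0.0.53 53 UDP",      # uses an authorized resolver
    "10.0.5.22 51235 8.8.8.8 53 UDP",        # bypasses to a public resolver
    "10.0.5.22 51236 1.1.1.1 53 TCP",        # same host, DNS over TCP
    "10.0.0.53 40000 198.51.100.10 53 UDP",  # resolver forwarding upstream
    "10.0.5.23 51237 203.0.113.7 443 TCP",   # not DNS at all
    "garbage line",                          # malformed record, ignored
]
```

Running `find_unauthorized_dns(SAMPLE_FLOWS)` on the constructed flows returns `{'10.0.5.22': ['1.1.1.1', '8.8.8.8']}`: the only host that bypassed the authorized resolvers, with the servers it went to.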

Resolution

Once systems are identified, either update the DNS server IP address on the system if it is statically assigned an IP address, or verify that the DHCP server is handing out the correct DNS server IP.