DNS over HTTPS (DoH) is a network protocol designed to enhance user privacy by encrypting DNS queries inside HTTPS. Many widely used applications, including Google Chrome, Mozilla Firefox, and Microsoft Edge, offer DoH as a privacy feature for users.
However, the implementation of DoH presents specific challenges within an organization striving for a Zero Trust security model.
Challenges of DoH in a Zero Trust Environment
1. Loss of Visibility and Control
Encrypted Traffic
DoH encrypts DNS queries, making it difficult for traditional security appliances (such as firewalls and intrusion detection systems) to inspect and analyze DNS traffic. This loss of visibility hinders the ability to detect malicious activities that rely on DNS, such as malware communication and data exfiltration.
Bypassing Internal DNS
DoH allows devices to bypass an organization's internal DNS servers and use external resolvers. This circumvents security policies and controls that are typically enforced at the DNS level.
2. Increased Security Risks
Malware Communication
Malware can use DoH to establish encrypted communication with command-and-control (C2) servers, making it harder to detect and block malicious activity.
Data Exfiltration
Threat actors can leverage DoH to exfiltrate sensitive data by tunneling it through DNS queries, bypassing traditional data loss prevention (DLP) measures.
Circumventing Security Policies
DoH can enable users to bypass security policies, such as content filtering and domain blocking, by using external DNS resolvers, thus weakening an organization's security posture.
3. DoH and Zero Trust Principles
"Never Trust, Always Verify"
A core principle of Zero Trust is to "never trust, always verify." DoH undermines this principle by obscuring DNS traffic, making it difficult to verify the legitimacy of network communications.
Least Privilege
Zero Trust emphasizes the principle of least privilege, ensuring that users have access only to what they need. DoH complicates the enforcement of least-privilege access by making it harder to control which domains users can access.
How Zero Trust Solutions Address DoH
DNS Security Solutions
Modern Zero Trust solutions incorporate advanced DNS security capabilities that can inspect and analyze DoH traffic. These solutions use techniques like deep packet inspection and threat intelligence to identify malicious DNS activity.
Centralized DNS Control
Zero Trust architectures aim to centralize DNS control, ensuring that all DNS traffic, including DoH, is routed through secure, managed DNS resolvers.
Policy Enforcement
Zero Trust solutions enable organizations to enforce security policies on DoH traffic, such as blocking access to known malicious domains and filtering content.
Detecting and Investigating DoH Activity with Clear NDR
To identify and investigate unauthorized DoH activity, security teams can leverage Clear NDR’s Enriched Hunting Interface. With over 100 guided hunting filters, analysts can simplify the discovery, investigation, and classification of DoH activity on their network.
Clear NDR automatically detects and identifies threats on the network, providing security teams with incident timelines and extensive context for each threat. Many organizations use Clear NDR to take a more proactive approach to security by hunting for specific threat types, anomalous activity, or suspicious behaviors.
The Stamus Enriched Hunting Interface provides security practitioners with ready-to-use guided threat hunting filters, including filters for policy violations, that can be used to investigate, classify, escalate, and automate vast amounts of event data, alerts, and contextual metadata.
For a more detailed look at the Enriched Hunting Interface, read the blog article titled, “Introduction to Guided Threat Hunting”.
What is DNS over HTTPS?
Traditional DNS translates domain names readable by humans (such as www.stamus-networks.com) into a machine-readable IP address. However, traditional DNS operates in plain text, leaving communications vulnerable to man-in-the-middle (MITM) attacks.
To address this, some service providers employ DNS over HTTPS (DoH), which encrypts DNS communications and disguises queries as regular HTTPS traffic, improving user privacy. However, from a security perspective, DoH introduces new risks. While it protects against MITM attacks, it allows malware actors to evade passive DNS monitoring, enabling C2 activity and malware beacon communications to avoid detection.
Many organizations specify which, if any, DoH services are allowed on their network. The presence of unauthorized DoH services may indicate either a policy violation by a user or an attempted attack by a malware actor.
Security teams can use Clear NDR’s Enriched Hunting Interface to quickly locate and investigate unauthorized DoH activity, strengthening their Zero Trust security strategy.
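The detection and policy check described in this section, as an added example that is not Stamus code: it scans constructed Suricata EVE-style JSON records (the hostnames, IP addresses, the `hunt_tag` and `doh_server` fields, and the allowlist entry `doh.internal.example` are all assumptions) for DoH transactions and classifies each as authorized or unauthorized against the organization's allowlist.

```python
import json

# Constructed policy: the only DoH resolver this hypothetical organization permits.
AUTHORIZED_DOH_HOSTS = {"doh.internal.example"}

# Hostnames of some well-known public DoH resolvers (illustrative, not exhaustive).
PUBLIC_DOH_HOSTS = {"dns.google", "cloudflare-dns.com",
                    "mozilla.cloudflare-dns.com", "dns.quad9.net"}

# RFC 8484 media type carried by DoH exchanges; only visible when HTTP is in
# the clear (e.g. behind a decrypting proxy). For TLS records, the SNI is the signal.
DOH_MEDIA_TYPE = "application/dns-message"

def doh_endpoint(event):
    """Return the DoH server hostname if the EVE-style record looks like DoH, else None."""
    kind = event.get("event_type")
    if kind == "http":
        http = event.get("http", {})
        if (http.get("http_content_type") == DOH_MEDIA_TYPE
                or http.get("url", "").startswith("/dns-query")):
            return http.get("hostname")
    elif kind == "tls":
        sni = event.get("tls", {}).get("sni")
        if sni in PUBLIC_DOH_HOSTS or sni in AUTHORIZED_DOH_HOSTS:
            return sni
    return None

def classify(event):
    """Add a hypothetical hunt_tag: 'relevant' for DoH to an unapproved server,
    'informational' for DoH to an approved one. Non-DoH records are returned untouched."""
    host = doh_endpoint(event)
    if host is None:
        return event
    tag = "informational" if host in AUTHORIZED_DOH_HOSTS else "relevant"
    return {**event, "hunt_tag": tag, "doh_server": host}

def hunt(lines):
    """Classify newline-delimited JSON records; return (src_ip, server, tag) per DoH hit."""
    hits = []
    for line in lines:
        ev = classify(json.loads(line))
        if "hunt_tag" in ev:
            hits.append((ev["src_ip"], ev["doh_server"], ev["hunt_tag"]))
    return hits

# Constructed sample records, not real log data.
SAMPLE_LOG = [
    '{"event_type":"tls","src_ip":"10.0.5.23","dest_ip":"8.8.8.8","tls":{"sni":"dns.google"}}',
    '{"event_type":"tls","src_ip":"10.0.5.24","dest_ip":"10.0.1.5","tls":{"sni":"doh.internal.example"}}',
    '{"event_type":"http","src_ip":"10.0.5.25","dest_ip":"10.0.9.9","http":{"hostname":"resolver.example","url":"/dns-query","http_content_type":"application/dns-message"}}',
    '{"event_type":"dns","src_ip":"10.0.5.26","dest_ip":"10.0.1.5","dns":{"rrname":"www.stamus-networks.com"}}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```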
Identifying DNS over HTTPS with Clear NDR
Clear NDR does most of the work for you. With Declarations of Compromise™, it definitively identifies serious and imminent threats. However, no system can automatically detect everything. That’s why Clear NDR logs every possible indicator of compromise – otherwise known as “alerts” – in addition to sightings of previously unseen communications, corresponding protocol and flow logs, IoCs, file transactions and file extraction logs, host insights, and machine learning enabled encrypted beaconing detection. These alerts, including the corresponding enrichment and metadata, can be used to create a trail of evidence in an incident investigation. Additionally – as seen in this series – they can also be used to perform a guided hunt for specific threat types or other unwanted activity.
So let’s take a look at the current alerts on our system:
In the past 48 hours, we have had about 570K alert events which have triggered millions of results – including protocol, flow, and file transaction logs as well as Host Insights for over 15,000 network endpoints and hosts.
The Hunt for DNS over HTTPS using Clear NDR
To begin this hunt, we first have to select the relevant filter from the drop-down list. Since there are over 100 guided hunting filters, we need to narrow the list down to find the filter we want.
To do this, we can search for the keyword “dns” and then select the needed filter. In this example, the filter we want is titled “Hunt: DNS over HTTPS”.
Selecting this filter narrows our results from 570K alert events down to only 1 in the selected timeline. This gives us an excellent starting point to work from.
It is important to note that Clear NDR's Enriched Hunting also provides additional organization-specific context. Users can filter for queries from various departments or user groups within the organization, allowing them to hyper-focus on specific areas without having to aggregate events or organize IP addresses to find specific users or departments.
This organizational context is very useful and reveals very interesting results in terms of the clear text downloads.
As part of one of many enrichment processes, Clear NDR automatically breaks down any http/dns/tls domains within those network protocol records into their subforms - Domain, TLD, Host, and Domain without TLD.
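The subform breakdown just described, as an added example that is not Clear NDR's own enrichment code: it splits a hostname into Host, TLD, Domain, and Domain without TLD using longest-suffix matching, so that multi-label suffixes such as co.uk are handled. The public-suffix set is a constructed stand-in for the full Public Suffix List.

```python
from collections import Counter

# Constructed mini public-suffix set; a real deployment would load the full
# Public Suffix List so that multi-label suffixes are recognised.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "ac.uk", "example"}

def split_domain(fqdn):
    """Break a hostname into the four subforms named in the text.

    Host: the full, normalised hostname.
    TLD: the longest public suffix that matches (e.g. "co.uk" wins over "uk").
    Domain: the registrable domain, one label plus the TLD.
    Domain without TLD: that single label on its own.
    """
    host = fqdn.strip().rstrip(".").lower()
    labels = host.split(".")
    # Walk from the left so the first match is the longest matching suffix,
    # while always leaving at least one label for the registrable domain.
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return {"Host": host, "TLD": candidate,
                    "Domain": ".".join(labels[i - 1:]),
                    "Domain without TLD": labels[i - 1]}
    # Unknown suffix (or a single label): fall back to the last label as TLD.
    if len(labels) == 1:
        return {"Host": host, "TLD": host, "Domain": host, "Domain without TLD": host}
    return {"Host": host, "TLD": labels[-1],
            "Domain": ".".join(labels[-2:]),
            "Domain without TLD": labels[-2]}

def count_by_domain(hostnames):
    """Collapse many observed hosts into registrable domains, as a hunter would
    when pivoting from individual SNIs to the organisations behind them."""
    return Counter(split_domain(h)["Domain"] for h in hostnames)

# Constructed sample hostnames, not taken from real traffic.
SAMPLE_HOSTS = ["www.stamus-networks.com", "mail.example.co.uk",
                "cdn.example.co.uk", "dns.google", "localhost"]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(split_domain(h))
    print(count_by_domain(SAMPLE_HOSTS))
```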
There are several potential next steps we could take in this investigation, but I would like to take a closer look at the endpoints involved and see if any users that are seen there are still logged in. To get there, we need to see a list of all the hosts in order to know the full scope of what we are dealing with.
Knowing which clients and hosts are offenders and seeing additional information about the offense is important to get the full picture of this hunt. Specifically, we need to see which services are running on the offender’s host.
To do this, we can use Host Insights - a very powerful feature included with Clear NDR. Host Insights tracks over 60 security-related network transactions and communication attributes of a host. This provides a single place to view many aspects of the network activity relative to a given host, such as network services, users, or TLS fingerprinting forensic evidence.
We can click the “Hosts” tab on the left hand side panel and be transferred from the actual events logs to the Host Insights screen.
This filters our 570K alerts down to only 1 event taking place on 1 host. From here, investigating this host to get a better look at their activity is relatively simple.
This event alone is enough to raise an investigation, since in this specific setup no internal device should be using DNS over HTTPS – not even to public resolvers. This leaves a few more questions. Why is this happening, and what in the network has used it or attempted to use it in the past?
Evidence for Incident Response
With just a few clicks, we are able to view two important sets of evidence:
- The associated network protocol transactions and flow logs
- Host Insights - a single screen for reviewing 60+ network activity attributes collected for every host
The generated events are already enriched by Clear NDR to include important metadata like DNS records, TLS protocol data containing certificate names, fingerprint JA3/JA3S, connection flow sizes, http user agent, http host, request body, status codes, file transaction info, and more.
Expanding the actual event details in the Alerts tab gives us those details and the related network protocol and flow transaction logs. Based on the extra TLS protocol information that can be present, including SNI, fingerprint, issuer, JA3/JA3S, and the flow length and duration, it is obvious that those communications and transactions did in fact happen from the endpoint.
With this information, we have located both the users and stations involved. We also have an IoC and details on where the file has been seen in the network.
Security analysts can use any piece of metadata to create simple or complex filters for things like wildcarding, negation, or inclusion. You can even include multiple fields for fast drill-down capabilities. All domains, TLS SNI, IP addresses, HTTP hosts, and more can easily be checked with an external threat intelligence provider such as VirusTotal.
Armed with the above information and evidence, a threat hunter has enough information and IoCs to generate an Incident Response ticket.
However, there are still two tasks left to complete:
1. We do not want to have to repeat this exact same process again in the future, so we need to set up classification and auto-escalation for future occurrences.
2. If anything like this has happened before, we want it to be found and escalated with all the associated evidence - all based on historical data.
Classification
In order to streamline the event review/triage process in the future, an experienced analyst can choose to tag/classify the events associated with this filter. By doing so, Clear NDR will tag future events that match the filter criteria as “relevant” or “informational,” depending upon the analyst’s selection. These tags can be used to automate event review/triage and make it easier for a less-experienced analyst to identify events that are relevant for manual review.
To do so, the analyst selects the Tag option from the Policy Action menu on the right-hand side panel. This action will cause Clear NDR to insert a tag into each event record as shown below:
This allows the analyst to easily filter out or search for those events in any SIEM (Chronicle, Splunk, Elasticsearch, etc.) or data lake using that tag.
It also allows for easy filtering out of those events in the Stamus Enriched Hunting GUI by switching to “relevant” only classified events.
Escalation and Automation of this Hunt
To set up an automation which causes Clear NDR to escalate past and future occurrences, we can create a Declaration of Compromise (DoC) event from the Policy Actions drop-down menu on the right-hand side panel in the Stamus Enriched Hunting Interface.
The next step is to add some explanation about the type of threat. This also gives us a chance to provide informational context and helps convey knowledge to colleagues.
Select options to generate events from historical data and generate Webhook notifications.
Just like that, the hunt and all related activities are complete. Any past or future generated events from that automation will then be further auto-classified and escalated to the desired response process - via SOAR playbook, chat notification, or incident response ticket.
Our DoC escalation gives us exactly that, with a timeline of the hosts involved, their offenders, and past occurrences.
Conclusion
The post-hunt activities completed in this example are just the tip of the iceberg when it comes to the automation and escalation capabilities of Clear NDR. To learn more about these features and how to implement them, read our article titled “After the Hunt”.
To learn more about Network Detection and Response (NDR) from Stamus Networks and see the enriched hunting interface for yourself, click the button below and schedule a live demo.