Malicious actors often use tactics such as domain hopping or domain fronting to evade detection and propagate malicious activity.
By changing the nameservers associated with a domain, threat groups are able toy evade detection and continue their activities under a different set of infrastructure.
By monitoring changes to nameservers associated with a domain, security teams can pinpoint connections between different domains and nameservers, and identify previously unknown threat actors or infrastructure based on different patterns of behaviour.
Additionally, if a domain is repeatedly changing nameservers or associated infrastructure, it may be an indication that the domain's security controls or practices are inadequate, and that the domain is vulnerable to attack.
Silent Push allows you to search for all nameserver changes associated with a specific domain over time.
-
Navigate to
Explore DNS Data > Domain Name Server Changes -
Specify a
Domain -
Click
Search
Monitoring nameserver data
You can monitor results populated on the Explore screen for any changes, saving you time and resources by automating key queries across a range of internal workflows.
Monitors run once every 24 hours. You'll be alerted when Silent Push detects new results via email (filtering/sorting options are not applied)
-
Once you've received a set of results, click the
Monitorbutton on the top right -
Specify a
Monitor name -
Enter a
Description -
Click
Save -
Your monitored query is now visible in
Monitors > Monitored Queries -
Read this article for information on how to share a monitor