One of the highlights of the Messaging Malware Mobile Anti-Abuse Working Group’s (M³AAWG) 58^th General Meeting in Dublin last month was a demonstration of the Domain Name System (DNS) Abuse Techniques Matrix by Peter Lowe, co-chair of the Forum of Incident Response and Security Team’s (FIRST’s) DNS Abuse Special Interest Group (SIG).

Lowe is part of an extensive team of experts who aid those charged with mounting an effective response to computer security incidents around the globe. Late last year, M³AAWG and FIRST announced their partnership, uniting the two organizations in the fight against online abuse and creating an initial focus on DNS abuse. That positioned Lowe to host a DNS Abuse training session in Dublin.

As he shared the details of FIRST’s DNS Abuse Techniques Matrix with the M³AAWG audience, Lowe outlined the strategies incident responders can use to detect, mitigate, and prevent specific techniques used by adversaries. These strategies are detailed further in the FIRST Computer Security Incident Response Team (CSIRT) Services Framework v2.1.

• Detect–identify potential incidents. This function involves continuous processing of information security event sources and contextual data to identify potential information security incidents, such as attacks, intrusions, data breaches or security policy violations that are identified for analysis.
• Mitigate–contain an incident and restore secure operations. Contain the information security incident as much as possible to limit the number of victims, reduce the loss and to recover from damage, avoid further attacks and further losses by removing exploited vulnerabilities or weaknesses, and improve overall cyber security.
• Prevent–using DNS-specific steps, make it less likely incidents of this type will occur in the future. CSIRTs are in a unique position to collect relevant data, perform detailed analysis, and identify threats, trends, and risks, as well as to create best current operational practices. Transferring this knowledge to their constituents is key to improving overall cybersecurity. Knowledge transfer can take place by building awareness, conducting formal training and education programs, and developing technical and policy advisories. Prevention also includes managing all new and known vulnerabilities (e.g., “scan and patch”) to stop exploitation.

The report and matrix identify a list of 21 DNS abuse techniques, such as DNS cache poisoning, stub resolver hijacking, and DNS tunneling. As incident responders move through detection, mitigation, and prevention stages, it is imperative that those who can directly help with a specific technique are engaged as soon as possible. The matrix matches an extensive list of stakeholders within each stage to each abuse technique.

Lowe explains the importance of communicating with stakeholders during each stage of incident response: “Keeping in regular communication with multiple stakeholders during the lifetime of an incident, and afterwards, is vital to ensure timely reporting and facilitate coordination and collaboration among teams. It also helps promote information sharing between parties, which always leads to improved resolution times and better defenses in the future: shared lessons ensure ongoing improvements in cybersecurity practices.”

FIRST’s main objective in creating the matrix was to develop  a tool for incident responders and security teams but also to bring DNS Abuse communities together. The partnership between FIRST and M³AAWG will continue to develop these connections, for this community and others addressing online abuse.  

We had a great experience presenting M³AAWG’s Objectionable Content Takedown Template Best Common Practices (BCP) at a FIRST event in 2022, and while the Dublin meeting was the first major engagement for the two organizations since the formalization of the partnership, M³AAWG’s Growth and Development Co-Chair, Dennis Dayman said there are more collaborative events planned for the near future, to include FIRST Regional Symposium Latin America & Caribbean in Fortaleza, Brazil this October. 

“M³AAWG has an active partner engagement framework designed to bring knowledge and connections to our constituency. Leveraging FIRST’s DNS Abuse expertise through Peter demonstrates the power of our partnership with FIRST: the number of incident responders exposed to relevant detection, mitigation and prevention techniques will grow exponentially from the Dublin presentation,” said Dayman. 

Lowe was an immediate hit with the M³AAWG Dublin crowd. Those who follow his podcasts appreciate the intensity with which he pursues protecting online information balanced with a healthy sense of humor. He shared in his blog that he particularly enjoyed the Open Round Table session format, where, “…attendees pick a certain subject and allow people to rotate between areas where it can be discussed. It felt a little bit like technical speed dating–is that a thing?”

Yes – technical speed dating is a thing, and M³AAWG is looking forward to the next date with Peter Lowe and FIRST! Members can find additional information on presentations on the Past Meeting Presentations page within the M³AAWG website.

M³AAWG Best Practices, Public Policy, and Supporting Documents may be accessed by any member of the public by visiting https://www.m3aawg.org/for-the-industry.