If I were a malicious actor or a strand of malware operating in your network, it’s pretty likely that I’m going to try to exploit the Domain Name System (DNS) infrastructure – whether that is to exfiltrate data directly, or to use it to communicate with my command and control servers to instigate the next stage of the attack.
Why is DNS the top choice? Firstly, DNS is a critical network service, so it’s reasonable to expect that every network has one. Secondly, DNS will almost always offer a path out of the network: to identify the IP address of a host on the internet, I need to talk to name servers and listen for the answer. As most networks allow certain types of internet access, there’s typically a route out for DNS along with it. Thirdly, there’s no security built into DNS, as it was designed over 30 years ago when cyber threats were on a completely different scale. And finally, traditional cybersecurity solutions generally don’t cover DNS.
To put it bluntly: DNS is ubiquitous, inherently insecure and probably isn’t being secured by any of your existing security solutions. So, unsurprisingly, the bad guys are happy to exploit it.
To make matters worse, identifying this malicious activity isn’t simple either. It’s not difficult for cybercriminals to encode arbitrary data in a DNS query, or in the associated response, in a way that appears “correct” from the perspective of the DNS protocol. When a query is made for a name like Jane-doe-1991-01-29.domainownedbythebadguys.com, it could be that there really is a host called Jane-doe-1991-01-29. Alternatively, someone inside the organisation may have just communicated a person’s name and date of birth to the outside world. Whatever the response, the data is already stolen. And if it’s binary data, it can be encoded in ASCII, chopped up into a stream of 200-byte chunks, and then sent out in multiple queries.
Working out what’s going on – before it’s too late
So, how do you start protecting your organisation against the threats posed by this ubiquitous, inherently insecure critical network service? Firstly, you need to start looking at the DNS data. But just looking back isn’t enough: the logs can only tell you what’s already happened, rather than giving you the opportunity to prevent it from happening.
One way that this can be achieved is by introducing intelligence into the DNS server. There are three different techniques which can be applied to DNS infrastructure to help identify “bad” DNS traffic: reputation, signature and analytics.
Reputation here means something different from what it may mean in other areas of your company’s security operation. Reputation feeds are available that list known bad domains, so if your DNS server sees queries for these domains, that is a good indicator of compromise. You can choose to configure the server to disrupt that communication, which will neutralise the malware. Alternatively, you may just want to log it and investigate at a later date.
There are a number of kits readily available online that can set up DNS tunnelling, but these typically leave specific signatures in the way the queries are constructed. These signatures can indicate compromise. DNS servers can be configured to block not only the names blacklisted on the reputation list, but also queries that match the signatures of known malicious tooling.
Analytics can be used to detect illegitimate DNS traffic based on its properties. DNS translates hostnames that we recognise into the addresses that machines can use; for example, Infoblox.com is known to DNS as 2001:4801:7903:100:aff8:a2d8:0:f65 126.96.36.199. Catchy.
“Legitimate” DNS traffic has certain properties, for instance the use of vowels, letter frequency and name length, that packets of arbitrary data encoded in a text format won’t have.
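The three techniques described above (reputation, signature and analytics) are easiest to see side by side in code. The following is an added example, not code from the original article or from any Infoblox product: it scans a small, constructed DNS query log and reports which technique flags each name. The reputation list, the signature pattern, the analytics thresholds and the log lines (including the data-drop.example domain and the hex label) are all assumptions made for this example, and the registered-domain split is a deliberate simplification that ignores the public suffix list.

```python
from __future__ import annotations

import math
import re

# Constructed reputation feed: placeholder "known bad" domains, not real indicators.
# In practice this set would be loaded from a threat-intelligence feed.
BAD_DOMAINS = {
    "domainownedbythebadguys.com",
    "c2-placeholder.example",
}

# Constructed signature set: a pattern loosely modelled on tunnelling tools that put a
# raw hex-encoded payload in a leading label. Illustrative only, not a vendor signature.
SIGNATURES = {
    "hex-payload-label": re.compile(r"(^|\.)[0-9a-f]{32,}(\.|$)"),
}

# Analytics thresholds (assumed values for this example; tune against real traffic).
MIN_ANALYSED_LENGTH = 24   # only score names carrying enough attacker-controlled text
MIN_VOWEL_RATIO = 0.15     # human-readable labels use vowels; encoded data rarely does
MAX_ENTROPY_BITS = 4.0     # bits per character; above this looks like random/base-N data


def registered_domain(qname: str) -> str:
    """Naive registered domain: the last two labels. A production system would use
    the public suffix list so that names under co.uk and similar split correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def payload_part(qname: str) -> str:
    """Everything left of the registered domain with separators stripped, i.e. the
    part of the name an attacker can vary freely in each query."""
    labels = qname.lower().rstrip(".").split(".")
    return "".join(ch for ch in "".join(labels[:-2]) if ch.isalnum())


def vowel_ratio(s: str) -> float:
    return sum(ch in "aeiou" for ch in s) / len(s) if s else 0.0


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def classify(qname: str) -> list[str]:
    """Return the techniques (reputation, signature, analytics) that flag this name."""
    reasons = []
    if registered_domain(qname) in BAD_DOMAINS:
        reasons.append("reputation")
    if any(p.search(qname.lower()) for p in SIGNATURES.values()):
        reasons.append("signature")
    payload = payload_part(qname)
    if len(payload) >= MIN_ANALYSED_LENGTH and (
        vowel_ratio(payload) < MIN_VOWEL_RATIO
        or shannon_entropy(payload) > MAX_ENTROPY_BITS
    ):
        reasons.append("analytics")
    return reasons


# Constructed query log, one query per line: timestamp, client IP, query type, name.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 A www.infoblox.com
2024-01-01T10:00:01 10.0.0.5 A jane-doe-1991-01-29.domainownedbythebadguys.com
2024-01-01T10:00:02 10.0.0.7 TXT 4d5a90000300000004000000ffff0000b8000000.chunk0.data-drop.example
2024-01-01T10:00:03 10.0.0.9 AAAA mail.example.org
"""


def scan_log(text: str) -> dict[str, list[str]]:
    """Map each flagged query name in the log to the reasons it was flagged."""
    flagged: dict[str, list[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than abort the whole scan
        qname = fields[3]
        reasons = classify(qname)
        if reasons:
            flagged[qname] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in scan_log(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(why)}")
```

Run as a script it prints one line per flagged name. Note how the three techniques complement each other on the sample: the name-and-date-of-birth query from the article is caught only by reputation, because a short, readable label gives the analytics nothing to work with, whereas the hex-encoded label is caught by both the signature and the vowel-ratio check even though its domain is on no list.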
Organisations will only successfully secure themselves against DNS threats if they take an intelligent approach to security. To differentiate between legitimate and exploitative DNS traffic, it’s important to have a sophisticated understanding of how DNS should work, and that understanding is what makes the DNS server the right place to apply intelligent security controls.
By Dr Malcolm Murphy, Technology Director, Western Europe, Infoblox
GDPR Summit London is a dedicated event which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/