An organization can make an educated guess that malicious actors or malware in its network are going to be trying to exploit its DNS infrastructure. Whether used to exfiltrate data or communicate with a command and control server, DNS plays a crucial role in enabling malicious activity on the network.
Why is it so important?
As a critical network service, cyber criminals can reasonably expect any network to have DNS available. Moreover, it almost always offers a path out of the network: to find the IP address of a host, the malware must talk to name servers on the Internet and listen for the answer. And with most networks allowing some sort of Internet access, there tends to be a route out for these DNS queries.
Finally, with no intrinsic security built-in to DNS, it is inherently vulnerable to exploitation; originally designed more than 30 years ago, the Internet was a very different place then than it is today. And, making matters worse, traditional security solutions tend not to consider DNS nor address its vulnerabilities.
In simple terms: ubiquitous and inherently insecure, DNS is often overlooked by organizations’ security investment. But it hasn’t escaped the notice of cyber criminals…
Ultimately, a question of economics means that hackers are now using DNS as a control plane for malware insertion into an organization.
As an industry, we have successfully protected HTTP, which is widely used as the online business protocol in modern networks with many layers of security. We have invested in end point security, intrusion prevention systems, NextGen Firewalls, and now Web Application Firewalls. As a result, it has become much harder for cyber criminals to exploit the increasing number of hurdles that each organization is piling up. At the same time, the dark hacking industry, which is also innovating at a much faster pace, has scored a genius achievement by leveraging DNS as the new covert channel. DNS is trusted by all networking and security devices and, as such, can silently traverse any network device, security system, Data Loss Prevention Function (DLP) or even application servers.
Detection of data exfiltration is rendered difficult by the ease with which arbitrary data can be encoded within a DNS query, or in the associated response, that looks “correct” from the perspective of a DNS protocol.
For instance, if issuing a query for a domain named Jane-doe-2000-11-25.
Essentially, when not intelligently deployed, DNS risks single handedly wiping out the multimillion dollar investments in security technologies an organization makes and exposing it to grave consequences.
Using DNS for network defense
While inherently vulnerable, DNS can, when securely managed, also be an organization’s best weapon in securing its networks.
The first step towards making DNS a useful tool is by looking at its data, if not doing so already. But looking at logs will only let you know what’s happened already. Instead, it’s important to use the data intelligently so organizations can prevent malicious activity happening in the first place.
Putting threat intelligence into the DNS server is a key step in weaponising the DNS. There are three techniques that can be applied to the DNS infrastructure to decide whether its traffic is “bad”.
The first of these, reputation, works in a similar way as that seen in other areas of a company’s security operation. Reputation feeds are available that list known malicious domains on the Internet: so if a DNS server is querying these domains, it’s a strong indicator of compromise. By configuring the server to disrupt that communication to these domains, it is able to neutralise the malware, or enable the network administrators to log it for future investigation.
The second is signature. There are kits readily available online that set up DNS tunnelling, which typically has a detectable signature in how it sets up the queries. While the signature may not have been seen by you before, and so won’t appear on the reputation list, signature detection software may still be able to recognise the malicious activity and block it.
The third is analytics. The address book of the Internet, DNS translates the hostnames that we know and recognise into a location that machines can direct to. As such, “legitimate” DNS traffic has certain properties such as use of vowels, letter frequency, and length that don’t occur in arbitrary data encoded in a text format. Analytics can also look at lexical analysis of the requests and responses, the size of the data responses and frequency to determine what is a legitimate DNS query and what is an exploit.
Securing DNS requires a sophisticated appreciation of how this vulnerable piece of infrastructure should work. With no traditional solution that can truly protect it, it is important that the defenses start at the core of the problem.
By using DNS as a strategic security weapon, organizations can disrupt the malware kill chain, prevent unauthorised leakage of sensitive data and protect the infrastructure without having to install any special software on end points, network devices or servers. That’s why it’s smart to start leveraging DNS strategically to transform it from vulnerable infrastructure to a network defender.
Cherif Sleiman is VP EMEA at Infoblox.