DNS as a Pathway for Infiltration and Exfiltration
Background
Several high-profile data breaches have been in the news recently: millions of customer records stolen, email accounts compromised, sensitive information leaked. Most enterprises have multiple defense mechanisms and security technologies in place, such as next-generation firewalls, intrusion-detection systems (IDSs), and intrusion-prevention systems (IPSs). Yet malicious actors still find a way to take data. What types of data are they after, and why? Attackers target personally identifiable information (PII) such as social security numbers, regulated data that falls under compliance regimes, and intellectual property that could give another entity a competitive advantage. They can then post this data publicly to damage the victim's reputation, or sell it on the underground market for a profit.
DNS is a Weak Link in Cyber Security Practices
Attackers can use multiple pathways to steal data, but the one that is most often left open unknowingly is DNS, the Domain Name System. DNS is increasingly used for data exfiltration, either by malware-infected devices or by rogue employees. According to a recent DNS security survey of businesses based in North America and Europe, 46 percent of respondents had experienced DNS exfiltration and 45 percent had experienced DNS tunneling (SC Magazine 2014). The channel works because almost every network must allow name resolution, and a recursive resolver forwards a query for any name under an attacker-controlled zone to that zone's authoritative server. Outbound data travels in the query name itself, encoded into the subdomain labels, and inbound data travels in the response records (TXT records, for example), so the traffic passes through firewalls that permit nothing but the resolver's port 53. DNS is not only used for data leakage but also to move malicious code into a network, and this infiltration is easier than many assume: an attacker can prepare a binary, encode it, and carry it past firewalls and content filters into an organization's network in DNS responses. Sending and receiving data this way effectively turns DNS into a covert transport protocol. Data Loss Prevention (DLP) solutions typically inspect data leaving via email, web, FTP and similar vectors, but have no visibility into DNS-based exfiltration.
Several methods of threat detection are available today:
- Reputation: detect known threats by checking queried domains against a blacklist of domains with a bad reputation. Most security practices rely on vendor-supplied blacklists to block known threats; by construction, a blacklist cannot stop a domain that has never been seen before.
- Signature: detect threats based on a known signature or on the method they use to communicate. DNS tunneling carries another protocol, such as SSH, inside DNS queries and responses. It has been around for a long time, and popular toolkits include Iodine, OzymanDNS, SplitBrain, and TCP over DNS. Through a DNS tunnel a malicious actor can fully and remotely control a compromised internal host as well as exfiltrate data. Some security practices rely on vendors that block the commonly available toolkits by signature. However, if a malicious actor modifies the toolkit (a different record type, label encoding or domain is enough), those solutions no longer recognize the signature and cannot block the attack.
- Behavioral: detect unknown threats based on their behavior. This method uses machine learning to detect "unknown unknowns". Models that are continuously trained on trillions of DNS queries collected worldwide each day take a far more realistic approach to detecting zero-day attacks and stopping data exfiltration, Domain Generation Algorithm (DGA) and fast-flux threats. Models strengthened by rules around entropy, frequency and size of queries, lexical analysis, and n-gram analysis go a long way toward stopping data exfiltration and infiltration. Such rules do produce false positives on legitimate services whose hostnames look random (CDN and anti-virus lookups are common cases), so they need allowlisting and tuning before they can be used to block rather than alert.