Exploiting to Securing: The Role of DNS in Business

By ISBuzz Team, June 5, 2015 (updated July 4, 2024)

How businesses can defend their network from APTs that exploit DNS

No company was too big, and no sector of industry went untouched by the effects of malware and APT breaches in 2014. And with high profile breaches grabbing headlines, including those at JP Morgan and Community Health, few could have missed their significant consequences over the past year.

APTs (advanced persistent threats) stealthily spread, mutate and conceal themselves within an organisation’s IT infrastructure. Created with the aim of carrying out long term attacks, APTs represent a significant threat to both the privacy and security of corporate data.

Despite a clear rise in awareness of the threat of cyber-crime, many organisations still remain oblivious to, and are not reacting to mitigate, the APTs and malware which use their organisation’s Domain Name System (DNS) as a means of communication. In doing so, not only are they leaving their company open to attack, but they are also overlooking the best tool they have at their disposal to combat these threats: the DNS itself.

Do not underestimate DNS

The evolution of DNS over the past three decades has led to it becoming the most fundamental component of the internet. DNS is crucial for every business to function, from enabling email and VoIP, which have taken over as the most prominent methods of enterprise communication, to just keeping a website online.

It is unsurprising, therefore, that given its important role, DNS has become an increasingly attractive target for cyber attackers.

A business would be unable to function should its DNS go down. It would place the organisation at risk of being compromised, which can have a significant impact on its reputation and bottom line should any subsequent data breach occur.

To make matters worse, DNS is relatively easy to exploit. When it was first developed more than 30 years ago as a high performance data transfer protocol, few could have predicted that it would later become a target for cyber criminals.

It is therefore of critical importance to an organisation to secure DNS to maintain the overall security of its network. Organisations need to start taking the health of their DNS more seriously.

Yet many businesses remain completely unprepared to detect and mitigate these threats, as traditional security methods are typically ineffective against the attack vectors which use DNS. For example, firewalls and IPS devices tend to leave port 53 open to allow DNS traffic to come in, which means that very few incoming queries are inspected, leaving the door wide open for malware and APTs to access the corporate network.

DNS at every step

DNS is not only an attractive target to hackers, but it can play an important part in each stage of an APT attack.

To initially infect a system, an attacker tends to use one of three methods, of which two – phishing attacks and watering hole attacks – rely on DNS. This demonstrates the importance of ensuring DNS security for rejecting suspicious and malicious content.

This infection’s primary function is to exploit known zero-day vulnerabilities. The real APT, which carries out the attacker’s malicious intent, will in most cases be downloaded by the initial malware from a command and control (C&C) server, another remote server or a botnet location, which it locates using DNS.

Once the APT is downloaded and installed, it then works to disable the antivirus and other security software installed on the computer, a task often found to be worryingly simple. The APT will then start gathering data from its victim computer and any connected LAN, before exploiting the DNS to contact a C&C server for its next steps.

A successful APT can identify terabytes of valuable data for the attackers. This data may simply then be transferred via the same C&C servers from which the APT previously received its instructions. This may not always be possible, however, if the bandwidth and storage capacities of the intermediate servers are insufficient to export it in a timely fashion. And because every additional hop used to transfer the data increases the chance of someone noticing, the APT may instead use DNS to directly contact a different server, uploading the information into a type of “dropbox”.

Secure from the core

Not only can the DNS be easily exploited for nefarious purposes, but it is frequently used to enable APT attacks. Organisations need to be mindful of DNS to ensure they do not leave themselves open to these attacks by overlooking it in their current security policies. Deploying a DNS firewall, for example, enables organisations to capitalise on their DNS to block an APT attack at any stage.

As cyber criminals tend to trust only a small number of intermediate servers and networks, which they will then use over and over again, the chances are significantly increased that at least part of the server infrastructure the attackers are using can be identified and blocked.

It is this infrastructure-specific insight which enables a DNS firewall to thwart the malware and APTs which can escape traditional firewalls.
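The two defensive ideas above, blocking queries to known attacker infrastructure at the DNS layer and spotting the C&C and exfiltration traffic described in the earlier attack stages, can be sketched as a small log analyser. The following is an added example, not code from the original article or from Infoblox; the blocklist, client addresses and log lines are all constructed placeholders, and the detection threshold for tunnelled data (many distinct long leftmost labels under one zone) is an assumption chosen for illustration.

```python
from collections import defaultdict

# Constructed blocklist standing in for a DNS firewall's feed of known attacker
# infrastructure; the names are placeholders, not real indicators.
BLOCKED_ZONES = {"bad-c2.example", "drop.example"}

# Constructed query log, one query per line: "<client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 beacon.bad-c2.example A
10.0.0.7 mail.example.com MX
10.0.0.9 4a6f686e20446f65.exfil.example TXT
10.0.0.9 7061737377643132.exfil.example TXT
10.0.0.9 73656372657473a1.exfil.example TXT
10.0.0.9 0badc0ffee123456.exfil.example TXT
10.0.0.9 deadbeef00112233.exfil.example TXT
"""

MIN_LABEL_LEN = 16  # leftmost labels this long are rare in ordinary lookups
MIN_DISTINCT = 4    # distinct long labels to one zone before raising an alert

def parent_zones(qname):
    """Return qname and each parent zone: a.b.c -> a.b.c, b.c, c."""
    labels = qname.lower().rstrip(".").split(".")
    return (".".join(labels[i:]) for i in range(len(labels)))

def is_blocked(qname):
    """DNS firewall rule: refuse any name inside a blocked zone."""
    return any(zone in BLOCKED_ZONES for zone in parent_zones(qname))

def registered_zone(qname):
    """Last two labels; a real deployment would consult the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyse(log_text):
    """Return (blocked, suspects): queries the firewall refuses, and the
    (client, zone) pairs whose many distinct long labels suggest data is
    being carried out of the network inside query names."""
    blocked, long_labels = [], defaultdict(set)
    for line in log_text.splitlines():
        client, qname, _qtype = line.split()
        if is_blocked(qname):
            blocked.append((client, qname))
            continue
        first = qname.split(".")[0]
        if len(first) >= MIN_LABEL_LEN:
            long_labels[(client, registered_zone(qname))].add(first)
    suspects = sorted(k for k, v in long_labels.items() if len(v) >= MIN_DISTINCT)
    return blocked, suspects
```

The zone used for the exfiltration-like queries is deliberately absent from the blocklist, which is the point of keeping both checks: the blocklist catches the reused infrastructure the article describes, and the behavioural rule catches a server that has not yet been identified.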

We all know that understanding a problem is essential to solving it – and that is no different with regards to cyber security. Understanding how DNS can be exploited to exfiltrate information is halfway to securing it.

As long as businesses remain clueless and unreactive to this attack vector, we will only see an increase in the number of APTs using DNS for malicious purposes.

Securing DNS is essential to reduce the risk of the damaging consequences of APTs. Businesses that keep their heads in the sand are not only ignoring a significant threat but also neglecting the best defence in their arsenal to combat it.

By Chris Marrison, consulting solutions architect, Infoblox

About Infoblox

Infoblox (NYSE:BLOX) delivers network control solutions, the fundamental technology that connects end users, devices, and networks. These solutions enable approximately 7,500 enterprises and service providers to transform, secure, and scale complex networks. Infoblox helps take the burden of complex network control out of human hands, reduce costs, and increase security, accuracy, and uptime. Infoblox is headquartered in Santa Clara, California, and has operations in over 25 countries.
