Comments
7 Ways to Keep DNS Safe
Newest First  |  Oldest First  |  Threaded View
davidredekop
50%
50%
davidredekop,
User Rank: Apprentice
7/12/2018 | 10:56:21 PM
What if everybody did it
Curtis, I always enjoy watching you on TWIET, thanks for this article. Well thought out!

Your tweet asked "What would you add to the list?" on your tweet. I'd add that a very simple but powerful technique is to force DNS to an on-premise service. It's technically hijacking, but with a positive outcome. You don't allow any endpoints to make Internet-bound DNS queries but instead force them to use local DNS server(s). The designated servers are the only ones able to make recursive or upstream queries.

This has the simple effect of *preventing* participation in any DNS reflection attack. We do this as a basic standard at www.adamnet.works for all of our products.

By the way, the same thing should be done for NTP since it's also a very common protocol used by endpoints and abused for UDP reflection attacks.

Hijacking NTP and DNS, if it were done as a basic standard on Internet exit points, would disable all future reflection attacks attempting to use those protocols and their respective public servers.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
7/10/2018 | 4:02:11 PM
Efficient Malicious Packet Capture Through Advanced DNS Sinkhole
I read a great paper titled "Efficient Malicious Packet Capture Through Advanced DNS Sinkhole" (Hyun Mi Jung, Haeng Gon Lee, Jang Won Choi). It caught my eye by stating in the Abstract that among the current botnet countermeasures, "DNS sinkhole is known as the best practice in the world."

Like anything that is based on the collection and analysis of data, however, it seems that, to be most effective, one might have to get hardware to cope with the overhead, which would go against the idea in this article that you won't have to run out and start spending money for hardware. That overhead comes from critical elements in this model, though, that make it ideal and useful to both the whole InfoSec community and organizations looking to be more proactive in their security planning.

In brief, as described by this paper, you'd have a combination of systems that monitor, analyze and detect, then re-direct as necessary. So, if an organization has a PC that is infected by a malicious bot in a target security control agency AND initializes a connection to a command and control (C&C) system (the malicious controller of the bot), that traffic is detected as part of the monitored traffic at the target organization, and then redirected to a DNS sinkhole server rather than the real DNS server. The catch is the incoming traffic has to be recognized as part of a malicious domain (or identified as one realtime with AI support and access to a database of profiles such as this project collects). When those queries go to the sinkhole server {in this paper's model, at least), they are routed through the Korea Research Environment Open NETwork (KREONET) and the target organization's Threat Management System (TMS). The point of this is to collect all the traffic from the zombie PC with the bot into a log to better understand its purpose, collect intel on the bot and develop a profile of the attacker.

Sinkholes have been used to help thwart WannaCry and Avalanche threats. I'm not sure how sophisticated those sinkholes were, but as defined in this paper, probably not every organization could implement such an architecture. But as malicious bots, whether stationed on remote web servers or installed via malware on PCs, become rampant, this model of redirection and analysis, and ideally data sharing among the InfoSec community, is more crucial than ever to keep threats minimized and to better arm the InfoSec community as a whole.


High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...