Risk
11/17/2017
11:00 AM
Herv Dhlin
Herv Dhlin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Tips to Protect the DNS from Data Exfiltration

If hackers break in via the Domain Name System, most business wouldn't know until it's too late. These tips can help you prepare.

The noise of IT staff scrambling to patch system vulnerabilities is a CISO's worst fear — it's the sign that someone somewhere could potentially infiltrate the network. The recent Equifax breach is a reminder that the loss of sensitive data has become too commonplace. Personal records, thought to be under lock and key, are being siphoned out of businesses, and most companies aren't aware until it is too late. Yahoo, Target, Home Depot, and Anthem are a few of the notable recent victims. In July, hackers even seized the latest episodes of Game of Thrones from HBO.

The most insidious path for criminals to mine data is via the Domain Name System (DNS). The DNS protocol is manipulated to act as a "file transfer" protocol and by default is seen as legitimate. Most businesses don't even know that data is being exfiltrated until it is too late.

A recent DNS threat report from EfficientIP revealed that 25% of organizations in the US experienced data exfiltration via DNS, and of those, 25% had customer information or intellectual property stolen. The average time to discover a breach was more than 140 days. Considering that hackers can silently drain about 18,000 credit card numbers per minute via DNS, that's a customer database many times over. In addition, businesses aren't installing the required patches on their DNS servers, either (86% applied only half of what is necessary, according to our report), which makes sense in the case of Equifax, where apparently only one employee was responsible for patches.

Sinister DNS data exfiltration will continue to occur unless businesses play a stronger offense. It's a challenge for organizations to win the cybersecurity battle without a proactive strategy that addresses DNS. Here are three actions to protect the network:

1. Learn how data is exfiltrated via DNS. Commonly, hackers embed data in DNS recursive requests. Then the DNS is leveraged using any public authoritative nameserver, legitimate or not. A small piece of malware slices the data set into small chunks, which are then encoded and submitted to a local DNS resolver. The resolver, tricked to not use its cache, forwards the requests to a compromised authoritative nameserver serving a domain controlled by the attacker, which will receive all emitted queries. These queries, once collected from the logs of the authoritative nameserver, can then be parsed to rebuild the original data set by decoding the labels in the correct order (such as username followed by password).

DNS tunneling abuses the protocol in a similar manner, only it permits two-way communication that bypasses existing network security, allowing hackers to create easy-to-use backdoors. It is less discrete as it requires specific software to be executed on both the client and server sides, but it sets up an IP tunnel through DNS, allowing attackers to leverage known protocols such as SSH or HTTP so they can exfiltrate any data set from a network.

2. Examine, analyze, rinse, repeat. Teams need to monitor DNS traffic and be alerted when irregular requests and responses are moving in and out of the network. Filtration systems can check links against a real-time blacklist and automatically check if a query is trustworthy or represents a risk.

Detection can be accomplished by analyzing payloads and traffic. Attacks can be blocked while avoiding legitimate traffic stops. Payload analysis detects malicious activity based on a single request and its associated responses are analyzed for tunnel indicators. It is resource intensive (which degrades DNS performance) and can generate a lot of false positives. DNS transaction inspection looks at multiple requests and responses over time and analyzes the amount, load, and frequency of those requests per client, permitting threat behavior analysis, utilizing fewer resources, and making businesses less prone to false positives. Traffic analysis provides historical data (number of host names per domain, location of requests, etc.) that can confirm whether exfiltration happened or not, and can block access to malicious domains, but it is not real time so it could be too late.

3. Create an event reaction checklist. If malicious activity is found on the DNS, companies must have a plan to stop and mitigate it. Three crucial components include: First, perform general monitoring and traffic analysis. Internal host or devices shouldn't use an external resolver and bypass network security. Secondly, analyze DNS payload and network traffic on a per-client basis. The security needs to be implemented at the resolver level. Finally, make sure to perform a security assessment to prevent future occurrences. This includes having separate authoritative servers from recursive servers, and also implementing a feed to block known malicious domains.

DNS is a core foundation of the Internet yet increasingly used in attacks to extract valuable data under the radar. Having a robust and layered defense is essential to avoid being the next target. IT departments must also rethink how the infrastructure is secured. Equifax admitted that a flaw wasn't patched for weeks. On average, a company spends more than $2 million per year fixing damage caused by intrusions, including exfiltration, according to our report. With looming regulation (such as the EU's GDPR) that will enforce penalties, the damage will be much higher for those that are breached. Proactive DNS monitoring is a step in the right direction to thwart hackers. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Hervé Dhélin is the VP of Strategy at EfficientIP, based out of France. He manages global marketing and strategy with a focus on North America and APAC, the two most important growing regions for EfficientIP. Hervé has more than 30 years of experience ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.