Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/17/2017
11:00 AM
Hervé Dhélin
Hervé Dhélin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Tips to Protect the DNS from Data Exfiltration

If hackers break in via the Domain Name System, most business wouldn't know until it's too late. These tips can help you prepare.

The noise of IT staff scrambling to patch system vulnerabilities is a CISO's worst fear — it's the sign that someone somewhere could potentially infiltrate the network. The recent Equifax breach is a reminder that the loss of sensitive data has become too commonplace. Personal records, thought to be under lock and key, are being siphoned out of businesses, and most companies aren't aware until it is too late. Yahoo, Target, Home Depot, and Anthem are a few of the notable recent victims. In July, hackers even seized the latest episodes of Game of Thrones from HBO.

The most insidious path for criminals to mine data is via the Domain Name System (DNS). The DNS protocol is manipulated to act as a "file transfer" protocol and by default is seen as legitimate. Most businesses don't even know that data is being exfiltrated until it is too late.

A recent DNS threat report from EfficientIP revealed that 25% of organizations in the US experienced data exfiltration via DNS, and of those, 25% had customer information or intellectual property stolen. The average time to discover a breach was more than 140 days. Considering that hackers can silently drain about 18,000 credit card numbers per minute via DNS, that's a customer database many times over. In addition, businesses aren't installing the required patches on their DNS servers, either (86% applied only half of what is necessary, according to our report), which makes sense in the case of Equifax, where apparently only one employee was responsible for patches.

Sinister DNS data exfiltration will continue to occur unless businesses play a stronger offense. It's a challenge for organizations to win the cybersecurity battle without a proactive strategy that addresses DNS. Here are three actions to protect the network:

1. Learn how data is exfiltrated via DNS. Commonly, hackers embed data in DNS recursive requests. Then the DNS is leveraged using any public authoritative nameserver, legitimate or not. A small piece of malware slices the data set into small chunks, which are then encoded and submitted to a local DNS resolver. The resolver, tricked to not use its cache, forwards the requests to a compromised authoritative nameserver serving a domain controlled by the attacker, which will receive all emitted queries. These queries, once collected from the logs of the authoritative nameserver, can then be parsed to rebuild the original data set by decoding the labels in the correct order (such as username followed by password).

DNS tunneling abuses the protocol in a similar manner, only it permits two-way communication that bypasses existing network security, allowing hackers to create easy-to-use backdoors. It is less discrete as it requires specific software to be executed on both the client and server sides, but it sets up an IP tunnel through DNS, allowing attackers to leverage known protocols such as SSH or HTTP so they can exfiltrate any data set from a network.

2. Examine, analyze, rinse, repeat. Teams need to monitor DNS traffic and be alerted when irregular requests and responses are moving in and out of the network. Filtration systems can check links against a real-time blacklist and automatically check if a query is trustworthy or represents a risk.

Detection can be accomplished by analyzing payloads and traffic. Attacks can be blocked while avoiding legitimate traffic stops. Payload analysis detects malicious activity based on a single request and its associated responses are analyzed for tunnel indicators. It is resource intensive (which degrades DNS performance) and can generate a lot of false positives. DNS transaction inspection looks at multiple requests and responses over time and analyzes the amount, load, and frequency of those requests per client, permitting threat behavior analysis, utilizing fewer resources, and making businesses less prone to false positives. Traffic analysis provides historical data (number of host names per domain, location of requests, etc.) that can confirm whether exfiltration happened or not, and can block access to malicious domains, but it is not real time so it could be too late.

3. Create an event reaction checklist. If malicious activity is found on the DNS, companies must have a plan to stop and mitigate it. Three crucial components include: First, perform general monitoring and traffic analysis. Internal host or devices shouldn't use an external resolver and bypass network security. Secondly, analyze DNS payload and network traffic on a per-client basis. The security needs to be implemented at the resolver level. Finally, make sure to perform a security assessment to prevent future occurrences. This includes having separate authoritative servers from recursive servers, and also implementing a feed to block known malicious domains.

DNS is a core foundation of the Internet yet increasingly used in attacks to extract valuable data under the radar. Having a robust and layered defense is essential to avoid being the next target. IT departments must also rethink how the infrastructure is secured. Equifax admitted that a flaw wasn't patched for weeks. On average, a company spends more than $2 million per year fixing damage caused by intrusions, including exfiltration, according to our report. With looming regulation (such as the EU's GDPR) that will enforce penalties, the damage will be much higher for those that are breached. Proactive DNS monitoring is a step in the right direction to thwart hackers. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Hervé Dhélin is the VP of Strategy at EfficientIP, based out of France. He manages global marketing and strategy with a focus on North America and APAC, the two most important growing regions for EfficientIP. Hervé has more than 30 years of experience ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.