Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

11/17/2017
11:00 AM
Herv Dhlin
Herv Dhlin
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Tips to Protect the DNS from Data Exfiltration

If hackers break in via the Domain Name System, most business wouldn't know until it's too late. These tips can help you prepare.

The noise of IT staff scrambling to patch system vulnerabilities is a CISO's worst fear — it's the sign that someone somewhere could potentially infiltrate the network. The recent Equifax breach is a reminder that the loss of sensitive data has become too commonplace. Personal records, thought to be under lock and key, are being siphoned out of businesses, and most companies aren't aware until it is too late. Yahoo, Target, Home Depot, and Anthem are a few of the notable recent victims. In July, hackers even seized the latest episodes of Game of Thrones from HBO.

The most insidious path for criminals to mine data is via the Domain Name System (DNS). The DNS protocol is manipulated to act as a "file transfer" protocol and by default is seen as legitimate. Most businesses don't even know that data is being exfiltrated until it is too late.

A recent DNS threat report from EfficientIP revealed that 25% of organizations in the US experienced data exfiltration via DNS, and of those, 25% had customer information or intellectual property stolen. The average time to discover a breach was more than 140 days. Considering that hackers can silently drain about 18,000 credit card numbers per minute via DNS, that's a customer database many times over. In addition, businesses aren't installing the required patches on their DNS servers, either (86% applied only half of what is necessary, according to our report), which makes sense in the case of Equifax, where apparently only one employee was responsible for patches.

Sinister DNS data exfiltration will continue to occur unless businesses play a stronger offense. It's a challenge for organizations to win the cybersecurity battle without a proactive strategy that addresses DNS. Here are three actions to protect the network:

1. Learn how data is exfiltrated via DNS. Commonly, hackers embed data in DNS recursive requests. Then the DNS is leveraged using any public authoritative nameserver, legitimate or not. A small piece of malware slices the data set into small chunks, which are then encoded and submitted to a local DNS resolver. The resolver, tricked to not use its cache, forwards the requests to a compromised authoritative nameserver serving a domain controlled by the attacker, which will receive all emitted queries. These queries, once collected from the logs of the authoritative nameserver, can then be parsed to rebuild the original data set by decoding the labels in the correct order (such as username followed by password).

DNS tunneling abuses the protocol in a similar manner, only it permits two-way communication that bypasses existing network security, allowing hackers to create easy-to-use backdoors. It is less discrete as it requires specific software to be executed on both the client and server sides, but it sets up an IP tunnel through DNS, allowing attackers to leverage known protocols such as SSH or HTTP so they can exfiltrate any data set from a network.

2. Examine, analyze, rinse, repeat. Teams need to monitor DNS traffic and be alerted when irregular requests and responses are moving in and out of the network. Filtration systems can check links against a real-time blacklist and automatically check if a query is trustworthy or represents a risk.

Detection can be accomplished by analyzing payloads and traffic. Attacks can be blocked while avoiding legitimate traffic stops. Payload analysis detects malicious activity based on a single request and its associated responses are analyzed for tunnel indicators. It is resource intensive (which degrades DNS performance) and can generate a lot of false positives. DNS transaction inspection looks at multiple requests and responses over time and analyzes the amount, load, and frequency of those requests per client, permitting threat behavior analysis, utilizing fewer resources, and making businesses less prone to false positives. Traffic analysis provides historical data (number of host names per domain, location of requests, etc.) that can confirm whether exfiltration happened or not, and can block access to malicious domains, but it is not real time so it could be too late.

3. Create an event reaction checklist. If malicious activity is found on the DNS, companies must have a plan to stop and mitigate it. Three crucial components include: First, perform general monitoring and traffic analysis. Internal host or devices shouldn't use an external resolver and bypass network security. Secondly, analyze DNS payload and network traffic on a per-client basis. The security needs to be implemented at the resolver level. Finally, make sure to perform a security assessment to prevent future occurrences. This includes having separate authoritative servers from recursive servers, and also implementing a feed to block known malicious domains.

DNS is a core foundation of the Internet yet increasingly used in attacks to extract valuable data under the radar. Having a robust and layered defense is essential to avoid being the next target. IT departments must also rethink how the infrastructure is secured. Equifax admitted that a flaw wasn't patched for weeks. On average, a company spends more than $2 million per year fixing damage caused by intrusions, including exfiltration, according to our report. With looming regulation (such as the EU's GDPR) that will enforce penalties, the damage will be much higher for those that are breached. Proactive DNS monitoring is a step in the right direction to thwart hackers. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Hervé Dhélin is the VP of Strategy at EfficientIP, based out of France. He manages global marketing and strategy with a focus on North America and APAC, the two most important growing regions for EfficientIP. Hervé has more than 30 years of experience ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
Capital One Breach: What Security Teams Can Do Now
Dr. Richard Gold, Head of Security Engineering at Digital Shadows,  8/23/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15540
PUBLISHED: 2019-08-25
filters/filter-cso/filter-stream.c in the CSO filter in libMirage 3.2.2 in CDemu does not validate the part size, triggering a heap-based buffer overflow that can lead to root access by a local Linux user.
CVE-2019-15538
PUBLISHED: 2019-08-25
An issue was discovered in xfs_setattr_nonsize in fs/xfs/xfs_iops.c in the Linux kernel through 5.2.9. XFS partially wedges when a chgrp fails on account of being out of disk quota. xfs_setattr_nonsize is failing to unlock the ILOCK after the xfs_qm_vop_chown_reserve call fails. This is primarily a ...
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.