The Domain Name System (DNS) was first specified in 1983 (RFC 882 and RFC 883) as a way of mapping human-readable names to underlying IP addresses. DNS enabled the rise of internet commerce and the business networks we know today.
To this day it remains very easy for anyone to inexpensively buy a domain name, obtain an IP address and set up a host server. This also makes it just as easy for the criminally-minded to use domains and IP addresses with malicious intent.
For instance, manipulation of a targeted company’s name for malicious purposes is something cyber-criminals now do routinely. By registering domains that slightly alter an organization’s legitimate domain name, or by redirecting someone trying to navigate to that company’s website to a rogue server, cyber-criminals can execute an array of scams, such as phishing, click fraud, brandjacking or typosquatting.
Virtually all of this steady flow of malicious activity, aimed squarely at companies, leverages the central role DNS plays in directing internet traffic. Take, for example, botnets: the infected computing nodes, or bots, that stand ready to respond to instructions from a controller have to get their commands from somewhere. Bots periodically beacon out to command-and-control domains registered expressly to deliver the next stage of instructions.
Or take the example of a spear phishing email sent to a specific employee as part of an attempt to infiltrate a targeted company. Such a campaign may rely on a series of spoofed domains as part of the social engineering component of the attack.
In either case – botnet deployment or phishing campaign – the attacker typically sets up dozens, hundreds or even thousands of malicious domains to stay one step ahead of detection systems and blacklists. Ultimately, each one of these malicious domains ties back to a smaller subset of related IP addresses that the attacker has likewise gone to some pains to keep resilient and hidden.
With this in mind, security analysts are increasingly pursuing DNS and domain-based intelligence: correlating the registration of new domains and IP addresses by particular parties with the subsequent use of those assets in malicious activity.
It starts at a place where attackers invariably leave the most revealing clues: in Whois records containing information about the registered users or assignees of each domain name and IP address block.
Pursuing Domain Intelligence in Action
In May 2016, a UK-based online casino retained Horizon Forensics to get to the bottom of a data breach and an ensuing cash-out scheme that had, to that point, caused the casino to lose tens of millions of dollars of betting revenue.
Investigators Peter Allwright and Dean Olberholzer began with these facts: someone had obtained the head of security’s logon credentials and used them to access the casino’s customer database and steal email addresses and betting records. After that theft, a casino marketing affiliate began sending emails to the UK casino’s high rollers, enticing those bettors to switch their patronage to rival casinos.
Using the stolen email addresses, this affiliate offered the UK casino’s customers cash incentives to make the switch, and would then earn up to a 30% cut of whatever the gambler subsequently bet on the rival site. Meanwhile, the UK casino lost all of that revenue.
Olberholzer began by examining registration information for the IP and email addresses the affiliate used to make the marketing pitches. Using Whois and DNS data, he quickly correlated those IP and email identifiers with recently registered domain names.
He learned that the names, postal addresses and telephone numbers in the registration records for those IP and email addresses were all fictitious. Even so, the affiliate had no trouble setting up a sprawling matrix of hundreds of shell-company domains, all tied to the same small set of IP and email addresses.
Anticipating that someone like Olberholzer might come nosing around, the affiliate also took the added precaution of using the Moniker privacy service to anonymize the registration details of each of the hundreds of domains under his control.
To overcome that roadblock, Olberholzer correlated the affiliate’s email addresses against all domains ever registered, working in reverse chronological order. He also correlated information from other sources, such as Google AdSense, AdWords and Analytics, as well as Facebook and Skype. By taking a domain-centric approach to the investigation, he was ultimately able to place the affiliate in a detailed relationship-flow chart. Findings included:
- The affiliate’s true identity and his location in Israel
- Cash flowed from casinos to affiliates to bank accounts in Cyprus, Seychelles and Panama
- A kingpin and his second-in-command, based in Thailand
- Several other casinos based outside of the UK had also been breached and victimized by switch schemes
- An aggregate revenue loss of $500 million sustained by the targeted casinos
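The domain-centric pivoting described above, as an added example that is not code from the article or from Horizon Forensics: start from a registrant email, expand through every record that shares an email, phone, hosting IP or ad-network publisher ID, skip values that belong to a privacy service (the Moniker-style redaction in the case) so that privacy-protected domains are reached only through the infrastructure and tracking IDs they still share, and refuse to follow any value shared by so many domains that it is noise rather than a link. All records, addresses and IDs are constructed, and the field layout is an assumption about what a Whois/passive-DNS export would provide.

```python
"""Domain-centric pivoting over Whois-style registration records.

Added illustration, not code from the article or from Horizon Forensics.
Every record, address and identifier below is constructed for the example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

# Values that identify a privacy/proxy service rather than a registrant.
# Pivoting on them would join every customer of that service, so they are skipped.
PRIVACY_VALUES = {"privacy@moniker-proxy.example", "+1.0000000000"}


@dataclass(frozen=True)
class Record:
    domain: str
    email: str                 # registrant email from the Whois record
    phone: str                 # registrant phone from the Whois record
    ips: Tuple[str, ...]       # hosting IPs the domain has resolved to
    adsense: Optional[str]     # ad-network publisher ID found in the site's HTML


# Constructed sample: three domains share a fictitious registrant; two more are
# privacy-protected but reuse the same hosting IP and publisher ID; two are unrelated.
RECORDS = [
    Record("bestbonus-casino.example", "j.doe@mailbox.example", "+44.2012345678",
           ("203.0.113.10",), "pub-1111"),
    Record("switch-to-win.example", "j.doe@mailbox.example", "+44.2012345678",
           ("203.0.113.10", "203.0.113.11"), None),
    Record("vip-rollers.example", "vipoffers@mailbox.example", "+44.2012345678",
           ("203.0.113.11",), "pub-1111"),
    Record("cashout-club.example", "privacy@moniker-proxy.example", "+1.0000000000",
           ("203.0.113.11",), "pub-1111"),
    Record("royal-rebate.example", "privacy@moniker-proxy.example", "+1.0000000000",
           ("203.0.113.12",), "pub-1111"),
    Record("unrelated-blog.example", "someone@else.example", "+44.2099999999",
           ("198.51.100.5",), None),
    Record("another-site.example", "privacy@moniker-proxy.example", "+1.0000000000",
           ("198.51.100.5",), None),
]


def attributes(r: Record):
    """Pivotable (type, value) pairs of one record, minus privacy-service values."""
    attrs = [("email", r.email), ("phone", r.phone)]
    attrs += [("ip", ip) for ip in r.ips]
    if r.adsense:
        attrs.append(("adsense", r.adsense))
    return [a for a in attrs if a[1] not in PRIVACY_VALUES]


def build_index(records):
    """Invert the records: (type, value) -> set of domains carrying that value."""
    index = defaultdict(set)
    for r in records:
        for key in attributes(r):
            index[key].add(r.domain)
    return index


def pivot(records, seed, max_fanout=50):
    """Breadth-first expansion from a seed attribute such as ("email", "x@y").

    Returns (cluster, edges): the set of domains reachable through shared
    attributes, and a list of (attribute, domain) pairs recording which value
    pulled each domain in. Attributes carried by more than max_fanout domains
    (a shared-hosting IP, a CDN range, a mass-registration phone) are treated
    as hubs and not followed, so one noisy value cannot link the whole dataset.
    """
    index = build_index(records)
    by_domain = {r.domain: r for r in records}
    cluster, seen_attrs, edges = set(), set(), []
    queue = deque([seed])
    while queue:
        attr = queue.popleft()
        if attr in seen_attrs:
            continue
        seen_attrs.add(attr)
        domains = index.get(attr, set())
        if len(domains) > max_fanout:
            continue  # hub value: too widely shared to be evidence of a link
        for domain in sorted(domains):
            if domain in cluster:
                continue
            cluster.add(domain)
            edges.append((attr, domain))
            queue.extend(attributes(by_domain[domain]))
    return cluster, edges


def shared_infrastructure(records, cluster):
    """IPs used by the cluster, most-shared first: the small set of hosts that
    the many domains tie back to."""
    counts = defaultdict(int)
    for r in records:
        if r.domain in cluster:
            for ip in r.ips:
                counts[ip] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    seed = ("email", "j.doe@mailbox.example")
    cluster, edges = pivot(RECORDS, seed)
    for attr, domain in edges:
        print(f"{attr[0]}={attr[1]:<30} -> {domain}")
    print("shared hosts:", shared_infrastructure(RECORDS, cluster))
```

Run against the constructed records, the seed email reaches five domains, including the two privacy-protected ones (through the shared hosting IP and publisher ID), while the two unrelated sites stay out; lowering `max_fanout` to 3 stops the expansion at the publisher ID, which is what you want when a tracking ID turns out to be a reseller account shared by strangers. In a real investigation the index is built from reverse-Whois and passive-DNS history rather than current records, since the affiliate in the case was traced through domains registered over time.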
Taking a DNS-centric approach to unravelling sophisticated attacks can connect the dots quickly, as more and more security professionals are discovering. This methodology blends the analyst’s experience and intuition with the outputs of whatever security systems the organization happens to have up and running, as well as other public sources of information, to develop customized, relevant threat intelligence.
At a time when outside sources of threat intelligence can be overwhelming, the “roll your own” approach can often make a lot of sense and, counterintuitively perhaps, can be a time-saver.