Securing DNS is crucial to mitigating APTs. Businesses that don't are neglecting their best defense, says Chris Marrison
From banks to healthcare providers, no industry is safe from the effects of malware and advanced persistent threats (APTs). Spreading and mutating while concealed within your IT infrastructure, APTs are long-term attacks, representing a substantial threat to corporate data.
Although malware and APTs will commonly use an organization’s domain name system (DNS) as a means of communication, many companies aren’t taking the precautions necessary to detect and mitigate these attacks. They’re also overlooking their best tool for combatting such threats: the DNS itself.
The Importance of DNS
DNS has evolved over three decades to become arguably the most fundamental part of the internet. Every business needs DNS to function, whether keeping its website online, or for communication via email or VoIP. Given the significant role it plays, it’s perhaps little surprise that DNS is an attractive target for cyber-criminals. If it goes down, businesses grind to a halt.
What’s more, DNS is relatively easy to exploit. When it was developed 30 years ago, no one would have foreseen its use as an attack vector. Securing DNS is, therefore, of critical importance.
Traditional protection, however, is ineffective, meaning that many businesses are unprepared for DNS-based threats. With firewalls and IPS devices tending to leave port 53 open to allow DNS traffic in, for example, very few incoming queries will be inspected, leaving the door open for APTs and malware.
APTs and DNS
DNS can play a key role in every stage of an APT attack. An attacker will generally use one of three methods for infecting a system, two of which – phishing attacks and watering hole attacks – rely on DNS, highlighting the importance of ensuring its security.
The initial infection primarily exploits zero-day vulnerabilities. The attacker's real objective is carried out by the APT payload itself which, in most cases, the initially installed malware downloads from a remote server that it locates using DNS.
Once downloaded and installed, the APT will set about disabling antivirus or similar security software on the target computer, a task that is generally worryingly simple. Next, the APT will gather preliminary data from its victim and any connected LAN, before using DNS to contact a C&C server for instructions.
If successful, an APT may identify terabytes of valuable data. This data may simply be exported via the C&C servers, although the bandwidth and storage capacities of some intermediate servers may not be sufficient for transmitting the data in a timely fashion, which increases the likelihood of someone noticing. To avoid this, the APT will often use DNS to locate and contact a different server directly, uploading all of the data at once to a dedicated drop site.
Keeping DNS secure
Not only can DNS be easily exploited, but it is often used to enable APT attacks, illustrating the importance of making sure it stays protected – something often overlooked. Deploying a DNS firewall, for example, will enable an organization to use its DNS to block an APT attack at any stage, temporarily or permanently.
Cyber-criminals rely on a relatively small number of intermediate servers and networks, which they tend to re-use, increasing the chances that some, or all, of the server infrastructure used by attackers can be identified and then blocked. This infrastructure-specific insight gives a DNS firewall the ability to thwart APTs and similar malware in ways that traditional firewalls cannot.
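To make the DNS-firewall idea concrete, here is an added example (not code from the article or from Infoblox) of the two policy triggers such a firewall applies to resolver traffic: the queried name matching a known-bad domain, and the answer pointing into known attacker netblocks, in the style of BIND response policy zones. The domains, netblocks and sinkhole address are constructed for the example.

```python
import ipaddress

# Constructed policy data: known C&C / drop-site domains and the netblocks
# attackers are known to re-use. Real feeds would replace these.
BLOCKED_DOMAINS = {"bad-cnc.example", "drop-site.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.7/32")]
SINKHOLE = "10.255.255.1"  # constructed internal sinkhole address


def domain_matches(qname: str, blocked: set[str]) -> bool:
    """True if qname or any parent label of it is on the domain blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def rdata_matches(answers: list[str], networks: list) -> bool:
    """True if any A/AAAA answer falls inside a blocked netblock."""
    for rr in answers:
        try:
            ip = ipaddress.ip_address(rr)
        except ValueError:          # CNAME/TXT data etc. is not an address
            continue
        if any(ip in net for net in networks):
            return True
    return False


def apply_policy(qname: str, answers: list[str]) -> tuple[str, list[str]]:
    """Return (action, answers) where action is NXDOMAIN, SINKHOLE or PASS."""
    if domain_matches(qname, BLOCKED_DOMAINS):
        return ("NXDOMAIN", [])          # name trigger: refuse the lookup
    if rdata_matches(answers, BLOCKED_NETWORKS):
        return ("SINKHOLE", [SINKHOLE])  # answer trigger: redirect the client
    return ("PASS", answers)


def filter_log(records: list[tuple[str, list[str]]]) -> list[tuple[str, str]]:
    """Run the policy over (qname, answers) pairs, e.g. from a resolver log."""
    return [(q, apply_policy(q, a)[0]) for q, a in records]


if __name__ == "__main__":
    sample = [("www.example.com", ["192.0.2.1"]),          # constructed
              ("update.bad-cnc.example.", ["192.0.2.10"]),
              ("cdn.legit.example", ["203.0.113.45"])]
    for qname, action in filter_log(sample):
        print(f"{action:9} {qname}")
```

Blocking on the answer address is what lets the same policy catch a freshly registered domain that still resolves to an already-known attacker server.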
By understanding a threat, a business is already halfway to being secure against attack. Understanding the threat to DNS, however, seems to have passed many businesses by. Until it is taken seriously as an attack vector, an increasing number of APTs will use DNS for malicious purposes.
About the Author
Chris Marrison is consulting solutions architect at Infoblox. Chris has over 21 years of experience in the IT industry. Prior to joining Infoblox, Chris was responsible for building the core internet services for Virgin.Net, Which Online, and NTLWorld, before moving to a business-oriented ISP which specialised in providing value-added services to multi-tenant buildings funded by Canary Wharf Group, British Land and others.