Maksim Kabakou - Fotolia
Security Think Tank: Firms neglect DNS security at their peril
As attackers begin to use multiple command and control systems to communicate with backdoors and other malware, how can organisations ensure that they detect such methods and that all C&C systems are removed, including “sleepers” designed to be activated at a future date?
The game changed when cyber criminals began seeking remuneration for their black work. In the earliest days of viruses and malware, criminals seemed satisfied with the thrill of simply wreaking havoc. But now they seek returns, so the malware they launch needs to be able to report back from the infiltrated castle, exfiltrating valuable intelligence.
Enter command and control (C&C) communications, the mechanism by which malware can maintain contact with the criminal harbour from which it was launched. As with any good spy, getting out is more important than getting in, and these communication lines are paramount to the success of an attack.
Consequently, criminals have used all manner of devious and innovative means to maintain their C&C communication. A recent experiment pointed to the outlandish extremes that criminals could go to in order to enable the data to leave an infiltrated company. The flash of the hard disc drive was hacked and the LED light used to send out data in a form of rapid Morse code, which was filmed by a drone hovering outside the window. Simple, but devilishly effective.
That said, criminals mostly go for far subtler, low-level means. They also often exfiltrate data at a slow and steady rate in order to remain undetected by a company’s defence systems. These methods vary, but one gaining momentum at the moment is using the domain name system (DNS) to dig the escape tunnel and remove the goods.
It is easy to see why: the DNS must remain open and accessible in order for a network to operate, making it difficult to restrict. And it is a mass of activity, with perhaps a million web requests every single day. Identifying the bad outbound traffic amid the good is a challenging task, not least because malware writers are constantly sharpening their approach and developing ingenious means of covering their tracks.
For example, many malware writers are turning to cloud service providers to host their malware, assuming that IT and security teams will struggle to differentiate between the real and the malicious. There is also evidence that domain generation algorithms are being used to try to confound the security team, communicating via an ever-multiplying number of random domain names to avoid a signature-led approach that can be spotted more easily.
Read more Computer Weekly Security Think Tank articles about malware comms
Thankfully, the good guys have just as many sophisticated methods and tools at their (our) disposal. Machine learning and AI (artificial intelligence) have proven effective in tracking and identifying malicious activity within the DNS as innovative technology is able to spot anomalies within vast and varying datasets, which DNS certainly is. Rather than simply needing to identify the C&C call destination as malicious, AI can analyse behaviour in context, thereby having a better chance of determining the likelihood that it is malicious communication.
It will always remain a battle, but the key takeaway is this: DNS matters. It matters to the criminal and therefore must matter to the corporate cyber security team tasked with stopping sensitive, company-critical data leaving via the open backdoor. That said, too many companies do not pay DNS the attention it deserves, or invest in the expertise and tools necessary to comb the haystack for the needle that could prove damaging. Neglect DNS at your peril – the criminals will not.
