As we know, if it wasn’t for DNS, you wouldn’t be reading this. DNS is a fundamental part of our organisations’ ability to function and therefore we need to secure it.
DNS is becoming a more common target of network attacks. As one of the oldest and most relied-upon protocols of the modern Internet, DNS is utilised by almost all other services and protocols, making it an appealing target to attackers. Because it is one of the most relied-on protocols, stopping attacks can’t be as simple as adding a firewall rule.
DNS attacks fall into two primary types: attacks on authoritative servers and attacks on caching recursive servers. Authoritative attacks include DDoS, amplification and reflection attacks (to name a few); caching recursive attacks include cache poisoning and DNS hijacking.
Over the coming months I will write about some of these attacks; however, in this blog I am going to concentrate on one type of attack - Data Exfiltration.
Every organisation has data they are trying to protect, whether that’s a law firm protecting client data, a manufacturer protecting IP, or a healthcare organisation protecting sensitive medical information. Many organisations are well versed in various DLP techniques/solutions, but exfiltration by DNS is often missed.
How DNS Data Exfiltration Works
The best way I have seen this explained is from our partner Infoblox:
DNS Data Exfiltration is like stealing someone’s car without opening the garage door: You have to break the car down into small chunks that fit through the doors and windows, and then rebuild the car outside. Except in the case of data exfiltration, the malware breaks down files, sometimes even encrypting each chunk, before sneaking them off your premises to reassemble.
An example of this in action:
The attacker registers the domain name JVIRVR89VJPK.COM and sets up the name server NS1.JVIRVR89VJPK.COM.
The infected client encodes stolen information, in this case the text “Pa$$w0rd”, into “UGEKJHCWCMQK”.
The client makes a DNS query for the domain with the encoded password as a subdomain: UGEKJHCWCMQK.JVIRVR89VJPK.COM
A recursive name server finds the authoritative name server NS1.JVIRVR89VJPK.COM and sends the query there.
The attacker recognises the subdomain value as the encoded password and decodes UGEKJHCWCMQK back to recover “Pa$$w0rd”.
How to Detect DNS Exfiltration
The challenge here is how quickly attackers can change domains; they used JVIRVR89VJPK.COM in the above example, but it could just as easily have been IJVER0JVPFVMJNLFK.COM, and with attackers using a DGA (Domain Generation Algorithm) to generate domains automatically, it is impossible for humans to detect and block them quickly enough. The data would be stolen long before.
Therefore, we need to utilise the power of the cloud. The compute available in the cloud, combined with machine learning, lets us detect and block this malicious activity efficiently, before the attacker has managed to steal the data.
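As an added example (not from the original post, Infoblox, or any product), here is a small Python heuristic a defender can run over DNS query logs to spot the pattern from the walk-through above: many unique, high-entropy subdomain labels under one registered domain. The log records are constructed, and the thresholds are assumptions to be tuned against your own baseline traffic.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query log records: (client_ip, queried_name).
# The domain JVIRVR89VJPK.COM and the label UGEKJHCWCMQK are taken from the
# walk-through above; the other names and addresses are made up.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "UGEKJHCWCMQK.JVIRVR89VJPK.COM"),
    ("10.0.0.7", "QWZX93KLMNBV.JVIRVR89VJPK.COM"),
    ("10.0.0.7", "PLOKIJ7UHYGT.JVIRVR89VJPK.COM"),
    ("10.0.0.7", "ZXCVB45NMASD.JVIRVR89VJPK.COM"),
    ("10.0.0.9", "cdn.example.com"),
]

def shannon_entropy(label: str) -> float:
    """Bits per character of a label; encoded chunks score far higher than words."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name: str) -> str:
    """Last two labels, e.g. 'jvirvr89vjpk.com'. Good enough for this example;
    a real deployment should consult the Public Suffix List instead."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def score_queries(queries, min_unique=3, entropy_threshold=3.0):
    """Group queries by registered domain and flag domains whose leading labels
    look like encoded data: many unique labels with high mean entropy (assumed thresholds)."""
    labels_by_domain = defaultdict(set)
    for _client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) > 2:  # only names that actually carry a subdomain
            labels_by_domain[registered_domain(name)].add(labels[0])
    suspicious = {}
    for domain, labels in labels_by_domain.items():
        mean_entropy = sum(shannon_entropy(lab) for lab in labels) / len(labels)
        if len(labels) >= min_unique and mean_entropy >= entropy_threshold:
            suspicious[domain] = {"unique_labels": len(labels),
                                  "mean_entropy": round(mean_entropy, 2)}
    return suspicious

if __name__ == "__main__":
    print(score_queries(SAMPLE_QUERIES))
```

On the constructed sample only JVIRVR89VJPK.COM is flagged; the example.com labels are ordinary words with low entropy and stay below the threshold.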
Want to test your environment?
We have a tool that allows us to test whether data could be removed from your network using DNS; we recommend using fake data, such as a few lines of made-up credit card numbers, rather than any real data. This is a great way of knowing whether you could be impacted and of building a business case for investment in this area of your security posture.
Get in contact if you would like to know more or test this on your network.