RISKS AND THREATS
DNS is one of the core protocols present in any organization and across the Internet, and it was designed with a great deal of flexibility but little security in mind. It is also one of the least controlled protocols on the corporate network: firewalls and other active network defense tools merely relay DNS packets and do not analyze the data carried inside them. Deep packet inspection (DPI) of DNS is rather uncommon, relatively costly, and can add latency to DNS responses, slowing down communications. The core risk comes from the protocol's extra capabilities: record types such as TXT can carry arbitrary data, and the query/response exchange itself can be abused as a data transmission channel. This makes DNS a near-perfect attack vector that bypasses all traditional network defenses.
DNS SECURITY CHECK IS A SIEM USE CASE
DNS Security Check is a straightforward SIEM Use Case that easily finds DNS misconfigurations and anomalies in corporate networks. Methods of transferring non-DNS data over the protocol are called DNS tunneling; they allow an attacker to obfuscate and transmit botnet C2 traffic or to exfiltrate data slowly. DNS Security Check is a first and easy step towards DNS security in any organization. It detects, visualizes and raises automatic alerts on DNS packets addressed to non-corporate DNS servers, on unusually large DNS packet sizes, and even on potential Fast-Flux DNS botnet traffic. It serves as a baseline for finding major problems, as an early warning, and as a pointer towards proper Mitigation, Detection and Prevention techniques and technologies. From the Cyber Kill Chain perspective, DNS Security Check finds incidents at the C2 and Actions on Objectives phases.
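The three detections listed above (queries to non-corporate resolvers, oversized DNS packets, and fast-flux style answers) can be reduced to a small SIEM-style pass over DNS logs. The following is an added example written for this page, not code from the DNS Security Check package; the resolver addresses, the 512-byte threshold, the fast-flux thresholds and the log lines are all assumed or constructed.

```python
# Added example, not part of the DNS Security Check package: a minimal
# SIEM-style pass over DNS log lines that flags the three anomalies the
# use case lists. Resolver addresses, thresholds and log lines are assumed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed: the organisation's only sanctioned resolvers.
CORPORATE_RESOLVERS = {"10.0.0.53", "10.0.0.54"}

# Classic DNS-over-UDP limit; EDNS0 answers can legitimately exceed it,
# so treat the threshold as a tuning knob, not a hard rule.
MAX_NORMAL_SIZE = 512

# Constructed sample log: ts src dst qname size_bytes answer_ip ttl
# ("-" means the packet carried no answer record).
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.1.2.3 10.0.0.53 intranet.corp.example 64 10.0.5.7 3600
2024-01-01T10:00:02 10.1.2.9 8.8.8.8 update.example.net 72 198.51.100.40 300
2024-01-01T10:00:03 10.1.2.3 10.0.0.53 zz9f3k2q1w0e8r7t6y5u4i3o2p1a.tunnel.example 601 - 0
2024-01-01T10:00:04 10.1.2.3 10.0.0.53 zz9f3k2q1w0e8r7t6y5u4i3o2p1b.tunnel.example 597 - 0
2024-01-01T10:00:05 10.1.2.5 10.0.0.54 login.flux.example 80 198.51.100.11 60
2024-01-01T10:00:06 10.1.2.6 10.0.0.54 login.flux.example 80 198.51.100.12 60
2024-01-01T10:00:07 10.1.2.7 10.0.0.54 login.flux.example 80 203.0.113.5 60
2024-01-01T10:00:08 10.1.2.8 10.0.0.54 login.flux.example 80 203.0.113.6 60
2024-01-01T10:00:09 10.1.2.5 10.0.0.54 login.flux.example 80 192.0.2.77 60
2024-01-01T10:00:10 10.1.2.9 1.1.1.1 www.example.org 70 198.51.100.41 3600
"""


@dataclass
class DnsEvent:
    ts: str
    src: str
    dst: str
    qname: str
    size: int
    answer: Optional[str]
    ttl: int


def parse_log(text: str) -> List[DnsEvent]:
    """Parse the whitespace-separated sample format; skips blank and comment lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, qname, size, answer, ttl = line.split()
        events.append(DnsEvent(ts, src, dst, qname, int(size),
                               None if answer == "-" else answer, int(ttl)))
    return events


def rogue_resolver_pairs(events, resolvers=CORPORATE_RESOLVERS):
    """(src, dst) pairs where a host queried a resolver outside the allowed set."""
    return sorted({(e.src, e.dst) for e in events if e.dst not in resolvers})


def oversized_queries(events, limit=MAX_NORMAL_SIZE):
    """Query names carried in packets larger than the size limit."""
    return [e.qname for e in events if e.size > limit]


def fast_flux_candidates(events, min_ips=5, max_ttl=300):
    """Names that resolved to many distinct IPs, all with short TTLs."""
    ips_by_name: Dict[str, set] = defaultdict(set)
    for e in events:
        if e.answer is not None and e.ttl <= max_ttl:
            ips_by_name[e.qname].add(e.answer)
    return {n: sorted(ips) for n, ips in ips_by_name.items() if len(ips) >= min_ips}


def run_checks(text: str) -> dict:
    """Run all three detections over one log text and return the hits."""
    events = parse_log(text)
    return {
        "rogue_resolver": rogue_resolver_pairs(events),
        "oversized": oversized_queries(events),
        "fast_flux": fast_flux_candidates(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

In a real deployment the thresholds would be tuned against the network's own baseline: a large resolver answer with EDNS0 or DNSSEC records is not by itself suspicious, and a legitimate CDN can also return several IPs with short TTLs, so the fast-flux list is a triage queue rather than a verdict.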
Many threats related to DNS protocol abuse can be mitigated by secure network design.
CISO TACTICAL BRIEF
For general local area networks and the Internet, DNS is indispensable. There are several things you can do to improve your security:
- Correct network segmentation needs to be implemented to prevent DNS-based attacks. No direct DNS requests should be allowed from desktops or mobile systems; they should only be allowed to talk to the Web Security Gateway / Proxy server.
- A SIEM technology combined with the DNS Security Check Use Case can provide detection and automatic alerting at the Command and Control (C2) and Actions on Objectives phases, as well as detection of IT misconfigurations.
- Application Whitelisting can block malware that leverages DNS tunneling at Installation phase.
- As additional measures on top of the SIEM, more sophisticated technologies based on DPI, Advanced DNS Malware Analytics, Machine Learning and Threat Intelligence can be leveraged to uncover details of the transferred data, attribute malicious traffic to specific malware families, and reconstruct documents and DNS sessions.
DNS SECURITY CHECK REPORT FROM THE FIELD
"The package started to work immediately. We downloaded and installed it with a minimum of effort for configuration. Within an hour the package showed a typical distribution of DNS traffic in our network and revealed suspicious activity on a number of hosts. We downloaded the data for further in-depth analysis of the suspicious hosts. Along the way, we found misconfigurations of the network equipment; information about them has been handed over to the IT department. DNS Security Check also allowed us to monitor the remediation of these issues", head of IT security department at a large telecom.