Protecting networks from DNS exfiltration

DNS exfiltrationEveryone around the globe has heard about the colossal Equifax breach last month. Its implications haven’t yet been fully calculated except now that the CEO has resigned from his job, we know it’s serious. However, one fact is clear – the data was exfiltrated by hackers. This isn’t the first time sensitive information has been pumped out of a big company – Anthem, Target, Home Depot, Yahoo are a handful of the recognizable victims of theft in the last few years.

Data exfiltration is how hackers siphon out valuable intelligence from a business. Oftentimes the most insidious path is through the Domain Name System (DNS). The DNS protocol is manipulated to act as a ‘file transfer’ protocol, and by default is seen as legitimate. Most businesses don’t even know it is happening until it is too late.

A recent DNS threat report revealed that 25% of surveyed businesses in the U.S. have experienced data exfiltration via DNS, and of those 14 percent had sensitive customer information pilfered while 11 percent had intellectual property stolen. Most aren’t installing the required patches on their DNS servers either (86% only applied half of what is necessary). Organizations need to start working on the offensive to identify and stop exfiltration or else they can add their brand to list of names that have been afflicted.

What are the signs that a business should look out for and how can organizations protect their networks from DNS exfiltration?

Know how DNS is used to exfiltrate data

Hackers commonly embed data in DNS recursive requests. This allows for the DNS to be leveraged using any public Nameserver – legitimate or not. A small piece of code, likely embedded in malware on the client machine, slices the data set to be extracted into small chunks. These chunks are encoded with the label part of generated DNS queries, which are submitted to the local DNS Resolver. The Resolver forwards the request to the Nameserver of the domain – which is controlled by the attacker because the generated queries are not cached.

These queries can be easily identified in the logs of any DNS Nameserver and then parsed to rebuild the original data set by decoding the labels in the correct order.

Another way of exfiltrating data is via DNS tunneling. It makes use of the same protocol abuse. It allows for two-way communication that bypasses network security and creates a backdoor. It is less discrete and requires specific software to be executed on both the client and the server. It makes use of standard protocols (ftp, scp and tftp) to export the gathered data outside the network within DNS traffic. It also encodes data in alternate names for servers so hackers get a command and control center for their tools. It’s typically slower than the first solution, but it can be used to mine high value data such as social security numbers, credit card numbers or other documents that can then be sold.

Recognize suspect DNS traffic

Businesses need to be aware of irregular requests and responses that are moving in and out of the network. First, companies should analyze payloads. Malicious activity can possibly be detected by analyzing any single request and its associated response. However, reviewing transaction data and looking for specific patterns in traffic in real time can spot tunnel indicators. These allow for attacks to be blocked as soon as they are spotted without blocking legitimate traffic stops. Secondly, unauthorized traffic is a key to determining if your business is potentially having data exfiltrated.

Traffic analysis looks at multiple requests and responses over time and analyzes the amount, load and frequency of those requests – which can also indicate tunneling. Traffic analysis provides historical data (number of host names per domain, location of requests, etc.) that can confirm whether exfiltration happened or not. Businesses should also utilize DNS filtration systems that can check links against a real time blacklist and automatically check if a DNS query is trustworthy or represents a risk of data theft.

Develop an incident response checklist

In the event that malicious activity is found, it is important to act quickly and have a plan in place to stop and mitigate the breach. Three important components should be included: first, make sure you are performing both general network monitoring and traffic analysis of the DNS. Section off the DNS so internal hosts cannot resolve external domains. Secondly, analyze both DNS payload and network traffic on a per client basis and make sure you can handle the resolution of external domains. Lastly, make sure your business performs a security assessment to prevent future breaches. This includes having a separate set of recursive servers configured to resolve external records.

DNS is a core foundation of the Internet yet is increasingly used to conduct attacks, particularly to extract valuable data. We see it day in and out and businesses continue to be unaware of their exposure. Having a robust and layered defense is essential. Businesses must evolve their level of security sophistication because without it, hackers win.

Don't miss