Nominum, now part of Akamai, Data Science just released a new Data Science and Security report that investigates the largest threats affecting organizations and individuals, including ransomware, DDoS, mobile device malware, IoT-based attacks and more. Below is an excerpt.
October 21, 2016, was a day many security professionals will remember. Internet users around the world couldn't access their favorite sites like Twitter, Paypal, The New York Times, Box, Netflix and Spotify, to name a few. The culprit: a massive Distributed Denial of Service (DDoS) attack against a managed Domain Name System (DNS) provider not well-known outside technology circles. We were quickly reminded how critical the DNS is to the internet as well as its vulnerability. Many theorize that this attack was merely a Proof of Concept, with far bigger attacks to come.
The DNS is often misused by cybercriminals for their attacks. As the DNS supplier to service providers serving over one-third of the world's internet subscribers, Nominum has a unique vantage point from which to investigate internet security threats. Nominum Data Science analyzes over 100 billion DNS queries per day from live DNS query streams around the world to detect emerging threats before they become publicly visible.
Based on analysis of 15 trillion DNS queries between April 1 and August 31 in 2016, the report also aims to provide a timely snapshot of the security landscape between the publishing windows of the semi-annual and mid-year reports from other security vendors.
Some key findings:
- Nominum, now part of Akamai, sees over 5 million new domains queried daily, the vast majority of which are malicious yet unknown to security vendors.
- The majority of command and control infrastructure is hosted in the U.S.
- Botnet command and control activity jumped in August, driven by Necurs, the most wide-spread botnet family.
- The number of infected IoT devices surged, driven by a 131 percent increase in the Mirai botnet in less than two weeks from when its source code was released.
- The Mirai botnet is continuously executing DNS attacks, perhaps presaging another big attack.
DNS and Security
This inaugural edition of the Nominum Data Science Security Report comes from the frontlines of the war against cybercrime and breaks down the cyberthreat landscape as it relates to DNS. DNS, often thought of as the phone book of the internet, associates names (e.g., Nominum.com) with an IP address. Because of its ubiquity (virtually all internet lookups depend on it) DNS offers an ideal platform for cybercriminals to launch and manage a wide range of exploits. In fact, 91% of malware uses DNS. Thus, thorough examination of DNS data provides unique insight into the patterns and techniques of cybercriminals.
DNS security has two distinct meanings. First, DNS is mission-critical infrastructure that all organizations rely on and cannot function without. Yet DNS remains a vulnerable component in the network that is frequently exploited as a launch platform for cyberattacks and is inadequately protected by traditional security solutions. When critical DNS services are compromised, it can result in catastrophic network and system failures. Hence, DNS security is applied to protect DNS servers.
Second, DNS plays a critical role in the present-day layered security design known as "defense in depth," where no single solution addresses all exploits, which means multiple approaches to cyberdefense are needed. In today's threat environment, where organizations and individuals are being targeted, using traditional security layers in silos (cloud, network, data and endpoint protection solutions) does not provide adequate protection. Attackers are knowledgeable about how each layer works. Therefore, they know how to bypass each individual layer. Gathering independent information from multiple distinct sources and then sharing that information between the different layers is the key for blocking today's attacks.
The Security Infrastructure and Where DNS Fits
By integrating DNS information into a smart security architecture, organizations can get visibility into areas of cyberspace that have been relatively obscure until now. Correlating DNS security events with events happening elsewhere in the infrastructure (endpoint, email, network, etc.) greatly improves threat detection and prevention chances.
Click here to download and read the full paper.