Last time I talked about how a proactive approach to defending against targeted threats using cloud-based recursive DNS and threat intelligence just makes sense. Acting this early in the kill chain, at the DNS lookup, can mitigate known and unknown threats before any IP connection, file download or execution even happens.
So, what are some of the common targeted threats and DNS-based techniques that we run across? We generally see malware, ransomware, and phishing, most of which rely on some form of command-and-control (C2) callback. We also observe plenty of blacklist evasion and some cases of DNS-based data exfiltration, all helped along by a general lack of visibility into enterprise DNS traffic.
Often, an enterprise's own recursive DNS infrastructure makes it difficult to understand its DNS traffic patterns. Calling it a needle in a haystack is almost an understatement. Exporting logs from multiple resolvers is a headache, and the sheer volume of DNS traffic often rules out ingesting it into a security information and event management (SIEM) system at all: there is far too much benign traffic and far too little malicious traffic to justify feeding DNS logs into a SIEM that may charge per byte of data.
Even if you overcome these aggregation problems, all you're left with are thousands (or millions) of hostnames, viewed and interpreted in a vacuum. A single organization's traffic rarely contains enough examples of a given domain, IP or pattern to judge it, which is why a cloud service becomes imperative for most companies. The more traffic and intelligence you view in aggregate, the easier it becomes to identify patterns.
But visibility into as much data as possible is only part of the story. As with all data analysis, the results will only ever be as good as the algorithms you use to find patterns. Attackers assume that defenders are doing simple pattern matching, such as blocking a static list of known-bad domains, and that is exactly what blacklist evasion targets. The vast majority of malware depends on some form of C2 communication and infrastructure to function, so if I know what you (or, more importantly, your security solution) are looking for, it becomes pretty simple to come up with a way to remain undetected. Domains used for targeted threats' C2 communication are no exception, and that's where domain generation algorithms (DGAs) come in.
DGAs are a DNS technique used by malicious actors to hide C2 servers behind newly generated, short-lived domains. The malware and its operator share an algorithm and a seed (often the current date), so both can compute the same large list of candidate domain names at any given time. The operator registers only a few of them, and the infected host queries candidates until one resolves and the C2 connection completes. Because the list changes constantly, a static blocklist of domains is always behind, which is how DGAs defeat domain-based firewall controls. The interesting thing is that the generated names are generally easy-ish for humans to spot but harder for machines.
If we look at a concrete example, we can see below that this particular company saw quite a few C2, malware, and phishing domains in its DNS traffic in a short period of time.
If we go a little deeper, we can see that these requests happen at around the same time every day.
What's even more interesting is that countless generated domains resolve to only a handful of IPs, and, for the most part, each domain is queried only once.
So, what can minimize DGA effectiveness? For starters, visibility into DNS traffic is a requirement. Second, a solid set of algorithms, ranging from lexical analysis of the names themselves to behavioral analysis of how they are queried and where they resolve, to actually process that traffic. Lastly, as I mention above, the more data the better. Seeing the forest for the trees and all that.
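As an added example (not code from the original post or from Akamai's service), the script below puts the two ideas above together on a handful of constructed DNS log lines: a lexical score for the registered-domain label (entropy, vowel ratio, consonant runs) and a behavioral check for the pattern described earlier, many distinct single-use domains funnelling into one resolved IP or coming from one client. The log layout, the thresholds, the two-label approximation of a "registered domain" (no public suffix list) and all names and IPs are assumptions made for illustration; the IPs are from the RFC 5737 documentation ranges.

```python
"""Toy DGA triage over recursive-DNS log lines: lexical scoring of the
domain label plus fan-in of distinct single-use domains per resolved IP
and per client. Constructed sample data; thresholds are illustrative."""
import math
import re
from collections import defaultdict

# Constructed log lines in a hypothetical "timestamp client qname answer" layout.
# 192.0.2.10 plays a shared hosting/CDN IP (many legitimate names, few hits each),
# kthxbye.example is a legitimate but odd-looking name queried repeatedly, and
# 10.1.2.9 is the infected client cycling through generated domains.
SAMPLE_LOG = """\
2016-03-01T09:00:01 10.1.2.3 www.example.com 192.0.2.10
2016-03-01T09:00:02 10.1.2.3 static.example.com 192.0.2.10
2016-03-01T09:00:03 10.1.2.7 img.example.org 192.0.2.10
2016-03-01T09:00:04 10.1.2.7 shop.example.net 192.0.2.10
2016-03-01T09:00:05 10.1.2.7 cdn.example.edu 192.0.2.10
2016-03-01T09:00:06 10.1.2.5 kthxbye.example 192.0.2.44
2016-03-01T09:00:07 10.1.2.5 kthxbye.example 192.0.2.44
2016-03-01T09:02:11 10.1.2.9 qxkvbzrtmwp.info 203.0.113.5
2016-03-01T09:02:12 10.1.2.9 ztrkplmqvwx.biz 203.0.113.5
2016-03-01T09:02:13 10.1.2.9 hjqwkrtzxvb.info 203.0.113.5
2016-03-01T09:02:14 10.1.2.9 pmkxqzwtrlv.org 198.51.100.9
2016-03-01T09:02:15 10.1.2.9 vbzkqxwtrpm.net 203.0.113.5
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def registered_domain(qname):
    """Last two labels of the name. Approximation only: a real deployment
    would use the public suffix list so that e.g. co.uk is handled."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def shannon_entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s):
    best = cur = 0
    for ch in s:
        cur = cur + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, cur)
    return best


def lexical_score(label):
    """0..3: how many features look machine-generated. Noisy on its own
    (short brand names trip it), which is why it is combined with behavior."""
    if not label:
        return 0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    score = 0
    score += shannon_entropy(label) > 3.0       # many distinct characters
    score += vowel_ratio < 0.25                 # pronounceable words have vowels
    score += longest_consonant_run(label) >= 4  # unpronounceable clusters
    return int(score)


def parse_log(text):
    """Yield (timestamp, client, registered_domain, answer_ip) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, answer = m.groups()
            records.append((ts, client, registered_domain(qname), answer))
    return records


def triage(records, min_fanin=4, min_ratio=0.75, dga_threshold=2):
    """Flag resolved IPs and clients that see >= min_fanin distinct domains
    of which at least min_ratio look generated AND were queried only once.
    Both conditions together keep shared hosting IPs and oddly named
    legitimate sites out of the result."""
    by_ip, by_client, hits = defaultdict(set), defaultdict(set), defaultdict(int)
    for _, client, rdomain, answer in records:
        by_ip[answer].add(rdomain)
        by_client[client].add(rdomain)
        hits[rdomain] += 1

    def suspicious(domains):
        n = len(domains)
        if n < min_fanin:
            return False
        dga_like = sum(lexical_score(d.split(".")[0]) >= dga_threshold for d in domains)
        single_use = sum(hits[d] == 1 for d in domains)
        return dga_like / n >= min_ratio and single_use / n >= min_ratio

    return {
        "ips": sorted(ip for ip, ds in by_ip.items() if suspicious(ds)),
        "clients": sorted(c for c, ds in by_client.items() if suspicious(ds)),
    }


if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

Run on the constructed log, the C2 IP 203.0.113.5 and the client 10.1.2.9 are flagged, while the shared hosting IP (four legitimate names, all low lexical score) and the oddly named but repeatedly queried domain are not. Note what the per-IP view alone misses: the single generated domain that resolved to 198.51.100.9 falls under the fan-in threshold, and only the per-client grouping (or a larger aggregate view across many customers, as the post argues) catches the campaign as a whole. The time-of-day clustering mentioned above would be a natural fourth feature, bucketing each client's suspicious queries by hour.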
Now what makes this example even more interesting isn't the DGA, but the nature of the threat. By most accounts, it was first discovered in early 2009; in other words, it is definitely a known threat. Yet it remained undiscovered by the slew of other security tools in place. Only by looking at recursive DNS was it detected and mitigated.
DGAs are just one example of a multitude of techniques ranging from fast flux to DNS-based data exfiltration. We will go into more examples in subsequent posts.
In the meantime, if you want to find out more, reach out to your account team or visit https://www.akamai.com/dns.