In the last few posts, I talked about why recursive DNS (rDNS) combined with threat intelligence makes for such a simple-to-deploy security solution that effectively mitigates and prevents advanced, targeted threats. Not to belabor the point, but the recent punycode phishing news makes the effectiveness of rDNS plus threat intel even more evident. Identifying punycode domains lexically through a combination of rDNS and threat intel is quite straightforward, either by detecting phishing attempts to popular domains or by just identifying abnormal usage of different language variants.
Either way, we already looked at domain generation algorithms and how they are used by modern malware and ransomware. In this post we will cover, at a very high level, another technique used by targeted threats: DNS-based data exfiltration.
According to the threat intel brigade at Akamai, this data exfiltration and communication vector has been around for ~20 years at this point, but as expected, it has evolved significantly over that period of time.
Why Do Targeted Threats Use DNS-based Data Exfiltration?
As we all know, enterprises are generally loaded with firewalls, intrusion detection systems, antivirus software, data loss prevention programs, etc. that inspect TCP (Transmission Control Protocol) and other network protocol traffic. DNS is often overlooked since it isn't generally associated with data delivery.
Unfortunately that is far from the truth. Threat actors use this assumption, and the resulting complacency, to bypass security mechanisms by transporting sensitive data from inside to outside the enterprise - all over DNS. At times, even enterprise systems that are supposed to be insulated from the outside (using DMZs/perimeters) are still able to issue DNS requests. In such cases, information can be exfiltrated using DNS, often without inspection or detection.
How Does DNS-based Data Exfiltration Work?
For the simple version, all an attacker needs is a working authoritative name server (NS), serving a primary domain held by the attacker. The payload is encoded and/or encrypted in the subdomain level(s) of the domain name.
For example, a malicious actor can register the domain malware.us and the data can be delivered as a DNS request to <base64_encoded_information>.malware.us. The request will propagate across the DNS network until it safely reaches its destination (the malicious actor's NS), where it can be safely logged and decrypted. This makes it easy to provide malware status updates to command and control (CnC) infrastructure and/or exfiltrate toxic data.
DNS-based data exfiltration explicitly targets customers' reliance on negative security models and their trust in and dependence on DNS. This is ultimately one of the primary drivers for malware authors to use this "trusted" protocol for malicious activities.
The more complex version of DNS-based data exfiltration includes the capability to tunnel other protocols over DNS. In other words, DNS exfiltration can also be used to bypass existing security controls by tunneling filtered protocols over DNS. A good example of this are the off-the-shelf DNS tunneling tools that encapsulate HTTP traffic, send it over DNS port 53, and promise "free Wi-Fi" in airports.
So, Now What?
Well, the good news is that, as an industry, we are starting to wake up to the potential of the DNS-based data exfiltration threat vector. Various high-profile point of sale (POS) malware saw to that, catalyzing research and widespread discussion. It also means that we are building ways to protect against DNS-based data exfiltration. At the highest level, this is generally done through algorithms that combine DNS payload and traffic analysis to identify exfiltration attempts. More about mitigation details on another day. Either way, this type of protection does assume that you have visibility into your DNS traffic, control your recursive DNS infrastructure, and are able to apply policy and algorithms to all DNS requests originating from enterprise endpoints.
The bottom line is that enterprises need to wake up and mitigate this advanced, targeted threat. To find out more, reach out to your Akamai account team or visit https://www.akamai.com/dns.