
The Akamai Blog

How's that Security Back Door Doing? (Part 2)

In the first part of this blog post I wrote about how recursive DNS (rDNS) is an attack surface that many enterprises don't currently protect. Bad actors are exploiting that fact and developing advanced targeted threats that use DNS to bypass conventional security tools such as firewalls, secure web gateways and endpoint antivirus.

In this post, I'm going to talk about the free 30-day security check that Akamai offers through activating and deploying Enterprise Threat Protector for your enterprise. I will also discuss what we typically uncover on an enterprise network when we activate the service.

As I mentioned in the previous post, configuring and deploying Enterprise Threat Protector for your enterprise is simple, straightforward and should typically take you less than 30 minutes from start to finish.

Given that, the Akamai Threat Check is an effective way to check out the success of your current security controls. In addition, it lets you determine if a solution that proactively controls your rDNS traffic improves your overall security posture and what value the solution might deliver for your company.

Throughout the 30-day security check, we will provide you with regular reports on what Enterprise Threat Protector has detected in your traffic. This allows you to quickly compare the results against your existing security controls. 

Now, based on what I hear from many enterprises I speak to, I suspect at this point you're thinking "I've already invested a lot of money in x, y and z, so we have everything covered". Replace x, y and z with the most recent security products purchase order you had your finance team sign off on.

However, what is really quite astonishing is that, many times, when an organization activates Enterprise Threat Protector on its network, ETP uncovers malicious DNS traffic that the security team was previously unaware of - despite having multiple security solutions already deployed. So, what exactly do we uncover?

Coin Mining Malware is on the rise

In the last few months, endpoints infected with Coin Mining malware have been uncovered in the vast majority of organizations that have activated Enterprise Threat Protector. What's quite interesting is that pretty much every sector has been impacted - from education to manufacturing and from business services to state and local government.

Coin Mining malware works by infecting computers and using their processing power to mine cryptocurrency tokens. This means that the infected device slows down, often to the point where it is unusable. There are numerous coin mining malware variants in use, but the common thread is that most, if not all, use DNS as a means to communicate back to a Command & Control infrastructure outside of your network.

But Malware Delivery Domains Predominate

While coin mining malware is prevalent, it constitutes only a small percentage of the alerts ETP sees in a typical month compared with the largest threat type by volume, which is malware delivery domains. In a typical month, malware delivery security alerts account for 60 to 70% of all the domains being blocked by Enterprise Threat Protector. Some of these blocks will be from phishing emails that contain links to malware delivery domains, but many will be from users who are simply browsing the web and either land on a domain that's been compromised or end up on a domain that links to another malicious domain.

That linking to a malicious domain is something a DNS security layer is very effective at identifying and blocking, because any object on a web page that is requested from another domain still requires a DNS request for that domain.

As an example, here's a YouTube page that has a link to a domain that has been identified in ETP's threat intelligence as being malicious.  As you can see, the DNS request to the malicious domain has been blocked and the content has been replaced with a block page.

[Screenshot: YouTube page with the embedded content from the malicious domain replaced by an ETP block page]

In terms of the malware being delivered by these domains, it runs the full spectrum of threat types - from innocuous adware to really nasty, dangerous ransomware.

Click, click, click the phishing links

Here's a surprise. Despite most organizations proactively educating their users about the dangers of falling for a well-crafted phishing email, and deploying secure email gateway protection to block the emails, based on what we observe, users are still being duped. Each month, the volume of phishing domains being blocked by Enterprise Threat Protector will typically be in the 10 to 20% range of all the malicious domains being blocked.

Given that pretty much every phishing page relies on DNS when the user clicks the phishing link, using a DNS security tool that inspects that request when it is made is a really good way to augment your existing phishing defenses.

Horse, stable, bolted - have you already been compromised?

Perhaps the most surprising fact is that nearly every time a company activates Enterprise Threat Protector, it identifies and blocks command and control traffic from devices that have already been compromised by malware. This often comes as a surprise to the security team, who, despite having multiple security tools and layers in place, have been blind to this malicious traffic. In a typical month, 10 to 20% of all the alerts generated by Enterprise Threat Protector are related to command and control traffic.
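As an added illustration of the DNS-layer checks described throughout this post (not Akamai's code or ETP's actual logic), here is a small Python policy check that classifies rDNS queries against a constructed threat-intelligence list, blocks subdomains of listed domains (the embedded third-party object case), reports the per-category alert breakdown, and lists the clients whose C2 or coin-mining traffic indicates they were already compromised. The domains and the query log are invented placeholders, not real indicators.

```python
from collections import Counter
# Constructed threat-intelligence list (invented placeholder domains, not real IoCs).
THREAT_INTEL = {
    "malware-drop.example": "malware_delivery",
    "login-verify.example": "phishing",
    "miner-pool.example": "coin_mining_c2",
    "beacon.example": "command_and_control",
}

# Constructed rDNS query log, one "client qname" pair per line.
SAMPLE_LOG = """\
10.0.0.12 www.youtube.com
10.0.0.12 cdn.malware-drop.example
10.0.0.44 login-verify.example
10.0.0.12 intranet.corp.local
10.0.0.7 xmr.miner-pool.example
10.0.0.9 beacon.example
10.0.0.9 updates.malware-drop.example
"""

def lookup(qname):
    """Threat category for qname, or None. Parent domains are checked too, so a
    subdomain of a listed domain (e.g. an object embedded in a page) is caught."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in THREAT_INTEL:
            return THREAT_INTEL[candidate]
    return None

def apply_policy(log_text):
    """Decide BLOCK or ALLOW for every query in the log."""
    decisions = []
    for line in log_text.splitlines():
        client, qname = line.split()
        category = lookup(qname)
        decisions.append({"client": client, "qname": qname, "category": category,
                          "action": "BLOCK" if category else "ALLOW"})
    return decisions

def alert_breakdown(decisions):
    """Share of blocked queries per threat category, in percent."""
    blocked = Counter(d["category"] for d in decisions if d["action"] == "BLOCK")
    total = sum(blocked.values()) or 1
    return {cat: round(100 * n / total, 1) for cat, n in blocked.items()}

def compromised_clients(decisions):
    """Clients whose queries went to C2 (coin-mining C2 included): already infected."""
    c2 = {"command_and_control", "coin_mining_c2"}
    return sorted({d["client"] for d in decisions if d["category"] in c2})
```

Running `alert_breakdown(apply_policy(SAMPLE_LOG))` on the constructed log gives the kind of per-category split the post quotes, and `compromised_clients` is the "horse already bolted" list.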

Interested in trying this out for yourself? Sign up for your free network threat check today.