My colleague in Spain recently wrote an informative article about DNS Protection and why it is a must-have security solution for any company. Building on that topic, I would like to look specifically at the Education market and at what the consequences can be if DNS visibility is not taken seriously. I will also share some insight into the results that we typically see when we run proofs of concept with customers. To wrap up this blog I will share some production results from one customer.
So how severe is the educational espionage problem? It is never good to end up in the news for the wrong reasons, and unfortunately two Australian universities have been targeted recently. Of course the targets are not only in Australia, and universities elsewhere have had their fair share of problems too.
Here in Australia the federal government has announced the creation of the University Foreign Interference Taskforce, with the objective of assessing the level of foreign interference at Australian universities.
But I want to focus on DNS specifically, and you may wonder: isn't every organisation already monitoring DNS anyway? If I had to put a number on it, I would say probably 99% of the organisations that I talk to don't actively monitor DNS. Since almost all legitimate communication and almost all malicious activity, including malware and phishing, start with a DNS lookup, it makes a lot of sense to deploy a thin security layer specific to DNS. This DNS security layer should stretch across all users and their innumerable devices, and across the data centre as well.
Let's start to look at some of the results...
If you have never heard of Domain Generation Algorithms (DGA), the way that I explain them to my customers is to imagine a cat walking over your keyboard to generate a domain name. The outcome of the cat's effort may look something like this:
Figure 1. A domain generated by a DGA
I promise you malware writers don't use cats to write their code, but they do use DGAs as a way to circumvent your security: the malware generates a long list of candidate domains on a schedule, the attacker registers only a handful of them, and a static blocklist of known bad domains never keeps up. What is interesting, based on the results that we see, is that DGA detection events are not a once-in-a-while occurrence; every single day there are calls made to these DGA domains, as you can see in Figure 2 below. What is hidden behind these DGA domains may be Command and Control servers, or the DGA domains can be used to exfiltrate sensitive information inside DNS requests.
Figure 2. Daily DGA activity
So I mentioned that we shouldn't forget about the data centre. Besides the fact that sensitive information can be exfiltrated over DNS - yes, I have seen this at a university - compute resources can be misused for nefarious purposes, for example to mine cryptocurrency. It certainly doesn't take a quantum computer to calculate that there is a serious problem on this network, as Figure 3 below indicates. Of course malicious software is at work here to do the mining, and the real risk is that other systems can be compromised while this type of malware is active on the network.
Figure 3. Crypto mining domain activity
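To make the DGA discussion and the data centre exfiltration point above concrete, here is an added example (my own illustration, not Akamai or ETP code) of the kind of thin DNS layer described earlier: a script that reviews DNS query logs and flags two things, registered domains whose name looks machine-generated (high character entropy, few vowels) and registered domains that receive many distinct, long subdomain queries, which is the shape DNS tunnelling and exfiltration take. The log format, the domain names, the two-level suffix table and the thresholds are all constructed assumptions for this example; real detection uses far richer models than this heuristic, which is why the sample includes a legitimate long name that scores high on entropy and must not be flagged.

```python
"""Heuristic review of DNS query logs for DGA-style names and DNS tunnelling.

Added illustration, not Akamai/ETP code. The log format, the domain names,
the suffix table and every threshold below are constructed for this example.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client-ip> <qname> <qtype>".
# 10.1.4.22 is a normal user, 10.1.4.23 calls DGA-looking names, 10.1.7.9 is a
# data-centre host sending hex-encoded data in the leftmost label (tunnelling).
SAMPLE_LOG = """\
1700000000 10.1.4.22 www.uni.example A
1700000001 10.1.4.22 library.uni.example A
1700000002 10.1.4.22 mail.uni.example A
1700000003 10.1.4.22 stackoverflow.com A
1700000004 10.1.4.23 xk3j9qwz7bvtp2hf.com A
1700000005 10.1.4.23 q8z1mnb7v4tyk0lp.net A
1700000006 10.1.4.23 9f2kd0apz3xm1wqh.org A
1700000007 10.1.7.9 4a6f686e20646f652c2073.t.evil-tunnel.example TXT
1700000008 10.1.7.9 747564656e74206e756d62.t.evil-tunnel.example TXT
1700000009 10.1.7.9 65723a2031323334353637.t.evil-tunnel.example TXT
1700000010 10.1.7.9 3b20447265772053616d65.t.evil-tunnel.example TXT
1700000011 10.1.7.9 2c2073747564656e74206e.t.evil-tunnel.example TXT
1700000012 10.1.7.9 756d6265723a2038373635.t.evil-tunnel.example TXT
"""

# Tiny stand-in for the public suffix list; a real tool would load the full list.
TWO_LEVEL_SUFFIXES = {"edu.au", "com.au", "co.uk", "ac.uk"}


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters give exactly 4.0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Registrable domain (the part an attacker had to register) for a query name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def looks_like_dga(qname, min_len=10, min_entropy=3.5, max_vowel_ratio=0.2):
    """Heuristic: long, high-entropy registered label with almost no vowels.

    Entropy alone is not enough: 'stackoverflow' scores about 3.55 bits but
    is pronounceable, so the vowel-ratio check keeps it off the list.
    """
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, qtype = parts
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(), "qtype": qtype})
    return records


def find_dga_queries(records):
    return [r for r in records if looks_like_dga(r["qname"])]


def dga_hits_per_client(records):
    hits = defaultdict(int)
    for r in find_dga_queries(records):
        hits[r["client"]] += 1
    return dict(hits)


def find_tunnelling(records, min_unique=5, min_label_len=16):
    """Registered domains receiving many distinct queries with long leftmost labels."""
    by_domain = defaultdict(set)
    for r in records:
        by_domain[registered_domain(r["qname"])].add(r["qname"])
    suspects = {}
    for domain, names in by_domain.items():
        first_labels = [n.split(".")[0] for n in names]
        mean_len = sum(map(len, first_labels)) / len(first_labels)
        if len(names) >= min_unique and mean_len >= min_label_len:
            suspects[domain] = {"unique_names": len(names), "mean_first_label_len": mean_len}
    return suspects


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("DGA-looking queries per client:", dga_hits_per_client(recs))
    print("Possible tunnelling domains:", find_tunnelling(recs))
```

Run against the embedded sample, the three sixteen-character names from 10.1.4.23 are flagged as DGA-like while the university host names and stackoverflow.com are not, and evil-tunnel.example is reported as a tunnelling suspect because six distinct 22-character labels were queried under it. The thresholds are deliberately simple; in production they would be tuned per environment, and a domain that trips either check should be correlated with what else the client did before it is blocked.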
I have only scratched the surface here with the results; other malicious domain activity that can be expected includes:
- Browser hijacking
- Typosquatting domains
- Targeted Phishing domains
- Trojan activity such as Zeus/Zbot
- Worm activity such as Palevo
Needless to say, it takes some very smart algorithms to detect these malicious domains accurately. In the same breath I can say that we all know there is no such thing as perfect security, short of unplugging the cable. Fortunately, the accuracy of the DNS security delivered by Akamai's Enterprise Threat Protector is top notch. Customers are extremely cautious when they run proofs of concept with new security products, as they want to minimise the chance that the helpdesk telephones start ringing red hot with user complaints. To quantify this a bit more, let me share a customer story. In some recent customer testing the ETP service detected close to 100,000 malicious DNS-related events over a 30 day period. I went to review the results with the customer and almost fell off my chair when I was told that they had already moved the policy from monitoring to blocking mode, across a user base of a few thousand endpoints, with no user complaints, which shows that ETP produces very few false positives.
Another customer who is currently running ETP in production managed to block, in the first 24 hours:
- over 800,000 attempted connections to malicious domains and phishing sites
- over 300,000 attempted connections to domains used to bypass filtering
If you are not convinced yet that you need a DNS visibility solution, maybe some DGA art will change your mind.