Palo Alto Networks names six practical approaches
The Domain Name System, or DNS for short, is the protocol that translates human-friendly domain names into machine-friendly IP addresses. Basically, it’s the phone book of the Internet. This makes DNS a critical component of business operations: firewalls must let it through, and network operators cannot simply block DNS traffic. As a result, it has become a prime target for threat actors, who have successfully conducted a variety of DNS-based attacks against corporate networks over the years.
Attackers often use DNS to build Command and Control (C2) channels, which let them gain unauthorized access to the network, move laterally, or exfiltrate data. As security has evolved to prevent misuse of DNS traffic for C2, attackers’ tactics and techniques have evolved as well, according to Palo Alto Networks.
DNS-based attacks continue to evolve
These are just some of the sophisticated attacks used by threat actors to exploit DNS:
- DNS Tunneling: Attackers use the DNS resolver to route requests to the attacker’s C2 server, where a tunneling program is installed. Once the connection between victim and attacker is established via the DNS resolver, the tunnel can be used to exfiltrate data or for other malicious purposes.
- Domain Generation Algorithm (DGA): Attackers develop DGAs so that malware can quickly generate a list of domains through which it can exchange instructions and information with its operators. Attackers often use DGAs so they can rapidly switch the domains used in an attack, since security software and vendors try to block and take down malicious domains as quickly as possible.
- Fast Flux: Attackers set up multiple IP addresses per malicious domain name and rotate through them in quick succession to circumvent IP-based controls, making it difficult for threat hunters to pin down where the infrastructure is hosted.
- Malicious Newly Registered Domains (NRDs): A newly registered domain is any domain registered within the last month (33 days, to be precise). Attackers often create slight variations of legitimate domains to trick users into clicking on them. Malicious NRDs are usually active only for a short period of time, making them difficult to detect.
DNS attacks in the real world
DNS-based attacks are not new, but they are widespread. Unit 42 has recently seen several instances in which malware, and the threat actors behind it, misused DNS to pursue their targets.
DNS Tunneling attacks in the Real World
OilRig, a threat actor operating in the Middle East, created tools with their own DNS tunneling protocols for C2. The threat actor used this not only as the primary communication channel but also as a fallback channel if the primary channel failed.
Unit 42 also observed xHunt, a threat actor that targeted government organizations in the Middle East with a backdoor called Snugy. This backdoor used DNS tunneling to communicate with its C2 server, specifically through DNS A record lookups that resolved custom subdomains of the actor-controlled C2 domains.
Use of DGAs in the real world
A well-known recent example of attackers using DGAs is the SUNBURST backdoor, which compromised SolarWinds’ supply chain. SUNBURST used DGAs to evade detection and to encrypt basic system information such as the computer’s domain name, server name, and other identifiers. SUNBURST sent check-in requests to the attacker; these contained identifying information that helped the attacker decide whether to launch a second-stage attack.
Fast Flux in the real world
Unit 42 has found several C2 domains associated with the Smoke Loader malware family. Once installed, this malware acts as a backdoor and allows attackers to download further malicious payloads from C2 servers, ranging from ransomware to information stealers and much else. The researchers observed domains resolving to nearly 100 IP addresses in less than two weeks.
Real-world examples of malicious NRDs
Attackers took advantage of the pandemic by creating a series of malicious NRDs posing as official COVID-19-related resources. The attackers’ focus shifted with current events related to the pandemic. In the initial phase, they targeted people looking for COVID-19 news and test kits. Unit 42 then observed a shift towards supposedly government-related NRDs posing as application portals for relief programs, designed to entice users into providing private information. Now the focus is changing again, with threat actors apparently registering vaccine-related domains.
DNS Attacks made easy
DNS is a perfect choice for attackers looking for an always-open, often overlooked protocol that they can use for C2 communication and host compromise. It should be noted that DNS-related techniques are not observed only in sophisticated attacks. There are a number of free, easy-to-use tools that let even an inexperienced attacker carry out a malicious operation over DNS; in this way, even untrained attackers can disguise their C2 communication. Commodity tools like these increase the sheer volume of attacks that take place in the wild.
What DNS Security Needs Now
Today’s security teams often focus on web protocols rather than the security of the DNS layer. Since 80 percent of malware uses DNS to establish C2, it is imperative that companies monitor and analyze their DNS traffic. To achieve this, security solutions should be able to:
- Inspect DNS traffic inline: DNS packets must not only be analyzed, they must be analyzed at line speed.
- Use machine learning: Automation is needed to beat automated attacks. Algorithms are required to analyze, detect, and even predict DNS-based threats before they occur.
- Scale: Simple static signatures stop known malicious domains but do not protect against advanced DNS threats. What’s needed is a cloud-based solution that keeps coverage up to date.
- Use high-quality data: Machine learning is only as good as the data it trains on. Using large amounts of real threat data is key to detecting attacks while achieving a low false-positive rate.
- Protect against specific attack techniques: Advanced, persistent threat actors use techniques such as DGAs, DNS tunneling, and fast flux to bypass security controls. These techniques are constantly evolving, and a security solution must keep up with them.
- Access to extensive context: To quickly resolve DNS security events and proactively optimize the security posture, organizations need to have full visibility into their DNS traffic and context.
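As an added illustration of what analyzing DNS traffic for the tunneling and fast-flux patterns described above can look like, here is a small Python detector that is not from Palo Alto Networks or Unit 42. It scores a constructed resolver log: many distinct, high-entropy subdomain labels under one registered domain suggest encoded tunneling payloads, and many distinct A-record answers for one domain suggest fast flux. The thresholds, the log format, and the `.test` domains are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic): "<qname> <qtype> <answer>".
# Uses RFC 5737 documentation IP ranges and the reserved .test TLD.
SAMPLE_LOG = """
www.example.com A 93.184.216.34
mail.example.com A 93.184.216.34
7c2f9a0e1b8d6543.cc-placeholder.test A 203.0.113.10
e1b8d6543c2f9a07.cc-placeholder.test A 203.0.113.10
3f0a2c7e9b1d5864.cc-placeholder.test A 203.0.113.10
9b1d58643f0a2c7e.cc-placeholder.test A 203.0.113.10
d6543c2f9a07e1b8.cc-placeholder.test A 203.0.113.10
update.flux-placeholder.test A 198.51.100.11
update.flux-placeholder.test A 198.51.100.27
update.flux-placeholder.test A 198.51.100.53
update.flux-placeholder.test A 198.51.100.76
update.flux-placeholder.test A 198.51.100.98
"""

def shannon_entropy(s):
    """Bits per character; a 16-char label with 16 distinct characters scores 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); a real deployment would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text, min_subdomains=5, min_entropy=3.5, min_ips=5):
    """Return {registered_domain: [flags]} for domains that look like tunneling or fast flux."""
    subdomains, ips = defaultdict(set), defaultdict(set)
    for line in log_text.strip().splitlines():
        qname, qtype, answer = line.split()
        dom = registered_domain(qname)
        label = qname[: -len(dom)].rstrip(".")
        if label: subdomains[dom].add(label)
        if qtype == "A": ips[dom].add(answer)
    findings = {}
    for dom in set(subdomains) | set(ips):
        flags = []
        labels = subdomains[dom]
        # Tunneling: many distinct, high-entropy labels under one domain (encoded payload chunks).
        if len(labels) >= min_subdomains and sum(map(shannon_entropy, labels)) / len(labels) >= min_entropy:
            flags.append("possible DNS tunneling")
        # Fast flux: one domain rotating through many resolved IPs within the observed window.
        if len(ips[dom]) >= min_ips:
            flags.append("possible fast flux")
        if flags: findings[dom] = flags
    return findings
```

Running `analyze(SAMPLE_LOG)` flags only the two placeholder domains; the ordinary `example.com` lookups stay below both thresholds.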