Defend your network from APTs that exploit DNS

Advanced Persistent Threats (APTs) are designed to spread, morph and hide within IT infrastructure to perpetrate a long term attack, posing a significant threat to the security of corporate data. From the world’s largest banks, to a healthcare provider, to a German iron plant, no sector escaped a malware and APT breaches in 2014.

Malware and APTs commonly use the Domain Name System (DNS) as a communication mechanism for these breaches. And yet many companies are not taking the necessary precautions to detect and mitigate against these types of attacks. Nor are they using the best tool at their disposal to combat these threats – DNS itself.

DNS: The perfect target
As the cornerstone of the Internet, DNS is an ideal target for cyber criminals. All businesses need DNS to function, whether it’s to keep a website online, for email communication, or for VoIP. As a pivotal piece of network architecture, if the DNS is down it not only puts the whole business at risk of a data breach and leakage, but also can significantly affect its bottom line.

What’s more, DNS is especially attractive to hackers because the protocol is very trusting, making it easy to exploit. DNS is a high performance data transfer protocol, and those who developed it 30-plus years ago would never have thought that DNS would now be used as an attack vector. This is why securing DNS is so crucial to network security.

Finally, as traditional protection is typically not effective against DNS based attack vectors, many companies are completely unprepared to detect and mitigate against DNS-based threats. Traditional protection such as firewalls and IPS devices typically leave port 53 open for DNS traffic to come in. This means very few of the incoming queries are inspected, leaving an unobstructed path for APTs and malware to enter the network.

The four steps of an APT attack
DNS is not only an attractive target to hackers for the reasons stated above, but can also be a key component in an APT attack. There are four stages of APT attacks, and DNS plays a role in the hackers’ success at every step.

Attackers generally use one of the three methods for the initial infection: phishing attacks, where malware is sent in emails to people in the organisation; watering hole attacks, where a website known to be frequented by people from the organisation is infected; or by direct physical connection, such as an infected USB stick or other method. The first two of these methods use DNS, demonstrating the importance of ensuring its security for rejecting suspicious and malicious content.

In almost all cases, the first action the initial malware performs is to download the real APT from a remote server, a Command & Control (C&C) /botnet location, by using DNS. This real APT will be far more capable of carrying the malicious intent to fruition than the initial infection, whose primary function is expressly to exploit known zero-day vulnerabilities.

Once downloaded and installed, the real APT will disable any antivirus or similar software running on the now infected computer. Unfortunately, this minor but significant task is usually not at all difficult. This then allows the APT to gather preliminary data from its computer victim and any connected LAN. It will then contact a C&C server using DNS, to discover what to do next.

A successful APT may identify terabytes of data that the attackers will want to see. In some cases, the APT will simply export this data via the same C&C servers from which it received instructions, but in many cases the bandwidth and storage capacities of the intermediate servers may be insufficient to transmit the data in a timely fashion. This also creates greater risk of being intercepted, as the more steps involved in transferring the data, the more likely that someone will notice. Consequently, the APT is far more apt to contact a different server directly, essentially a “dropbox,” for the purpose of uploading all the data. DNS is again crucial component in this final stage.

Protecting your DNS
As we’ve seen, DNS cannot only be easily exploited, but is frequently used to enable APT attacks. Protecting your DNS is crucial to securing your corporate data, and yet is often overlooked in traditional security policies.

By investing in a DNS firewall, for example, organizations can utilize their DNS to block any of the stages noted in the description of the APT attack above, either temporarily or permanently. A key weapon in the defence arsenal is the fact that the cyber criminals trust relatively few intermediate servers and networks. Consequently, these collusive servers and networks tend to get reused over and over again.

Going back to the same well time and again will heighten the chances that some, or all, of the server infrastructure used by the attackers can be discovered and therefore, blocked. This infrastructure-specific insight gives a DNS firewall its strength and the ability to thwart APTs and similar malware in a way that traditional firewalls can’t match.

Security companies have long lamented the fact that understanding a threat is half the job in securing organizations against cyber attacks. However, understanding the threat against DNS seems to have largely escaped many organizations. As a result, we will only see an increase in the number of APTs using DNS for their own malicious aims. Securing DNS is crucial to reducing the risk of data loss or other damage due to APTs, and those who don’t do so are denying themselves the best available defence against this new and highly worrisome cyber danger.