Ashraf Sheet, Infoblox: Securing DNS Infrastructure against Malicious Domains
March 2017 by Ashraf Sheet, Regional Director MEA at Infoblox
The constant creation of malicious domains has proved a cat and mouse game for threat researchers and cybercriminals. Across the world, new malicious domains are constantly being created from which cybercriminals can launch attacks against businesses’ Domain Name System (DNS) infrastructure.
During what is known as the ‘planting’ phase, the Infoblox DNS Threat Index, which monitors the creation of such domains, shows a significant increase in the number of malicious domains associated with malware and exploit kits. In the second ‘harvesting’ phase, the attackers begin to reap the bounty from these newly created malicious domains, launching attacks on organisations’ DNS to exfiltrate data or just to wreak havoc on their victims.
Exploit kit popularity persists
A great amount of this malicious infrastructure is being used in the creation of exploit kits. This particularly disturbing category of malware is part of a growing trend of off-the-shelf, user-friendly cybercrime tools.
These tool-kits-for-hire deliver malware via drive-by download, ultimately providing cybercriminals with an opportunity to wreak great havoc on an organisation with little or no technical knowledge. Indeed, attackers using exploit kits don’t need to understand how they create or deliver the exploit needed to infect a server, and the attack itself is often facilitated by a user-friendly interface featured in the kits itself to help hackers manage and monitor their malware campaign. All of this ultimately serves to lower the technical bar for sowing malware.
It is therefore unsurprising that exploit kits have cemented their place as a popular motive for malicious domain creation.
Angler continues to reign as the most popular exploit kit. Indeed, just recently Perez Hilton, the celebrity gossip website, was hacked, redirecting its visitors to the Angler landing page which in turn exposed users to CryptXXX ransomware.
Achieving its malicious goals
These tool kits generally exploit vulnerabilities or security flaws in operating systems, browsers, and popular software such as Adobe Flash and Java. Then, just as in the Perez Hilton case, users are exposed to the kits (and their payloads) via malvertising and spam on the compromised websites. When an exploit is successful in delivering its payload onto a victim’s device, it is then able to operate behind the service provider’s or company’s firewall. This malware can then spread across the internal network to other devices, as well as communicating back to its command-and-control (C&C) server, which enables it to download more malicious software or exfiltrate data. Often the organisation’s own DNS is used to facilitate communication between the infected device and its C&C server.
Like all command and control malware, phishing and many other threats, exploit kits use DNS to achieve their ultimate aim, whether that is data exfiltration or mass malware infection. For that reason, it has never been more important for organisations to protect their DNS infrastructure.
Securing DNS infrastructure
While DNS infrastructure is inherently a vulnerable component for organisations, effective internal DNS security solutions can turn it into a great asset for securing an organisation’s networks and data. And this is possible without having to change the existing network architecture.
Using DNS response policy zones (RPZs) on internal DNS, combined with an up-to-date threat intelligence feed of malicious destinations, enables DNS appliance to intercept those DNS queries which are associated with known malware. This effectively prevents the threat from communicating with its external C&C servers to wreak further havoc: preventing both data exfiltration using standard network protocols and malware from breeding in the network. Furthermore, internal DNS security can identify and prevent data exfiltration using DNS tunnelling techniques by establishing query thresholds. This benchmark then enables the DNS to detect and flag any unusually large queries or responses which may contain packets of data.
With the wealth of intelligence that can be garnered both on the types of threats facing DNS infrastructure and on the malicious domains being created to exploit it, organisations can take effective steps to prevent attack vectors from exploiting this infrastructure. And as the technical bar is lowered for attacks, as with exploit kits, whose popularity will only rise, DNS security will only become ever-more crucial. Inherently vulnerable, yet with great potential: no organisation should overlook this vital component of network architecture and leave it unprotected. DNS is capable of being an important defence against exploit kits and other attack vectors which rely on it to achieve their criminal aims.