Defenders Need to Gain a Clearer Picture of What’s Happening on Their DNS Infrastructures and IP Networks
In my previous column I wrote about how profit-driven attackers are hijacking legitimate online resources to launch campaigns. One way in which they do this is by using the Domain Name Service (DNS) to connect to sites that are known bad or suspicious and incorporate them into their campaigns. They use DNS in one of three ways: to gain command and control, to exfiltrate data, or to redirect traffic. Since few companies monitor DNS for security purposes, DNS has become an ideal avenue for attackers.
Enforcing security at the DNS layer is essential for identifying and containing malware infections that use DNS to execute their mission. Preventing threats before a connection ever happens is the first order of business. And this capability must travel off the network, following employees and their devices wherever they are and however they connect to the Internet. Technology that tracks malicious IP addresses and blocks connections to malicious infrastructure can thwart attackers aiming to capitalize on this common security blind spot. The more dangerous connections we block, the fewer threats we have to deal with inside the network.
But when an attack is successful, DNS monitoring can also help connect the dots, furthering investigations by determining the type and source of infrastructure supporting the attack. In the case of the Angler exploit kit, such technology helped to provide greater visibility into the IP infrastructure in use. Angler operators were essentially moving from one IP address to the next in a linear fashion to conceal the threat activity and to prevent any interruption to their moneymaking. Analysis of the domain activity associated with the threat provided a deeper understanding of the techniques incorporated and how to stop them.
As attackers continue to innovate, for example bypassing the need to resolve a domain name by incorporating direct command and control connections, defenders are responding with their own innovations to more quickly identify attacks in progress.
The emergence of predictive IP-based threat intelligence is one such innovation. This involves applying algorithms to traffic patterns to hone in on malicious activity as opposed to scanning for content. This data science-based technique is akin to that used by music services like Pandora. But instead of using patterns of sound waves in music you listen to in order to identify other music you may like, it uses network traffic patterns to identify malicious attacks.
Some domains have consistent high-volume incoming traffic. Others might have sudden spikes in traffic at regular intervals or follow some other pattern entirely. But the traffic patterns for domains that are being used in attacks are much faster and shorter since they are only used for a brief period of time as a way to remain under the radar. Being able to detect transient patterns and cross-referencing those findings with other data helps detect and take action to stop attacks that are underway.
The ability to anticipate an attack takes this data analysis to the next level. Beginning with the clues found by analyzing traffic patterns, it uses all the other steps a cybercriminal goes through to hijack infrastructure – from choosing a hosting provider to deploying server images – to determine whether an attack is going to take place. This deeper and more extensive analysis of the hosting infrastructure allows you to predict and prevent emergent threats.
As cybercriminals use the Internet to launch attacks, we need to gain a clearer picture of what’s happening on DNS infrastructures and IP networks. This starts with security teams and DNS experts working together and in alignment with the right technology. Our ability to connect more and more dots to fine tune intelligence is essential to identifying and stopping attacks faster. Not only that, continuing to advance data science as adversaries continue to evolve their methods of attack will allow us to zero-in on more Internet-based attacks before they occur.
