Decoding the DNS: A New Arena in Cyber Defence

How_DNS_Works.jpg

How Domain Name System (DNS) Works

Any company with a large DNS Domain Name System infrastructure will find it difficult to understand what is happening in real time. This is down to the sheer volume of data involved – you could be looking for patterns in millions if not billions of requests to and around your network.However, new tools are emerging which capitalise on advanced big data techniques to analyse DNS data in depth, opening up the possibilities for using DNS data as an intelligence gathering mechanism in the war against cyber-crime.

Before now, the insights that can be found amongst the four billion DNS queries that the UK zone receives on a daily basis have largely been hidden because tools capable of analysing traffic across periods of more than a few minutes didn't exist. But with new DNS analytics and visualisation tools that have the capacity to store and analyse DNS queries data in-depth, we've begun to uncover techniques for identifying patterns of use that indicate malicious activity or cyber security vulnerabilities. Here are two:

Identifying botnets and spam

One example of cyber intelligence that can be gained from DNS analysis relates to botnets. Botnets continue to contribute to DDoS attacks and spam runs. Recent research from Kaspersky found that over 23,000 botnet-assisted DDoS attacks were reported in Q1 of this year alone. Spam email also continues to cause problems – despite recently dropping to a 12 year low spam still represents almost half of all emails sent.
DNS data can reveal previously hidden tell tale signs that computers on your network have become part of a botnet. A typical spam run centres on mass mailing to a list which almost inevitably will contain many invalid or expired domains. DNS analysis can reveal abnormally large numbers of requests for domains that do not exist, suggesting that machines on the network have been compromised.
By recognising specific infections early, it's possible to quickly clean up or at least isolate the infected machines and reduce the amount of spam crossing your network. The bigger your infrastructure, the more helpful such techniques are.

Limiting the spread of malware

The fight against malware is another area which can be assisted by DNS analysis. When it comes to Malware Index Case detection, DNS analysis has enabled the identification of a particularly aggressive piece of malware by tracking infected machines which were using something called a Domain Generation Algorithm (DGA), an algorithm that generates a number of random domains for botnets to communicate with.
DGA works by using an algorithm that generates a number of domains that changes periodically, and is often spread over many jurisdictions which means it is hard to predict. This allows the cyber-criminal to communicate with a large army of machines but reduces the risk of a white-hat adversary taking back control, as instead of having a single point of vulnerability, the cyber-criminal has many domains to hide behind.
DGAs are used by many pieces of malware, and tend to have two characteristics: They look like random strings and are in use for only a fixed period of time, commonly 24 hours. This means that a machine on your network that's trying to resolve a set of domains which don't look like humanly readable words i.e. iaurghriugharui.co.uk, may well be an infected machine.
If the set of domains changes on a daily basis, then this is even stronger evidence. By analysing DNS data, security professionals can find, predict and sinkhole the traffic of most DGAs by looking into a company's recursive DNS traffic.
 With cyber-criminals constantly finding new and intelligent ways in which to infiltrate a company's network, the ability to analyse DNS data opens up a whole new avenue of protection for organisations.
Decoding the DNS gives businesses another tool in their arsenal, one which was previously significantly more limited than it is now. If your organisation has a large DNS infrastructure but you haven't previously been able to extract meaningful intelligence from DNS data, now may be the time to consider reassessing your options.
SC Magazine: http://bit.ly/1ia9wO6

 

 

 

« A New Design for Cryptography’s Black Box
DEMOS: The Road to Representivity »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Centripetal Networks

Centripetal Networks

Centripetal Networks was founded with one vision - to protect networks from advanced threats by simplifying intelligence-driven security.

National Information Technology Development Agency (NITDA) - Nigeria

National Information Technology Development Agency (NITDA) - Nigeria

The National Information Technology Development Agency (NITDA) is committed to implementing the Nigerian National Information Technology Policy.

Cybraics

Cybraics

Cybraics nLighten platform implements a unique and sophisticated artificial intelligence engine that rapidly learns your environment and alerts security teams to threats and vulnerabilities.

Cryptosense

Cryptosense

Cryptosense provides the first application security software dedicated to the detection and remediation of crypto vulnerabilities.

Vesta

Vesta

Vesta Corporation is a global provider of a scalable suite of fraud and payment solutions for online commerce.

RangeForce

RangeForce

RangeForce delivers the only integrated cybersecurity simulation and skills analysis platform that combines a virtual cyber range with hand-on training.

Northcross Group (NCG)

Northcross Group (NCG)

NCG provides services to help organizations meet the challenges of regulatory compliance. Our services include support, consultation, tools and accelerators for all parts of an organization.

Quantum Security Solutions (QSec)

Quantum Security Solutions (QSec)

QSec is an innovative information security consultancy based in Ghana. We can provide your organisation with information security products and services that assure against information risk.

Talion

Talion

Talion aim to reduce the complexity involved in securing your organisation and to give security teams unrivalled visibility into their security operations, so they can make optimal decisions, fast.

Computer Services Inc (CSI)

Computer Services Inc (CSI)

CSI is a leading fintech, regtech and cybersecurity solutions partner operating at the intersection of innovation and service.

Certo Software

Certo Software

Certo are trusted experts in mobile security. At Certo, mobile security is not an afterthought, it’s what we do.

Digital Silence

Digital Silence

Digital Silence is a world-class provider of information security research and consulting services.

Jot Digital

Jot Digital

Jot Digital is a full-service technology company specializing in digital engineering, application modernization and business transformation.

CESAR

CESAR

CESAR is one of the premier R+D and innovation centers in Brazil and a designated Cybersecurity Competence Center.

Operational Systems (OpSys)

Operational Systems (OpSys)

OpSys is a leading Managed IT and Cyber Security provider protecting the critical elements of businesses across the globe.

Element

Element

Element is a new type of communications platform. It combines consumer messaging apps, collaboration tools and video conferencing to replace email, address shadow IT and improve security.