Decoding the DNS: A New Arena in Cyber Defence

Uploaded on 2015-09-15 in NEWS-News Analysis, GOVERNMENT-Defence, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

How_DNS_Works.jpg

How Domain Name System (DNS) Works

Any company with a large DNS Domain Name System infrastructure will find it difficult to understand what is happening in real time. This is down to the sheer volume of data involved – you could be looking for patterns in millions if not billions of requests to and around your network.However, new tools are emerging which capitalise on advanced big data techniques to analyse DNS data in depth, opening up the possibilities for using DNS data as an intelligence gathering mechanism in the war against cyber-crime.

Before now, the insights that can be found amongst the four billion DNS queries that the UK zone receives on a daily basis have largely been hidden because tools capable of analysing traffic across periods of more than a few minutes didn't exist. But with new DNS analytics and visualisation tools that have the capacity to store and analyse DNS queries data in-depth, we've begun to uncover techniques for identifying patterns of use that indicate malicious activity or cyber security vulnerabilities. Here are two:

Identifying botnets and spam

One example of cyber intelligence that can be gained from DNS analysis relates to botnets. Botnets continue to contribute to DDoS attacks and spam runs. Recent research from Kaspersky found that over 23,000 botnet-assisted DDoS attacks were reported in Q1 of this year alone. Spam email also continues to cause problems – despite recently dropping to a 12 year low spam still represents almost half of all emails sent.
DNS data can reveal previously hidden tell tale signs that computers on your network have become part of a botnet. A typical spam run centres on mass mailing to a list which almost inevitably will contain many invalid or expired domains. DNS analysis can reveal abnormally large numbers of requests for domains that do not exist, suggesting that machines on the network have been compromised.
By recognising specific infections early, it's possible to quickly clean up or at least isolate the infected machines and reduce the amount of spam crossing your network. The bigger your infrastructure, the more helpful such techniques are.

Limiting the spread of malware

The fight against malware is another area which can be assisted by DNS analysis. When it comes to Malware Index Case detection, DNS analysis has enabled the identification of a particularly aggressive piece of malware by tracking infected machines which were using something called a Domain Generation Algorithm (DGA), an algorithm that generates a number of random domains for botnets to communicate with.
DGA works by using an algorithm that generates a number of domains that changes periodically, and is often spread over many jurisdictions which means it is hard to predict. This allows the cyber-criminal to communicate with a large army of machines but reduces the risk of a white-hat adversary taking back control, as instead of having a single point of vulnerability, the cyber-criminal has many domains to hide behind.
DGAs are used by many pieces of malware, and tend to have two characteristics: They look like random strings and are in use for only a fixed period of time, commonly 24 hours. This means that a machine on your network that's trying to resolve a set of domains which don't look like humanly readable words i.e. iaurghriugharui.co.uk, may well be an infected machine.
If the set of domains changes on a daily basis, then this is even stronger evidence. By analysing DNS data, security professionals can find, predict and sinkhole the traffic of most DGAs by looking into a company's recursive DNS traffic.
 With cyber-criminals constantly finding new and intelligent ways in which to infiltrate a company's network, the ability to analyse DNS data opens up a whole new avenue of protection for organisations.
Decoding the DNS gives businesses another tool in their arsenal, one which was previously significantly more limited than it is now. If your organisation has a large DNS infrastructure but you haven't previously been able to extract meaningful intelligence from DNS data, now may be the time to consider reassessing your options.
SC Magazine: http://bit.ly/1ia9wO6

 

 

 

« A New Design for Cryptography’s Black Box
DEMOS: The Road to Representivity »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Blue Solutions

Blue Solutions

Blue Solutions is a consultancy-led, accredited software distributor who provides IT solutions and support to small and medium enterprises.

Hack in the Box Security Conference (HitBSecConf)

Hack in the Box Security Conference (HitBSecConf)

HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events feature two days of training and a two-day multi-track conference

AllClear ID

AllClear ID

AllClear ID provides products and services that help protect people and their personal information from threats related to identity theft.

ITRecycla

ITRecycla

ITRecycla are specialists in the protection of sensitive computer data by data destruction, re-marketing of reusable computer equipment, computer recycling and disposing of electronic e-waste.

European Healthcare Fraud & Corruption Network (EHFCN)

European Healthcare Fraud & Corruption Network (EHFCN)

EHFCN is the only organisation dedicated to combating fraud, corruption and waste in the healthcare sector across Europe.

MISP Project

MISP Project

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators.

Cyturus Technologies

Cyturus Technologies

Cyturus Technologies delivers cybersecurity business risk quantification services using our proprietary Adaptive Risk Model (ARM).

Fusion Risk Management

Fusion Risk Management

Fusion Risk Management focuses on operational resilience encompassing business continuity, risk management, IT risk, and crisis and incident management.

PT Sydeco

PT Sydeco

At PT SYDECO we create a complete range of products that secure computer and industrial networks, servers, programs and data against any type of computer attack.

Nigerian Communications Commission (NCC)

Nigerian Communications Commission (NCC)

NCC has established a CSIRT for the telecommunication industry to provide services and support for the prevention and management of potential cyber security related emergencies.

Symptai Consulting

Symptai Consulting

Symptai Consulting is a leading Cyber Security, Digital Transformation and Anti-Money Laundering firm serving the Caribbean and the wider world.

Cybergroot

Cybergroot

Cybergroot provides Cybersecurity Assessment services and professional Information Security trainings.

Open Source Security Foundation (OpenSSF)

Open Source Security Foundation (OpenSSF)

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

Fusion Cyber

Fusion Cyber

Fusion Cyber educates students in Zero Trust Risk Management, Defense, and Cyber Offense that lead to taking industry-accepted cybersecurity certifications.

BluSapphire

BluSapphire

BluSapphire is an industry-first, purpose-built, cloud-native, Hybrid XDR platform powered by AI and big data analytics.

Astute Technology Management

Astute Technology Management

Astute Technology Management helps businesses take control of their technology and work with greater confidence.

Radiant Security

Radiant Security

Radiant Security offers an AI-powered security co-pilot for Security Operations Centers (SOCs). Reinforce your SOC with an AI assistant.