On January 10, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) released an alert about a DNS-related attack on telecoms and internet infrastructure providers, carried out in order to access data held by government and sensitive commercial entities across Europe, North America, the Middle East and North Africa. The attack relied on sophisticated knowledge of the targets’ networks, and early reports speculate that state-level actors may be involved.
DNS used as an attack vector
While the attackers used different methods to compromise each network, the common thread was DNS. The attackers used “man in the middle” techniques to insert themselves into various parts of the DNS resolution chain.
In some instances, the attackers hijacked the corporate accounts of victims in commonly used DNS proxy services. Using freely available tools, they then changed the certificates to redirect traffic to a domain controlled by the attacker. Since the certificates were legitimately created and associated with a known proxy service, the DNS query appeared legitimate.
What is to be done?
Monitor your DNS traffic. Detecting sophisticated attacks like these requires an equally sophisticated level of visibility into DNS traffic. Research shows that 60% of organizations don’t look into their DNS data at all.
Check DNS response data. Logging outbound queries is the first step, but ideally you’re going to want response data as well. In the case of this particular attack, the response data differed from what the originating host would have expected. Examining response data patterns can identify the tell-tale signs of this type of attack.
Harden your recursive servers. Whether through architecture, access controls, or physical device features, there are several ways to protect recursive servers from unwarranted access and tampering.
Block DNS tunneling. The attack used DNS tunneling to establish command and control links within the victim’s networks. While there are some legitimate uses for DNS tunneling, when paired with other suspicious activity it can quickly indicate the presence of malicious actors.
What BlueCat customers should do
BlueCat DNS Edge customers are already collecting DNS query and response data, enabling them to both investigate suspicious queries and uncover abnormalities on their network.
Review response data patterns. DNS Edge currently provides visibility into the query response data. Later this month, BlueCat will introduce visibility into Authoritative Nameserver data as well. Examining the response to a query can help uncover where an answer came from (the authoritative nameserver) and where it pointed (the IP address) - both critical pieces of intelligence when attempting to identify DNS hijacking activity.
Create policies on authority or response details to a query. DNS Edge can block or monitor registrars with poor reputations. Even implementing these policies on a temporary basis can help to identify patterns of activity associated with this threat pattern.
Create policies for purpose-built (IoT) devices. In addition to limiting DNS response capabilities by device type, the security policies in DNS Edge can restrict both the responses delivered to IoT devices and the Authoritative Nameservers allowed to provide them.
Use a hardened recursive server. BlueCat’s recursive servers are hardened against unwarranted access and tampering.
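The response-data checks described above (comparing where an answer came from and where it pointed against what the host should expect) can be expressed as a simple baseline comparison. The following is an added example, not BlueCat code or DNS Edge functionality: it assumes a constructed log format of timestamp, client, query name, record type, answer and authoritative nameserver, and a hand-maintained baseline of expected nameservers and address ranges per zone.

```python
import ipaddress

# Constructed sample of DNS response log lines (not real traffic).
# Fields: timestamp client qname rtype answer authoritative_nameserver
SAMPLE_LOG = """\
2019-01-11T08:00:01Z 10.0.0.5 mail.example.com A 198.51.100.10 ns1.example.com
2019-01-11T08:00:02Z 10.0.0.5 www.example.com A 198.51.100.20 ns1.example.com
2019-01-11T08:05:00Z 10.0.0.7 mail.example.com A 203.0.113.44 ns1.example.com
2019-01-11T08:06:00Z 10.0.0.7 www.example.com A 198.51.100.20 ns.unknown-provider.example
2019-01-11T08:07:00Z 10.0.0.9 vpn.example.com A 198.51.100.30 ns1.example.com
"""

# Assumed baseline per zone: the nameservers expected to answer for it and
# the address ranges its A records are expected to fall within.
BASELINE = {
    "example.com": {
        "nameservers": {"ns1.example.com", "ns2.example.com"},
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
    },
}


def zone_for(qname):
    """Return the longest baseline zone that is a suffix of qname, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in BASELINE:
            return candidate
    return None


def check_responses(log_text):
    """Return (qname, reason, value) tuples for answers that deviate from baseline."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, rtype, answer, authority = line.split()
        zone = zone_for(qname)
        if zone is None or rtype != "A":
            continue  # only A records for zones we have a baseline for
        expected = BASELINE[zone]
        if authority not in expected["nameservers"]:
            findings.append((qname, "unexpected-authority", authority))
        if not any(ipaddress.ip_address(answer) in n for n in expected["networks"]):
            findings.append((qname, "answer-outside-baseline", answer))
    return findings
```

Running `check_responses(SAMPLE_LOG)` flags the mail record that suddenly points outside the expected range and the www record served by an unknown nameserver, while leaving the consistent answers alone.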
The power of Enterprise DNS
BlueCat’s Enterprise DNS solutions offer powerful tools to identify and protect against even the most sophisticated uses of DNS as an attack vector. With service points to collect comprehensive logs of DNS traffic (including response data), the ability to block DNS tunneling on a targeted basis, and hardened recursive server design, Enterprise DNS is a powerful arrow in the quiver for both network and security teams.