One of the most common attack vectors today is the exploitation of the domain name system (DNS). DNS is widely used, highly trusted and easy to exploit. In particular, advanced persistent threat (APT) attacks are becoming more popular because they can penetrate deeper into networks and do more damage than previous generations of malware. Once APTs have infiltrated a network, they use DNS servers to "call home" to remote command-and-control centers and download instructions on how to subvert operations or steal data on the network.
Attackers have used APT attacks in high-profile events involving retail chains such as Michaels and Kmart, as well as banking and finance giants such as American Express and JPMorgan Chase. They are expected to continue to spread into many industries, including education, government, healthcare and telecom/IT.
Attackers use APTs because they can overcome traditional modes of protection; APTs are designed to spread, morph and hide within IT infrastructure, patiently waiting to perpetuate long-term attacks. It is possible to stop them, however, if you understand how they work.
Initial infection: An APT gains its initial foothold in one of three ways:
- Attackers send malware emails to recipients within an organization. An example of this type of infection is Cryptolocker, a form of ransomware that targets Windows-based PCs and masquerades as an attachment within a seemingly legitimate email. Once a recipient opens the attachment, Cryptolocker encrypts files on local hard drives and mapped network drives. Unless you pay a ransom, the malware deletes the encryption key and your data becomes irretrievable.
- Attackers infect a website known to be frequented by people from the organization, whose browsers are directed to it via DNS. An example of this was the highly publicized Gameover Zeus, a peer-to-peer botnet that, once in the network, uses P2P communications to control infected devices.
- Attackers infect the network through a direct physical connection, such as via an infected USB drive.
Downloading the real APT: Once inside the organization, in almost all cases, the first key action the malware performs is to download the real APT from a remote server using DNS. The real APT is far more capable of carrying the malicious intent to fruition than the initial infection.
Spreading and calling home: Once downloaded and installed, the APT disables antivirus or similar software running on the now-infected computer. Unfortunately, this task is not difficult. The APT then typically gathers preliminary data and contacts a command and control server using DNS, to receive instructions on what to do next.
Data exfiltration: A successful APT may identify terabytes of data that the attackers will want to see. In some cases, the APT exports data via the same command and control servers from which it received instructions. However, often the bandwidth and storage capacities of the intermediate servers are insufficient to transmit the data in a timely fashion. In addition, the more steps involved in transferring the data, the more likely someone will notice. Consequently, the APT often contacts a different server directly, essentially a "drop box" for data, to upload all of the stolen data. DNS is used in this final stage as well.
Clearly DNS is an ideal target for APT attacks, and unsecured DNS poses a huge liability for organizations. However, this problem can be remedied. If you can secure your DNS servers, you can detect and prevent APT attacks. Securing DNS involves a few key practices: staying up to date with the current threat landscape; using Dynamic Host Configuration Protocol (DHCP) fingerprinting to gather intelligence on infected endpoints, so you can easily clean them up; and employing actionable reporting and logging that help you prioritize security and remediation efforts.
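To make the "actionable reporting and logging" practice concrete, the following Python script is an added example written for this page (it is not Infoblox's or the author's code). It scans resolver query logs for the traits the article attributes to the call-home and data-exfiltration stages: many never-repeated subdomains under one domain from a single client, long high-entropy labels that look like encoded data, and bulky record types such as TXT. The log format (`client qname qtype`, one query per line), the sample lines, the thresholds and the naive two-label `registered_domain()` helper are all assumptions made here; a production deployment would use the Public Suffix List and thresholds tuned to its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "client qname qtype" per line.
# The labels under drop-example.net are made-up strings standing in for encoded data.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 autodiscover.example.com A
10.0.0.7 abcdefghijklmnopqrstuvwxyz234567.c1.drop-example.net TXT
10.0.0.7 234567abcdefghijklmnopqrstuvwxyz.c1.drop-example.net TXT
10.0.0.7 nopqrstuvwxyz234567abcdefghijklm.c1.drop-example.net TXT
10.0.0.7 zyxwvutsrqponmlkjihgfedcba765432.c1.drop-example.net TXT
10.0.0.7 hijklmnopqrstuvwxyz234567abcdefg.c1.drop-example.net TXT
10.0.0.9 cdn.example.org A
10.0.0.9 static.example.org A
"""

# Thresholds are assumptions for this example; tune them against your own baseline.
LONG_LABEL = 24             # human-named hosts rarely have a first label this long
HIGH_ENTROPY = 3.5          # bits per character; encoded chunks tend to sit above this
MIN_UNIQUE_SUBDOMAINS = 4   # many never-repeated names under one domain from one client
BULKY_TYPES = ("TXT", "NULL")  # record types that carry the most payload per answer


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label (0.0 for an empty label)."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the assumed 'client qname qtype' format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qname, qtype = parts
        records.append((client, qname.rstrip(".").lower(), qtype.upper()))
    return records


def registered_domain(qname):
    """Naive registered-domain guess: the last two labels (assumption; use the PSL in practice)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def query_indicators(qname, qtype):
    """Per-query traits that by themselves are only weak signals."""
    reasons = []
    first = qname.split(".")[0]
    if len(first) > LONG_LABEL:
        reasons.append("long-label")
    if shannon_entropy(first) >= HIGH_ENTROPY:
        reasons.append("high-entropy-label")
    if qtype in BULKY_TYPES:
        reasons.append("bulky-record-type")
    return reasons


def analyze(text):
    """Aggregate per (client, domain) and report pairs with at least two independent indicators."""
    per_pair = defaultdict(lambda: {"names": set(), "hits": Counter(), "queries": 0})
    for client, qname, qtype in parse_log(text):
        stats = per_pair[(client, registered_domain(qname))]
        stats["queries"] += 1
        stats["names"].add(qname)
        for reason in query_indicators(qname, qtype):
            stats["hits"][reason] += 1

    findings = {}
    for (client, domain), stats in per_pair.items():
        # A per-query trait counts only when it holds for at least half of the pair's queries.
        reasons = [r for r, n in stats["hits"].items() if n >= stats["queries"] / 2]
        if len(stats["names"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many-unique-subdomains")
        if len(reasons) >= 2:
            findings[(client, domain)] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

Run against the constructed log, only the client 10.0.0.7 / drop-example.net pair is reported, with all four indicators, while the ordinary example.com and example.org lookups stay quiet. Requiring two independent indicators per client/domain pair, rather than alerting on any single long or high-entropy label, is what keeps names such as `autodiscover` from producing noise; in a real deployment the findings would feed the same reporting pipeline that drives remediation and endpoint clean-up.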
With companies across all industries being targeted by APT attacks, this attack vector is on the rise. The reality is that APTs are capable of great harm and can take an organization offline for hours at a time. As long as DNS is left unprotected, your network is at risk for a data breach. The more you know about APTs and the more intelligence you receive in real-time about malicious attacks, the easier it will be to protect your organization and your network from cybercrime.
About the author
Cricket Liu is executive vice president and chief DNS architect at Infoblox.