Have you seen the film “Inside Man”, where Clive Owen and his team pull off a successful bank heist and the police are made to think that nothing was stolen? In a very elaborate way, the “criminals” sneak out the front door at the end of the film with their treasure, and no one notices.
I think about this film every time I read about cybercriminals stealing sensitive information from big companies and organizations, which seems to happen every single week: Hilton the other week, Target not so long ago. Somehow these crooks get their hands on credit card information, identity credentials and other sensitive data.
How does this keep happening? Getting past the state-of-the-art external protection these companies have invested large sums of money in is one thing; the bad guys just keep coming up with creative new ways to get inside the systems. But once the criminals are in, how do they, just like Clive Owen, get the information out without anyone noticing?
Again, these companies have great protection. They've got various kinds of perimeter protection that monitor their data traffic; they know who logs in and who sends what. Some of the big challenges, though, are that the criminals encrypt the outgoing traffic, split it into small pieces (so-called evasion), or use the Domain Name System (DNS) as their way out.
A DNS packet has a maximum size of 512 bytes (not kilobytes), while a normal, legitimate packet is about 40-150 bytes. This means there's room to spare for other data. A package containing credit card numbers and personal information won't be bigger than 100-200 bytes, which allows the villains to carry out the exfiltration through DNS.
When you consider that DNS requests are made by the thousands per second, the bad guys can extract an entire customer database of sensitive information in a short period of time. The challenge is to tell what's good from what's bad in these massive traffic volumes.
So how do you do that? Well, there's really no existing security product that does a very good job of stopping this, and next-generation firewalls, for all their deep packet inspection and application identification, can't tell you whether sensitive data is going out via DNS.
What should an enterprise do? Real-time analysis is very important, as is understanding what normal traffic flow looks like so that discrepancies can be picked out. Being able to inspect the content, and to recognize the encryption methods in use, is also incredibly important. In short, react to any anomalies. Customers of Infoblox, of course, have these tools at their disposal for combating this threat.
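To make the "know what normal looks like, then react to anomalies" advice concrete, here is an added example of my own (not Infoblox code, and not any product's detection logic) run over a constructed DNS query log. It covers both points above: the spare room in a query name that encoded data can occupy, and a baseline-and-anomaly check over traffic. The detector flags long, high-entropy leftmost labels (hostnames are short words; packed data looks like a random hex or base32 blob) and raises an alert when one client sends several distinct such labels to the same domain within a short window. The log format, the thresholds, the domain names and the client addresses are all assumptions made for this example.

```python
import math
from collections import defaultdict

# Constructed sample of a DNS query log, one query per line:
# "epoch_seconds client qtype qname". These records are made up for
# this example; they are not captured traffic.
SAMPLE_LOG = """\
1700000000.001 10.0.0.5 A www.example.com
1700000000.120 10.0.0.5 A mail.example.com
1700000000.210 10.0.0.7 A cdn.example.net
1700000000.300 10.0.0.9 TXT 4d3a9f1c2b7e8a6d5f0e1c2b3a4d5e6f7a8b9c0d1e2f3a4b.data.exfil-demo.test
1700000000.310 10.0.0.9 TXT 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f.data.exfil-demo.test
1700000000.320 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978.data.exfil-demo.test
1700000000.330 10.0.0.9 TXT 5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.data.exfil-demo.test
1700000000.340 10.0.0.9 TXT c0ffee00deadbeef0123456789abcdef0123456789abcdef.data.exfil-demo.test
1700000000.400 10.0.0.5 AAAA www.example.com
"""

# Heuristic thresholds (assumed values for this example; tune them against
# your own baseline of normal traffic).
MIN_SUSPECT_LABEL_LEN = 32      # legitimate hostnames rarely have one label this long
ENTROPY_THRESHOLD = 3.5         # bits/char; hex or base32 blobs sit near 4.0, words near 2-3
UNIQUE_SUBDOMAIN_THRESHOLD = 4  # distinct suspect labels from one client to one domain
WINDOW_SECONDS = 60.0           # ...within this many seconds


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or single-symbol input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Parse the four-column log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": float(ts), "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Crude 'last two labels' approximation of the registered domain.
    A real deployment would consult the public suffix list instead."""
    return ".".join(qname.split(".")[-2:])


def is_suspect_label(label):
    """A long, high-entropy leftmost label looks like encoded data, not a hostname."""
    return len(label) >= MIN_SUSPECT_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def detect(log_text, window=WINDOW_SECONDS, threshold=UNIQUE_SUBDOMAIN_THRESHOLD):
    """Return one alert per (client, domain) pair that sent `threshold` or more
    distinct suspect-looking subdomains within any `window`-second span."""
    by_key = defaultdict(list)
    for rec in parse_log(log_text):
        first_label = rec["qname"].split(".")[0]
        if is_suspect_label(first_label):
            key = (rec["client"], registered_domain(rec["qname"]))
            by_key[key].append((rec["ts"], first_label))

    alerts = []
    for (client, domain), events in by_key.items():
        events.sort()
        best = 0
        # Sliding window: count distinct labels seen within `window` of each start.
        for i, (start_ts, _) in enumerate(events):
            seen = {lbl for ts, lbl in events[i:] if ts - start_ts <= window}
            best = max(best, len(seen))
        if best >= threshold:
            alerts.append({"client": client, "domain": domain,
                           "unique_labels": best, "queries": len(events),
                           # characters of encoded data carried in the labels
                           "encoded_chars": sum(len(lbl) for _, lbl in events)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the ordinary lookups from 10.0.0.5 and 10.0.0.7 produce nothing, while the five TXT queries from 10.0.0.9 yield a single alert naming the client, the domain, the number of distinct labels and the 240 characters of encoded data they carried. The two heuristics are deliberately separate: label length and entropy catch what a single query looks like, while the per-client, per-domain window catches the volume pattern, and in practice both thresholds should be set from your own measured baseline rather than from the assumed values here.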
The cybercriminals have the knowledge, and they are very creative. We need to catch up and take off the blindfolds, so that we can react before a cyber-Clive sneaks out the front door with your sensitive data without you suspecting a thing.