I had a great conversation with Logan Kleier at the GigaOM Structure conference a couple of days ago. Logan is the Chief Information and Privacy Security Officer for the city of Portland. On the topic of advanced persistent threats (APTs), Logan mentioned how hollow the FUD that different vendors kept pitching to him sounded, and how each pitch pointed out yet another exposure that others did not cover.
All they really did, he said, was give the impression that there is no way to fully protect against APTs because the list of what-ifs never ends, even after emulation, sandboxing, and applying layers of security at the host and network. And at what cost?
I think one of the things security purists miss is that eventually this boils down to risk benefit analysis. It begs the question of how much pain and money enterprises are willing to bear to address the insurmountable targeted-threat attack vectors. Is it feasible to have all the traffic routed through deep inspection, analytics, and encryption? What about usability, performance and latency aspects of the business needs?
Or is there a smarter way to protect against APTs?
As it turns out, working smarter instead of harder helps solve the problem to a large degree. And the key is in looking for the footprints or the trail that malware leaves behind. One promising evidence trail to follow is the use of DNS to reach out to bad destinations and command-and-control sites. DNS Firewall is a lightweight but very effective way to address that.
DNS Firewall has recently demonstrated its ability to do that effectively, pulling off what I call the “hat trick”—scoring wins against three types of much-talked-about malware in only a few weeks.
1. Dyreza
Dennis Fisher, writing in ThreatPost, describes a new piece of banking malware called “Dyreza,” which he points out is targeting many major online banking services, including:
- Bank of America
- Natwest
- Citibank
- RBS
- Ulsterbank
The way the Dyreza code works is similar to the way the ZeuS code works, and like most online banking threats, it supports browser hooking for Internet Explorer, Chrome, and Firefox and harvests data at any point where an infected user connects to the targets specified in the malware.
DNS Firewall had this in its feeds before Dyreza became commonly known. Due to the nature of the malware, a lot of the feed content that is proactively added to the DNS Firewall is not published or called out, but is actively protecting our customers.
2. Gamover ZeuS
UAE ranks third in a list of countries most affected by the GameOver ZeuS (GOZ) botnet. U.S. FBI cracked a botnet that was spreading the GameOver Zeus malware kit, which had stolen personal and financial data worldwide. According to The Independent, more than 15,000 machines in the UK are believed to have been infected by a cybergroup based in Russia and the Ukraine.
The FBI believes GameOver Zeus has been responsible for $100 million in losses. In addition to searching for personal credentials for the purpose of financial theft, the kit also drops the CryptoLocker ransomware program, which encrypts all files on a target’s computer, including personal photographs, and charges £300 ($500) to unlock them.
In instances of both Gameover Zeus and Cryptolocker, DNS Firewall protected customers by stopping communications to bad destinations.
3. Blackshades RAT
In our May 20 blog titled “Protecting from Creepware Using DNS Firewall”, Balaji Prasad talked about the Blackshades remote access tool, or RAT, which targets Microsoft Windows-based operating systems and allows cybercriminals to take control of your computer. Once inside, they can spy on you through your Web camera, steal your files and account information, and see what you are typing.
As with Dyreza, we had identified the threat and were protecting our customers from it before its existence was commonly known. Currently we have over 13,000 domains related to Blackshades in the DNS Firewall feed. And by cracking the domain generation algorithm, we pre-populated potential domains they could use!
That’s a hat-trick! The smart (and cost effective) way to protect against rapidly emerging APTs could be much simpler than you think. (Hint: DNS Firewall)