A great write-up by one of Infoblox’s technical experts, Frank Hecker, that I wanted to share as a blog. Very valuable insights on DNS deployment to stop data exfiltration via DNS.
First, if you’re not reading Brian Krebs’ blog “KrebsonSecurity,” you should be; it’s one of the best, if not the best, sources of news about real-life criminal hackers and their attacks. His recent “insider story” about an investigation into a security breach at a retailer (similar to the recently-publicized attack on the point-of-sale systems at Target), titled “These Guys Battle BlackPOS at a Retailer,” includes this interesting paragraph.
We were never able to figure out how they egressed the data. The only protocols that were allowed outbound were DNS. So if they wrapped the stolen data up in outbound DNS packets, maybe. We never solved that problem, we were still looking when the engagement ended. We could see it was doing a lot of the work, but we couldn’t see it was actually leaving the organization.
In other words, they didn’t have much visibility into what was going on with DNS, and didn’t have any real way to detect and mitigate the use of DNS to tunnel malware-related traffic back to the attackers.
This is one of the things that Advanced DNS Protection is intended to address: If Infoblox Advanced Appliances with ADP (PT-1400, PT-2200, or PT-4000) are deployed inside the network to serve as recursive resolvers for internal DNS clients, then they can analyze DNS queries originating from PCs and other systems and identify signs that such queries are being used to exfiltrate data from the network. As noted in the Advanced DNS Protection description:
For tunneling, Advanced DNS Protection drops the DNS tunneled queries with the ability to throttle so that legitimate usage of that DNS tunneling technique for AV updates, as an example, goes through.
Even with ADP in place, a slow trickle of data exfiltration via DNS can still get through. So while ADP cannot completely eliminate the use of DNS for data exfiltration, it can at least make it more difficult, and allow potential cases of DNS tunneling to be identified and investigated. This includes identifying
- The true source IP address of PCs that may be infected (if Infoblox is used for first-tier DNS resolution instead of Microsoft or some other DNS server)
- The MAC addresses of the infected PCs (if Infoblox is used for DHCP)
- The switch ports to which the infected PCs are connected (if Infoblox Network Insight is used to collect and collate network-related data)
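As an added illustration (not code from the original post or from Infoblox), the following Python sketch shows the kind of per-client analysis a recursive resolver's query log makes possible: it groups queries by client IP and base domain and flags combinations with many unique, long, high-entropy subdomains, which is the typical shape of tunneled data. The log format, domain names and thresholds are constructed assumptions; on a gateway-only log the "client" column would just be the forwarding resolver's address, which is exactly the loss of source visibility discussed later in the post.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a simplified "client query: qname IN qtype"
# format (assumed for this example; not a real Infoblox log format).
SAMPLE_LOG = """\
10.1.2.33 query: www.example.com IN A
10.1.2.33 query: 6a7b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.x7.evil-tunnel.test IN TXT
10.1.2.33 query: 0f9a8b7c6d5e4f3a2b1c0d6a7b3c2d1e.x8.evil-tunnel.test IN TXT
10.1.2.33 query: 5e4f3a2b1c0d6a7b3c2d1e0f9a8b7c6d.x9.evil-tunnel.test IN TXT
10.1.2.34 query: mail.example.com IN MX
10.1.2.34 query: update.vendor.test IN A
"""

LOG_RE = re.compile(r"^(\S+) query: (\S+) IN (\S+)$")


def parse_line(line):
    """Return (client_ip, qname, qtype) or None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower().rstrip("."), m.group(3)


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split 'a.b.example.com' into ('a.b', 'example.com') (2-label base assumed)."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_suspects(log_text, min_unique=3, min_len=30, min_entropy=3.0):
    """Flag (client, base_domain, query_count) whose subdomains look like payload."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "n": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, qname, _qtype = parsed
        sub, base = split_name(qname)
        s = stats[(client, base)]
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub)
        s["n"] += 1
    suspects = []
    for (client, base), s in stats.items():
        n = s["n"]
        if len(s["subs"]) >= min_unique and s["len"] / n >= min_len and s["ent"] / n >= min_entropy:
            suspects.append((client, base, n))  # client is the true source only at the internal resolver
    return sorted(suspects)
```

In a real deployment the client IP would be joined against DHCP lease and switch-port data to reach the MAC address and port the post mentions.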
Infoblox DNS Firewall also can play a role here, and can be deployed on Infoblox Advanced Appliances with ADP that are used as recursive resolvers. As with ADP itself, DNS Firewall cannot completely eliminate the possibility of DNS tunneling: It works only with known malware sites, and cannot detect DNS tunneling done to a previously unknown site. (Although the Infoblox DNS Firewall – FireEye Adapter can help here, since it can inform DNS Firewall of malware-related domains and IP addresses that are identified internally and may not yet be known to commercial malware analysis firms.)
Also, even with a known site Infoblox DNS Firewall cannot completely cut off DNS tunneling traffic, since by design the underlying RPZ technology applies its checks based on the DNS response and not on the DNS query—in other words, after a DNS query with tunneled data has already exited the network. However Infoblox DNS Firewall, like ADP, can help identify the presence of malware-related data exfiltration traffic and its sources, since DNS traffic related to known malware domains or addresses will result in an alert being flagged.
A final thought: Some organizations may try to address DNS tunneling solely at the gateway(s) between their internal networks and the public Internet, using Infoblox Advanced Appliances with ADP acting as forwarders in the DMZ, or using general-purpose firewalls that can do DNS packet inspection.
This approach may detect the presence of tunneling attacks and help mitigate their effect, but it will make it difficult to identify their source, since at the gateway(s) the only information likely to be available about the suspect DNS queries is the IP address of the lower-level DNS server(s) that forwarded them. Discovering the true source IP addresses, MAC addresses, and switch ports of the infected PC(s) in these cases may be time-consuming or even impossible, since it would likely require manually chasing through logs and other data sources, which may be incomplete or even nonexistent (for example, if the organization does not capture DNS and DHCP log data, or doesn’t retain it long enough to use in future forensic investigations).
The bottom line is that there is no silver bullet that can completely eliminate the possibility of the DNS protocol being used by malware to exfiltrate sensitive data to attackers. However Infoblox Advanced DNS Protection and Infoblox DNS Firewall can help detect the use of DNS tunneling for exfiltration, mitigate its effects, and identify the systems that are the source of the traffic, especially if these and other Infoblox technologies are comprehensively deployed throughout the organization’s networks.