The ubiquity – and convenience – of mobile devices and the increasing incidence of cybercrime are causing security challenges for most companies, which are experiencing diminishing control over where and when employees use their devices. In an ideal situation, a company could implement enterprise security policies and content categorization that always apply – independent of user actions. That’s what we do at Infoblox. Our approach is to protect devices anywhere – on premises, roaming, or in remote or branch offices – without requiring any user authentication or action.
Traditional Security Approaches Don’t Work Anymore
So, what’s going on that’s allowing more malware to get through enterprise defenses? Cybercriminals are always evolving their methods to get around traditional security measures. For example, enterprise security architectures are typically standardized around web proxies and next-generation firewalls. Attackers have worked around these traditional defenses, using DNS to sneak in. In fact, over 91% of malware attacks use DNS (per Cisco 2016 Annual Security Report) in the kill chain.
Although DNS was used initially as the control plane for Command and Control (C&C) servers, more and more hackers are using it as a data plane for payload acquisition or data exfiltration. They also are using DNS as a way to evade classical detection with methods like fast flux or DGA (domain generation algorithms).
The implication is that infected end hosts may never issue a web request to the web proxy, which makes proxies useless in protecting the end host. In particular, these approaches have been very effective in targeting point-of-sale (PoS) systems to load malware and exfiltrate data.
Standard solutions are reactive and deliver protection very late in the chain. To deal with increasingly sophisticated malware, it is much more effective for enterprises to adopt a proactive approach and mitigate attacks at the very first step in the kill chain – DNS.
DNS at the Center of the Storm
A lot of organizations mistakenly believe that they are protected “by design” because they run internal DNS roots (as I explain in a previous blog), because they rely on SaaS DNS with reputation-only protection, or because the normal process for an end host is to go through a web proxy.
Unfortunately, this is not the case, as most major threats use DNS. Infoblox provides a useful tool, the Data Exfiltration Demo Portal, to help you evaluate whether your organization might be vulnerable to attacks such as the following:
- Data infiltration: DNS is used as an open transport layer. A public authoritative DNS server stores the malware payload encoded in TXT records. The malware then acquires and combines the data from several DNS responses.
- Data exfiltration: DNS is used as an open transport layer. The infected end host can exfiltrate data in two ways: 1) as a prefix in queries, e.g., encoded-base32-data.exfiltration-domain.com; and 2) in the data of a TXT record, e.g., data1.exfiltration-domain.com TXT base64-encoded-data. A public authoritative DNS server then logs all the queries and rebuilds the original data.
- Domain generation algorithm (DGA): The malware locates its C2 server by domain name instead of by IP address. The malware uses a built-in algorithm to determine which domain name should be used. Using such algorithmically generated domains allows the malware to evade IP blocking by firewalls and IPS. More information on DGA is here.
- Fast flux: Malware communication relies on domain names, and the TTL of the A records returned is very low, allowing the IP address in use to change quickly. This lets attackers evade IP blocking by firewalls and IPS. To learn more about detecting new threats that don’t have any history, check out this archived FB live session with two Infoblox experts.
We have also observed increasing usage of:
- NOD lookalike: newly observed domains (NOD) that look like other domains, such as “bankofamerial.com” or “goggle.com”. These can be phishing sites or hijacking attempts, relying on user typos or on visual confusion in a hyperlink, as Krebs on Security details well here.
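As an added illustration of the tells described in both lists above (encoded query prefixes, DGA-style names, low-TTL answers and lookalike domains), here is a small Python classifier run over a constructed set of resolver records. It is example code written for this post, not Infoblox’s detection logic; the sample log, the brand list and every threshold are assumptions chosen to make each check fire once.

```python
import re
from collections import defaultdict

# Constructed sample resolver records (qname, qtype, answer TTL); not real traffic.
SAMPLE_LOG = [
    ("www.example.com", "A", 3600),
    ("mfrggzdfmztwq2lknnwg23tpobyxe43uojwgk.exfiltration-domain.com", "A", 300),
    ("xkqzvbtnplwrygh.com", "A", 30),
    ("bankofamerial.com", "A", 3600),
    ("goggle.com", "A", 3600),
]
BRANDS = ["bankofamerica.com", "google.com", "example.com"]  # hypothetical protected list

def registered_domain(qname):  # last two labels; stand-in for public-suffix handling
    return ".".join(qname.lower().strip(".").split(".")[-2:])

def has_encoded_prefix(qname, min_len=20):  # prefix exfil: long base32-alphabet label
    labels = qname.lower().split(".")[:-2]
    return any(re.fullmatch(r"[a-z2-7]{%d,}" % min_len, lbl) for lbl in labels)

def looks_generated(qname, min_len=12, max_vowel_ratio=0.2):  # DGA: long SLD, few vowels
    sld = registered_domain(qname).split(".")[0]
    return len(sld) >= min_len and sum(c in "aeiou" for c in sld) / len(sld) <= max_vowel_ratio

def edit_distance(a, b):  # Levenshtein distance, used by the lookalike check
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(qname, brands=BRANDS, max_dist=2):  # NOD lookalike: near a brand, not equal
    dom = registered_domain(qname)
    return next((b for b in brands if dom != b and edit_distance(dom, b) <= max_dist), None)

def classify(log, low_ttl=60):  # map each qname that trips a check to its set of flags
    flags = defaultdict(set)
    for qname, qtype, ttl in log:
        if has_encoded_prefix(qname):
            flags[qname].add("exfil-prefix")
        if looks_generated(qname):
            flags[qname].add("dga-like")
        if (brand := lookalike_of(qname)) is not None:
            flags[qname].add("lookalike:" + brand)
        if qtype == "A" and ttl <= low_ttl:  # a very low TTL is the fast-flux tell
            flags[qname].add("low-ttl")
    return dict(flags)
```

Run against the sample, only the benign www.example.com record comes back unflagged; in production these heuristics belong on top of resolver logs and an allowlist, since CDNs also use low TTLs and some legitimate names have odd spellings.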
Infoblox Protects Anywhere
Infoblox’s approach is to protect devices no matter where they are being used – on premises, roaming, or in remote or branch offices without requiring any user authentication or action.
To deliver protection anywhere, the Infoblox ActiveTrust solution can be deployed in multiple ways, including on premises and off premises. On-premises, you can use Infoblox NIOS appliances to protect and identify the infected end host. Also, a complementary container or VM (DNS forwarding proxy) can be deployed to forward internal DNS queries to your existing internal DNS architecture and all other DNS queries to Infoblox ActiveTrust Cloud.
Off premises, you can leverage ActiveTrust Endpoint to protect devices. A Windows and macOS client agent can be deployed using SCCM or McAfee ePO.
Enforce Custom Security and Content Policy
ActiveTrust leverages threat intelligence and advanced machine learning that can be configured to protect your organization, enforcing its custom policy of log, block or redirect. The solution provides:
- Reputation feeds that include domain names and IP by category of malware, such as MalwareDownload, MalwareC2, ExploitKit, Phishing, CompromisedHost, Bot and APT
- Machine learning, using neural networks and advanced AI, to detect and mitigate data infiltration, data exfiltration, domain generation algorithms, fast flux and NOD lookalikes
- Partnership with leading content categorization vendors, such as McAfee, to categorize content and enforce policies at the DNS level
The image shown below illustrates content categorization capabilities available in ActiveTrust.
Gain End-to-End Visibility
For your on-premises network infrastructure, visibility is provided up to the end host IP, even with complex, multilayer DNS architecture. And for devices that are off premises, ActiveTrust Endpoint sends device name and MAC address with each DNS request. In addition, the solution’s Cloud Service Portal provides a single pane of glass for all security events.
Leverage Integration and Automation
Because ActiveTrust traces the end host IP or device name and MAC address on and off premises, response actions can be taken by third-party security solutions, including:
- SIEM: Fully qualified events are shared with the SIEM along with threat intelligence and network intelligence data (IPAM metadata), allowing response teams to identify, prioritize and organize the response to an infection campaign (see the Splunk application example)
- Vulnerability assessment: A device audit can be triggered on demand when a security event is detected by ActiveTrust
- Network access control (NAC): Infected devices can be automatically put into a quarantine network until IT teams can perform manual remediation
- Next-gen endpoint: End host IP and (malicious) requested fully qualified domain name (FQDN) are sent to the next-gen endpoint solution, which identifies which process has triggered this request and can terminate it locally and quarantine it on all devices within the organization
The image below illustrates the breadth and coverage of Infoblox Partner Ecosystem.
A Comprehensive Approach to DNS Security
Traditional approaches to security are no longer effective, requiring companies to rethink their enterprise security architectures. One very effective place to start is with a DNS security solution that covers you both on premises and off. Infoblox makes it easy with ActiveTrust, which integrates with your existing security solutions and shares threat intelligence – strengthening your overall security posture.