Previously, I blogged about what DNS tunneling is and how criminals and malware use it to exfiltrate data out of your network. We also covered two strategies for detecting tunneling activity: by volume and by signature. As we noted at the time, these DNS tunnel detection strategies are accurate, fast, and have no impact on performance. If you’d like a review, here is the link to the previous blog.
These detection techniques are quick and very effective. However, they rely on a signature of known activity to decide that a given request is part of a tunnel. Given the dynamic nature of today’s threat landscape, we also need a way to detect DNS tunnels, including zero-day data exfiltration over DNS, from their behavior alone. Today, I am excited to announce the release of Infoblox’s first behavioral learning analytics solution, Infoblox DNS Threat Analytics.
DNS Threat Analytics represents a huge new capability for Infoblox and demonstrates yet another successful technology concept that was developed by our Advanced Technology Group and productized by our engineering team. In fact, the ATG team has built a dream lab for DNS threat research over the past few years.
In that lab, the team has built a modern big data architecture for processing terabytes of raw data, sifting through it with current analytics techniques, and surfacing new DNS threats as they begin to happen. Into this digital playground the team feeds more than a terabyte of new DNS data from the internet every day.
Figure 1 shows a snapshot of threats (in this case, DNS tunnels) the team found on the internet on a typical day.
With this data and tooling, the team has developed many algorithms for detecting interesting DNS traffic based on the pattern of requests made by DNS clients. The techniques developed against real DNS data are then used to train streaming analytics modules that detect these behaviors directly on Infoblox DNS-serving Grid members.
These experiments have yielded many useful tools and techniques, several of which are already part of Infoblox security products. We chose DNS tunneling and data exfiltration over DNS for our first full analytics module for one simple reason: it is one of the most dangerous problems facing enterprises worldwide, and one for which there are no other good solutions for detection or prevention. Our research has shown that the only workable way to detect DNS tunnels, especially those that encode data in the labels of A or AAAA queries rather than in large chunks of text carried in TXT records, requires a machine learning approach. Products such as next-generation firewalls and intrusion prevention systems simply cannot retain or process the volume of data needed to detect these threats.
OK, but how does this all work? First, the streaming analytics module is built directly into your Infoblox DNS server and works alongside our existing DNS security features. Once the External DNS Security module (if present) has decided that a request is not part of a DDoS or protocol attack, and DNS Firewall has confirmed that the target is not on a known threat list, every query and response is evaluated by the analytics model.
If a request is deemed to be tunneling, the server adds the destination to the BIND RPZ (Response Policy Zone) of your choice. This gives the administrator the ability to log, block, or redirect any further tunneling request instantly on any appliance equipped with Infoblox DNS Firewall or Internal DNS Security. Your entire enterprise is thereby protected from further DNS tunneling or data exfiltration to that destination, and you are alerted to a possible security incident.
The model itself uses many factors to decide whether a given set of DNS queries is tunneling or legitimate traffic. Each factor is weighted by how much it contributes to the overall decision, and the weighted scores are added up; if the total reaches a threshold, the session is declared tunneling. In plain English, the algorithm starts by measuring how much information (entropy) a query name carries, that is, how random its labels look.
So a query like “tht534x8001xrtuzka” is far more interesting than “host” or “11111111000011”. We also look much more closely at destination DNS servers that receive a very high frequency of such requests. After all, DNS answers are normally cached; a tunnel has to put a never-before-seen name in each query so that every request reaches its server, and it is very unusual for a large number of requests to a single domain to bypass the cache.
However, these factors alone cannot identify tunneling. Many hosts on the internet use very long hostnames, and such destinations can be quite popular; content delivery networks are the best example, but there are many others. Additional steps must therefore be taken to ensure that these hostnames are not mislabeled as tunnels. We do this by examining the lexical and n-gram features of the request to judge whether the name looks like an encoded string or like natural language. This filters out names such as “server1_rack5_row17_floor3_fifth_ave_NY_NY_USA_NA.company_data.content_network.com” and the like.
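To make the three factors above concrete, here is a small worked example that scores a constructed query log with the same ingredients (label entropy, a per-domain burst of never-repeated names as a cache-miss proxy, and an n-gram "naturalness" filter that rescues long descriptive hostnames), then emits the RPZ records an administrator would use to log, block or redirect the flagged destination. This is an added illustration, not Infoblox's model or code: the weights, threshold, bigram list, sample log and the hypothetical `exfil.example` tunnel domain are all assumptions chosen for the demonstration.

```python
"""Toy behavioural DNS-tunnel scorer: entropy + per-domain burst + n-gram
naturalness, combined as a weighted sum, with BIND RPZ output for hits.
Added example; weights, threshold, bigram table and sample data are assumed."""
import math
from collections import defaultdict

# Constructed sample query log (client, qname, qtype). Not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "host.corp.example", "A"),
    ("10.0.0.7", "server1-rack5-row17-floor3-fifth-ave-ny.cdn.example.net", "A"),
    ("10.0.0.7", "server1-rack5-row17-floor3-fifth-ave-ny.cdn.example.net", "A"),
    ("10.0.0.9", "11111111000011.example.org", "A"),
] + [
    # Hypothetical tunnel client: a fresh high-entropy label on every query,
    # so no answer is ever served from cache and each query reaches the server.
    ("10.0.0.23", label + ".t.exfil.example", "AAAA")
    for label in ("tht534x8001xrtuzka", "q9z2mv7k0pxw3hl5ab", "b8n4ycd1r6ts0jq2ef",
                  "m2k7hx9vwp4zq1lr5y", "e5t0jn8bdg3ak6xc2u", "z1w4fp7mhs9qr3vt8l",
                  "c7y2lk5dqe0xa4nj9g", "r3v8mz1tph6kw2sb5f", "u9g4xq7ncj2fy0ld3w",
                  "k6h1sb8wrt4mz3pe7q")
]

# Frequent English/hostname letter bigrams: a tiny stand-in for a trained model.
COMMON_BIGRAMS = set("""th he in er an re on at en nd ti es or te of ed is it al
ar st to nt ng se ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll
be ma si om ur ca el ta la ns di fo ho pe ec pr no ct us ac ot il tr ly nc et
ut ss so rs un lo wa ge ie wh ee wi em ad ol rt we ow ev""".split())

WEIGHTS = {"entropy": 0.25, "burst": 0.35, "unnatural": 0.40}  # assumed
TUNNEL_THRESHOLD = 0.65  # assumed; tune against your own traffic
BURST_N = 8              # distinct names to one domain that count as a full burst


def shannon_entropy(s):
    """Bits per character of s (0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((s.count(ch) / n) * math.log2(s.count(ch) / n) for ch in set(s))


def randomness(label):
    """Entropy normalised by the maximum possible for the label's length."""
    n = len(label)
    return shannon_entropy(label) / math.log2(n) if n > 1 else 0.0


def naturalness(label):
    """Share of the label's letter bigrams that are common English bigrams."""
    letters = "".join(ch for ch in label.lower() if ch.isalpha())
    bigrams = [letters[i:i + 2] for i in range(len(letters) - 1)]
    return sum(b in COMMON_BIGRAMS for b in bigrams) / len(bigrams) if bigrams else 0.0


def registered_domain(qname):
    # Assumption: last two labels. Production code should use the Public Suffix List.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def score_domains(log):
    """Return {registered_domain: score in [0, 1]} over the whole log window."""
    names = defaultdict(set)
    for _client, qname, _qtype in log:
        names[registered_domain(qname)].add(qname.lower())
    scores = {}
    for domain, qnames in names.items():
        leftmost = [q.split(".")[0] for q in qnames]  # the data-carrying label
        ent = sum(randomness(l) for l in leftmost) / len(leftmost)
        nat = sum(naturalness(l) for l in leftmost) / len(leftmost)
        burst = min(len(qnames), BURST_N) / BURST_N  # unique names => cache misses
        scores[domain] = (WEIGHTS["entropy"] * ent + WEIGHTS["burst"] * burst
                          + WEIGHTS["unnatural"] * (1.0 - nat))
    return scores


def detect_tunnels(log, threshold=TUNNEL_THRESHOLD):
    return sorted(d for d, s in score_domains(log).items() if s >= threshold)


# BIND RPZ actions: CNAME . => NXDOMAIN, CNAME *. => NODATA, CNAME rpz-drop. => drop.
RPZ_ACTIONS = {"nxdomain": ".", "nodata": "*.", "drop": "rpz-drop.", "passthru": "rpz-passthru."}


def rpz_records(domains, action="nxdomain", redirect_to=None):
    """Zone-file lines, relative to the RPZ zone's $ORIGIN, covering each
    domain and all of its subdomains; a CNAME to a real name redirects."""
    target = redirect_to.rstrip(".") + "." if redirect_to else RPZ_ACTIONS[action]
    lines = []
    for d in domains:
        lines.append(f"{d} CNAME {target}")
        lines.append(f"*.{d} CNAME {target}")
    return lines


if __name__ == "__main__":
    for domain, score in sorted(score_domains(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{score:.2f}  {domain}")
    print("\n".join(rpz_records(detect_tunnels(SAMPLE_LOG), "nxdomain")))
```

Run as-is, the long CDN hostname scores almost as high on raw entropy as the tunnel labels but is pulled back down by its natural-language bigrams and by the fact that the same name repeats (and so is served from cache), while the hypothetical tunnel domain is the only one to cross the threshold. Swap `"nxdomain"` for `"drop"` or pass `redirect_to=` to produce the drop or walled-garden variants of the RPZ entries.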
So how do I protect my network with this new technology? Simply put, it is baked into our NIOS 7.3 release, which is expected to be available in January. It is also available today as a special preview build, version 7.2.201 (free for a limited time, until 7.3 ships), on our support website.
Because of the memory and CPU requirements of the analytics algorithms, you will need a TE-2200 or larger platform. If you do not have TE-2200 or PT-2200 appliances, there is no need to upgrade your entire Infoblox Grid to take advantage of DNS Threat Analytics. The algorithms are designed to be deployed at a recursion layer in the network rather than at the DNS client edge, so a pair of appliances can be added at the top of your network to block DNS data exfiltration there.
You will want DNS Firewall licenses for all your edge servers so that they receive the RPZ updates and can block the exfiltration destinations detected by DNS Threat Analytics. Virtual form factors work well for the analytics solution if virtual machines fit better into your enterprise architecture.
Similar techniques can be used to protect networks that run non-Infoblox DNS products: add a layer of Infoblox DNS in the forwarding/recursion path, and your network can be protected from data exfiltration via DNS.
I hope this new security capability has you as excited as I am. Closing the door on DNS data exfiltration out of networks will make everyone safer from the impact of data leaks, and make it much harder for malware to proliferate inside your network. I’d encourage everyone to contact your Systems Engineer for help evaluating this technology in your network.
One final note: I have spent all my time today on DNS tunneling and data exfiltration. In the future, the DNS Threat Analytics infrastructure will let us publish more models that detect and protect against other DNS threats. The future will be exciting!