The Greatest Art Heist in American History
Before we talk about how DNS can be exploited for data exfiltration, let’s talk about the greatest art heist in American history. In the early hours of March 18, 1990, while people were celebrating St. Patrick’s Day, two men disguised as police officers walked up to a side entrance of the Gardner Museum in Boston. They pressed the museum buzzer near the door, stated they were responding to a disturbance, and asked to be let in.
The guard on duty broke protocol and allowed them through the employee entrance. At the fake officers’ request, he stepped away from the watch desk. He and a second security guard were then handcuffed and tied up in the basement of the museum.
The thieves were inside for less than 90 minutes and stole 13 original works of art by world-renowned artists such as Rembrandt, Vermeer, Manet, and Degas from their frames. Despite a large reward, 25 years later there is still no sign of the artwork, valued at over $500M. Who pulled off the greatest art heist in American history? It is still a mystery.
Is Data Exfiltration Any Different? Not Really
Through data exfiltration, DNS can easily be used to covertly steal an organization’s crown jewels without anyone knowing that it is happening.
Data exfiltration is the unauthorized transfer of data from a computer. The transfer of data can be manual by someone with physical access to the computer or automated, carried out through malware over a network.
Like the art heist, data exfiltration can involve social engineering of an insider who unwittingly assists the intruders. Once in, the thieves can move laterally through the secure zone causing damage without being noticed, and circumvent the typical path to the organization’s valuable assets.
DNS is increasingly being used as a pathway for data exfiltration, either by malware-infected devices or by malicious insiders.
The DNS protocol, invented more than 30 years ago, is by nature trusted, yet vulnerable to hackers and malicious insiders. This is why DNS-based malicious attacks are the number one threat vector. Bad actors have an easy way in and an easy way out because of the openness of DNS and the lack of DNS controls such as inspection of outgoing traffic.
Organizations are generally loaded with firewalls, intrusion detection systems, antivirus software, and data loss prevention programs that inspect TCP (Transmission Control Protocol) and other network protocol traffic. But what many don’t realize is that traditional security measures typically don’t provide enough protection against DNS attacks, because they leave port 53 open in the firewall. Most organizations leave port 53 open and vulnerable because they want to ensure a good flow of traffic and let legitimate queries out so that the workforce can reach the resources they need. But in reality, what many are doing is installing a state-of-the-art front door while leaving the back window wide open. Bad guys know this and bypass the front-door security deployments by transporting sensitive data from inside to outside the organization – through the back window – all over DNS. This often occurs without inspection or detection.
How Data Exfiltration Over DNS Queries Works
An endpoint infected with malware gains access to sensitive data; this can be the result of a spear-phishing campaign targeting one of your employees. The data is then prepared for transport back to the attacker’s DNS server by encrypting and encoding it to hide the contents of the DNS query. The encoded text is broken into chunks and sent over DNS as hostname.subdomain labels or TXT records. On the attacker’s side, the exfiltrated data is decrypted and reconstructed. Because the data leaves as ordinary-looking DNS traffic, the communication is practically impossible for the majority of perimeter security tools to detect.
Make DNS Your First Line of Defense
Don’t just focus on your perimeter security. You can start making DNS your first line of defense by:
- Raise awareness of DNS and DNS security vulnerabilities in your organization. Who in your organization is responsible for DNS security? Charter a team or a person with looking specifically at DNS security.
- Leverage threat intelligence to protect your DNS traffic and block malware communication to Command & Control sites. Detect known threats and domains with a bad reputation, and use a blacklist to stop them. Most security practices rely on vendor-supplied blacklists to block known threats. The threat data in those blacklists should receive sufficient vetting and intelligence analysis to ensure accuracy and prevent false positives and false negatives.
- Perform security analytics on DNS traffic. Outbound DNS traffic is generally ignored. Take a close look at historical and current DNS query logs to identify anomalies or irregular patterns. The use of DNS for Command & Control tends to exhibit timing and payload deviations that can help you spot misuse. Look for: large DNS queries with high entropy, large TXT record responses, unusual network traffic such as connections from unexpected IP ranges overseas, and a high volume of NXDOMAIN responses (typically a sign of compromise).
- Detect malware on infected devices attempting connections to malicious domains. Know the exact machines making requests to malicious domains. Track down and remediate infections on the source computers.
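As an added illustration of the analytics step above (this is example code written for this page, not code from the original post or from Infoblox), the following pass runs the listed indicators over constructed resolver log lines: long query names, high-entropy labels, large TXT answers, and a high share of NXDOMAIN responses per client. The log format, the thresholds, and the rule that the last two labels form the registered domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic): client qtype qname rcode response_bytes
SAMPLE_LOG = """\
10.0.0.5 A www.example.com NOERROR 60
10.0.0.5 A mail.example.com NOERROR 64
10.0.0.5 TXT example.com NOERROR 120
10.0.0.9 TXT 3f9a1c7e5b2d80469e4c2a7f1b5d3086.a7d1f3b9c5e028465c2e8a0f4b6d1937.exfil.example NOERROR 900
10.0.0.9 A k3x9q.exfil.example NXDOMAIN 70
10.0.0.9 A p7w2z.exfil.example NXDOMAIN 70
10.0.0.9 A m8r4t.exfil.example NXDOMAIN 70
"""

def shannon_entropy(text):
    """Bits per character: 0.0 for one repeated symbol, 4.0 for evenly distributed hex."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def query_flags(qtype, qname, resp_bytes, max_len=52, min_entropy=3.5, max_txt=512):
    """Per-query indicators; thresholds are assumed starting points, tune them to your traffic."""
    flags = []
    labels = qname.rstrip(".").split(".")
    # Assumption: last two labels are the registered domain (real tooling uses the public suffix list).
    host_part = "".join(labels[:-2])
    if len(qname) > max_len:
        flags.append("long_query")
    if len(host_part) >= 20 and shannon_entropy(host_part) >= min_entropy:
        flags.append("high_entropy")
    if qtype == "TXT" and resp_bytes > max_txt:
        flags.append("large_txt_response")
    return flags

def analyze(log_text, nx_ratio=0.5):
    """Return {client: {flag: count}} for every client that shows at least one indicator."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "flags": Counter()})
    for line in log_text.splitlines():
        client, qtype, qname, rcode, resp_bytes = line.split()
        st = stats[client]
        st["queries"] += 1
        st["nxdomain"] += int(rcode == "NXDOMAIN")
        st["flags"].update(query_flags(qtype, qname, int(resp_bytes)))
    findings = {}
    for client, st in stats.items():
        if st["nxdomain"] / st["queries"] >= nx_ratio:  # NXDOMAIN burst from one client
            st["flags"]["high_nxdomain_ratio"] += 1
        if st["flags"]:
            findings[client] = dict(st["flags"])
    return findings
```

Running `analyze(SAMPLE_LOG)` reports only 10.0.0.9, with all four indicators; the benign client 10.0.0.5 triggers none of them.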
Don’t Become the Next Data Breach Victim
Data theft is one of the most serious risks to any enterprise. DNS is frequently used as a pathway for data exfiltration because it is not inspected by common security controls. DNS is the perfect enforcement point to improve your organization’s security posture: it is close to endpoints, ubiquitous, and in the path of DNS-based exfiltration. While DLP technology solutions protect against data leakage via email, web, FTP, and other vectors, most don’t have visibility into DNS-based exfiltration. To maximize your chances of fighting back against these data theft attempts, complement traditional data loss prevention with a DNS-based security solution.
Infoblox solutions can provide protection against even the most sophisticated data-exfiltration techniques, using unique behavioral analytics and machine learning. The solution leverages a fully integrated hybrid DNS-based security architecture that can protect devices anywhere – on-premises, roaming, or in remote offices.