What are they and how can they be utilized to protect your company from the latest malware or ransomware
“If you think you’re already covered by some other DNS protection mechanism, think again!”
Introduction
When I first joined Infoblox I didn’t know squat about Response Policy Zones (RPZs). This elegant and simple yet highly effective mechanism is the best front-line defense to protect your users from phishing, malware, ransomware and general bad stuff on the Internet. If you think you are already covered by some other DNS protection mechanism, think again! Before you stop reading, give me 10 minutes to share why RPZ and Newly-Observed Domains (NOD) feeds are special and indispensable to your cybersecurity arsenal.
“The RPZ mechanism was developed by the Internet Systems Consortium led by Paul Vixie as a component of the BIND Domain Name Server (DNS). It was first available in BIND release 9.8.1 released 2010, and first publicly announced at Black Hat in July, 2010” (RPZ – wikipedia). This solution was originally called a DNS Firewall, and while catchy, this name can be a bit confusing as it is not really a firewall at all. It’s more like giving the DNS server the ability to bypass its normal behavior of simply handing the client the IP address of the DNS name the client asked it to resolve. It allows the DNS administrator to tell the DNS server to “lie” to the client and redirect the request attempting to reach a “known bad domain” somewhere else. (Paul Vixie and Cricket Liu, Take a Deeper Dive on DNS and RPZ). Response Policy Zones have become table stakes for DNS servers and a foundation of any comprehensive cyber defense strategy. While the DNS experts have been saying this for years, the rest of the cybersecurity community is just now starting to understand how powerful this mechanism can be. (CISA & NSA)
So why am I going on about RPZs and what does it have to do with NOD feeds? Well, you have to understand RPZs before NOD feeds will make any sense. Think of RPZs as the record player and threat intelligence data (usually delivered as feeds) as the records that you can play on the record player. (see RPZ Sidebar)
RPZ Sidebar
The brilliance of the Response Policy Zone (RPZ) is the use of the underlying DNS infrastructure. There are three (3) basic components to RPZs.
- Threat Intelligence Data
- Distribution of Threat Intelligence
- Policy Enforcement
The Internet Systems Consortium (ISC) created a special DNS zone, the Response Policy Zone (RPZ), in which domains or IP addresses are stored as triggers. This DNS zone also lets the administrator define policies that take an action (log, block or redirect).
It’s important to mention that this mechanism only protects traffic that is destined for the Internet (outbound recursive traffic). So, when any device makes a DNS request to the Internet, this zone is checked. If the name is found in the Response Policy Zone, the server takes the action the policy defines.
All zones and policies are automatically updated through the DNS infrastructure. Threat intelligence data can be free feeds or paid feeds and you can even create custom feeds. Typically, the paid feeds can be configured to automatically update, while the free feeds may require more manual updates.
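To make the three components concrete, here is an added example (my own illustration, not Infoblox or ISC code) of how a resolver evaluates the QNAME triggers in an RPZ: it parses the zone records, honours the standard CNAME encodings for the actions (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` for allow-listing, any other target for a redirect, plus A/AAAA local data), checks policy zones in configured order so an allow-list zone listed first wins, and prefers an exact trigger over the closest enclosing wildcard. The zone names, domains and the `walled-garden.corp.example` sinkhole are constructed sample data, and the precedence rules are a deliberate simplification of what a full resolver does.

```python
"""Minimal evaluator for Response Policy Zone (RPZ) QNAME triggers.

Added illustration: parses the QNAME-trigger records of one or more RPZ
zone files and decides what the resolver would hand back to the client.
All zone contents and names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# How RPZ encodes policy actions in the CNAME target.
CNAME_ACTIONS = {
    ".": "NXDOMAIN",               # CNAME .             -> "the domain does not exist"
    "*.": "NODATA",                # CNAME *.            -> name exists, no records
    "rpz-passthru.": "PASSTHRU",   # CNAME rpz-passthru. -> allow-list, stop processing
    "rpz-drop.": "DROP",           # CNAME rpz-drop.     -> no response at all
}


@dataclass
class Verdict:
    action: str                    # NXDOMAIN, NODATA, PASSTHRU, DROP, REDIRECT, LOCAL_DATA or RESOLVE
    zone: Optional[str] = None     # policy zone whose rule fired
    trigger: Optional[str] = None  # owner name that matched
    target: Optional[str] = None   # redirect CNAME or local A/AAAA data


class PolicyZone:
    """One RPZ zone: maps trigger names to (record type, rdata)."""

    def __init__(self, name: str, text: str):
        self.name = name.lower().rstrip(".")
        self.rules: dict[str, tuple[str, str]] = {}
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].strip()    # drop comments
            if not line or line.startswith("$"):   # skip blanks and $TTL/$ORIGIN
                continue
            fields = line.split()                  # owner [ttl] [IN] type rdata
            rtype = next(f for f in fields[1:] if f in ("CNAME", "A", "AAAA"))
            owner, rdata = fields[0].lower(), fields[-1]
            if owner.endswith("."):                # absolute owner: strip the zone suffix
                owner = owner[:-1]
                if owner.endswith("." + self.name):
                    owner = owner[: -len(self.name) - 1]
            self.rules[owner] = (rtype, rdata)

    def lookup(self, qname: str) -> Optional[Verdict]:
        """Exact trigger first, then the closest enclosing wildcard (*.parent)."""
        labels = qname.split(".")
        candidates = [qname] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
        for trigger in candidates:
            if trigger in self.rules:
                rtype, rdata = self.rules[trigger]
                if rtype == "CNAME":
                    action = CNAME_ACTIONS.get(rdata.lower(), "REDIRECT")
                    target = rdata.rstrip(".") if action == "REDIRECT" else None
                else:
                    action, target = "LOCAL_DATA", rdata
                return Verdict(action, self.name, trigger, target)
        return None


class Resolver:
    """Checks policy zones in configured order; the first match wins, so a
    PASSTHRU hit in an earlier zone stops a later threat feed from blocking."""

    def __init__(self, zones):
        self.zones = [PolicyZone(n, t) for n, t in zones]

    def evaluate(self, qname: str) -> Verdict:
        qname = qname.lower().rstrip(".")
        for zone in self.zones:
            verdict = zone.lookup(qname)
            if verdict:
                return verdict
        return Verdict("RESOLVE")   # nothing matched: answer normally


# Constructed sample zones. The allow-list zone is listed first so that a
# partner domain that also shows up in a threat feed is still resolved.
ALLOW_LIST_RPZ = """
partner.example      CNAME rpz-passthru.
*.partner.example    CNAME rpz-passthru.
"""

THREAT_FEED_RPZ = """
$TTL 300
malware.example           CNAME .                           ; NXDOMAIN
*.malware.example         CNAME .
c2.example.net            CNAME walled-garden.corp.example. ; redirect to a sinkhole (placeholder)
phish.example.org         CNAME *.                          ; NODATA
tracker.example.org       A     127.0.0.1                   ; local data
*.partner.example         CNAME .                           ; allow-list zone above takes precedence
"""

RESOLVER = Resolver([("allowlist.rpz", ALLOW_LIST_RPZ), ("threat-feed.rpz", THREAT_FEED_RPZ)])

if __name__ == "__main__":
    for q in ("www.malware.example", "c2.example.net", "mail.partner.example", "example.com"):
        print(q, RESOLVER.evaluate(q))
```

Note that `*.partner.example` in the threat feed never fires for `mail.partner.example`: the allow-list zone is consulted first and its passthru rule ends processing, which is exactly why a local allow-list zone belongs ahead of vendor feeds in the policy order.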
“If you take nothing else away from this article, take this – when examined and tested, curated DNS threat intelligence feeds have less than an 11% overlap of unique domains.”
Okay, so now that we have an understanding of RPZs established, let’s get into the threat intelligence that is used to power an RPZ. There are MANY sources of threat intelligence, ranging from free, public, government and paid sources. Usually, you get what you pay for and the degree of unique, curated, timely and accurate threat intelligence is normally proportional to how much it costs. This cost can pay major dividends if you are blocking real threats with a high degree of confidence that will protect your organization and not trigger countless false positive tickets. The last thing you need is to burden your overworked SOC team even more! Premium threat intelligence vendors package their threat intelligence data into feeds which automatically push and update threat intelligence data via industry standard DNS zone update mechanisms. This automates the process of delivering and updating threat intelligence data used for RPZs.
If you remember only one thing from this article, take this – when examined and tested, curated DNS threat intelligence feeds have less than an 11% overlap of unique domains. Casting a large net of threat intelligence at the DNS layer ensures you have comprehensive coverage as each feed provides a unique view of the overall threat landscape. This is because every threat intelligence vendor has their own process when it comes to how they gather and curate IoCs (Indicators of Compromise); NOD feeds are an important piece of this puzzle.
“NOD feeds are the missing link against zero-day attacks we’ve needed for years and never had.”
Secret Weapon
A Newly Observed Domain (NOD) feed is a threat intelligence data feed that lists hostnames that have only recently appeared. These might be derived from new registrations (via registrars) or observed in traffic not seen on the Internet before. There are several companies that produce NOD feeds, but today I want to talk about one in particular – the Farsight NOD feed. This company was recently purchased by DomainTools and was founded by none other than Paul Vixie, the inventor of the RPZ. This company produces an extraordinary amount of unique data. As with all our providers, our intelligence team normalizes the feed before delivering it to our customers in an easily consumable manner. So, why is this a big deal? Well, intelligence requires time to research and validate. After a new domain is first seen, it takes time to identify and categorize it before it’s finally added to the correct feed, such as Command and Control (C&C) or ransomware.
The NOD feed assumes a domain is guilty until proven innocent and keeps the newly observed domain in the feed for a 72-hour time to live. By the end of the 72 hours, hopefully the domain has either been categorized as malicious or been deemed benign, so no further quarantine action is required. Now before you scoff at the possibility of a new domain that your company may need to reach being blocked, the downside of this process is far smaller than the devastating impact a zero-day attack could inflict. You can always easily add any new or critical domain to an allow-list so there is no impact on business continuity. In my experience this is extremely rare.
Having a NOD feed provides a much larger net that will block millions of new, unique domains should they be malicious in nature. While most people are dependent on their firewall or DNS protection vendor to quickly identify and categorize the zero-day IoC, your company will already be protected by having the NOD feed in place.
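As an added illustration of the 72-hour quarantine and the allow-list safety valve described above (my own example, not Farsight, DomainTools or Infoblox code, and not their feed format), the following builds the RPZ zone a resolver would load from a NOD feed: every domain first seen within the window gets an NXDOMAIN rule for itself and all names under it, domains past the window age out on the next rebuild, and entries on the local allow-list are emitted as `rpz-passthru` records instead of being blocked. The observation timestamps, domain names and the `ns.corp.example` / `hostmaster.corp.example` apex names are constructed placeholders.

```python
"""Builds the RPZ zone text for a Newly Observed Domain (NOD) feed.

Added illustration with constructed data: a domain stays blocked for a
fixed quarantine window after it is first seen (72 hours here), and the
local allow-list is written out as rpz-passthru records so a new domain
the business depends on is never blocked.
"""
from datetime import datetime, timedelta, timezone

QUARANTINE = timedelta(hours=72)


def normalize(domain: str) -> str:
    return domain.strip().lower().rstrip(".")


def allow_listed(domain: str, allow_list: set[str]) -> bool:
    """True if the domain itself or any parent of it is on the allow-list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in allow_list for i in range(len(labels)))


def quarantined(first_seen: dict[str, datetime], now: datetime,
                window: timedelta = QUARANTINE) -> list[str]:
    """Domains first observed within `window` of `now`; timestamps in the
    future (clock skew, bad feed data) are ignored rather than trusted."""
    return sorted(
        normalize(d) for d, seen in first_seen.items()
        if timedelta(0) <= now - seen < window
    )


def build_nod_rpz(first_seen, allow_list, now, window=QUARANTINE, ttl=300):
    """Return (zone_text, blocked_domains): SOA/NS apex records, passthru
    rules for the allow-list, then NXDOMAIN rules for quarantined domains."""
    allow = {normalize(d) for d in allow_list}
    serial = now.strftime("%Y%m%d%H")       # hourly serial so each rebuild transfers
    lines = [
        f"$TTL {ttl}",
        # ns.corp.example / hostmaster.corp.example are placeholder names
        f"@ IN SOA ns.corp.example. hostmaster.corp.example. ( {serial} 3600 900 604800 {ttl} )",
        "@ IN NS ns.corp.example.",
    ]
    for d in sorted(allow):
        lines.append(f"{d} CNAME rpz-passthru.")
        lines.append(f"*.{d} CNAME rpz-passthru.")
    blocked = [d for d in quarantined(first_seen, now, window) if not allow_listed(d, allow)]
    for d in blocked:
        lines.append(f"{d} CNAME .")        # NXDOMAIN for the domain itself
        lines.append(f"*.{d} CNAME .")      # ... and for every name under it
    return "\n".join(lines) + "\n", blocked


# Constructed sample data: a fixed "current" time and a few feed entries.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
FIRST_SEEN = {
    "fresh-lure.example": NOW - timedelta(hours=1),    # brand new: quarantined
    "new-vendor.example": NOW - timedelta(hours=30),   # new, but on the allow-list
    "aged-out.example":   NOW - timedelta(hours=80),   # past the 72 h window
    "clock-skew.example": NOW + timedelta(hours=1),    # future timestamp: ignored
}
ALLOW_LIST = {"new-vendor.example"}

ZONE_TEXT, BLOCKED = build_nod_rpz(FIRST_SEEN, ALLOW_LIST, NOW)

if __name__ == "__main__":
    print(ZONE_TEXT)
```

Rebuilding the zone on a schedule is what makes the quarantine self-expiring: a domain that was blocked at one rebuild simply stops appearing once its first-seen time is more than 72 hours in the past, with no manual clean-up.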
Give it a NOD
So, to summarize, if you are not using DNS RPZs today, don’t wait! Having this set up correctly sweeps the knee of the bad guys and can eliminate a large number of incidents early on before they even get to the firewall. I’ve had customers tell me that RPZs lower firewall activity by as much as 60%. Any DNS-based protection is better than none, so do what works for your budget, and take some action to let the DNS system work for you.
Once your RPZs are in place, take a hard look at Newly Observed Domain feeds as they can provide unparalleled and proven early protection against zero-day attacks before they are able to harm your organization.
Remember: security is simple, so don’t complicate it! Thanks for reading! ADR