In my last blog, I reviewed some of the major security trends in 2013. Today, I want to turn an eye to 2014. If you haven't read it yet, Zscaler recently published its 2014 Security Cloud Forecast. One of our predictions is that DNS will become more central to cyber attacks and cyber security.
The high-profile attacks are an indication that even major organizations (with major security budgets) are seeing attackers in their networks, often for a long period of time. That doesn’t mean that these are the only networks being compromised, just that those attacks made the headlines.
Assume, then, that attackers are waltzing in and out of your network. How could you know that was happening?
Attackers have been using DNS trickery to set up their command-and-control servers and keep them under the radar. Analyzing DNS traffic—an infrequent practice for most companies—can help you see evidence of these attacks.
Specifically, look for young domains, odd domains that only a few IP addresses are querying, and a preponderance of failed lookups. Attackers attempt to keep their command-and-control servers under wraps by registering new domains; defend against this by blocking domains that are less than 24 hours old. Look for traffic to unique and esoteric domains; a lot of traffic to an odd domain from one or two internal systems could well indicate communication with a command-and-control server. (Since malware moves laterally through the organization, don’t limit your DNS detective work by the number of client systems querying the domain: a domain contacted by many hosts can be just as suspicious.)
Finally, look for failed lookups. These could indicate new malware infections: the newly infected system strives to call back and download more malware, trying a large number of domains without reaching them. That pattern is consistent with attackers setting up and tearing down domains to avoid detection, often using domain generation algorithms to create new random domains. Since the ability of the malware to reach the command-and-control server is critical, the malware is designed to persist until it reaches a valid domain, trying and failing as many times as needed.
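The three checks above (young domains, heavy traffic to an unusual domain, and hosts with many failed lookups) can be run over ordinary resolver logs. The script below is an added example written for this post, not Zscaler's code or any product feature; the log lines, registration dates, allowlist and thresholds are constructed for illustration, and the `REGISTRATION_DATES` table stands in for the WHOIS or passive-DNS "first seen" lookup a real pipeline would perform.

```python
"""Three DNS-log checks for command-and-control activity: young domains,
unusual domains with concentrated query volume, and hosts with many failed
lookups. All sample data below is constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: "<timestamp> <client-ip> <queried-domain> <rcode>".
SAMPLE_LOG = """\
2014-01-15T09:00:01 10.0.0.5 www.example.com NOERROR
2014-01-15T09:00:02 10.0.0.5 mail.example.com NOERROR
2014-01-15T09:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2014-01-15T09:00:04 10.0.0.9 www.example.com NOERROR
2014-01-15T09:00:05 10.0.0.9 cdn.example.net NOERROR
2014-01-15T09:01:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:02:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:03:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:04:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:05:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:06:00 10.0.0.23 qz7k1m.example.org NOERROR
2014-01-15T09:10:00 10.0.0.47 www.example.com NOERROR
2014-01-15T09:10:01 10.0.0.47 hg4tq2wl.example.org NXDOMAIN
2014-01-15T09:10:02 10.0.0.47 pv9xm3kd.example.org NXDOMAIN
2014-01-15T09:10:03 10.0.0.47 rt6bn8zc.example.org NXDOMAIN
2014-01-15T09:10:04 10.0.0.47 lm2yw7qa.example.org NXDOMAIN
2014-01-15T09:10:05 10.0.0.47 dk5fs1xe.example.org NXDOMAIN
2014-01-15T09:10:06 10.0.0.47 ou3jh9vb.example.org NXDOMAIN
2014-01-15T09:10:07 10.0.0.47 za8ce4mn.example.org NXDOMAIN
2014-01-15T09:10:08 10.0.0.47 wb1pl6gt.example.org NXDOMAIN
"""

# Constructed stand-in for a WHOIS / passive-DNS "first seen" lookup.
REGISTRATION_DATES = {
    "www.example.com": datetime(2004, 6, 1),
    "mail.example.com": datetime(2004, 6, 1),
    "cdn.example.net": datetime(2009, 3, 12),
    "qz7k1m.example.org": datetime(2014, 1, 15, 7, 30),  # registered hours ago
}

# Constructed allowlist of domains known to be legitimate in this environment.
KNOWN_GOOD = {"www.example.com", "mail.example.com", "cdn.example.net"}

# Fixed "now" so the example is reproducible.
NOW = datetime(2014, 1, 15, 12, 0)


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, domain, rcode = parts
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "client": client,
            "domain": domain.lower().rstrip("."),
            "rcode": rcode.upper(),
        })
    return records


def young_domains(records, registration_dates, now=NOW, max_age=timedelta(hours=24)):
    """Successfully resolved domains registered less than max_age ago.
    Domains with no registration record are skipped, not flagged."""
    seen = {r["domain"] for r in records if r["rcode"] == "NOERROR"}
    return {d for d in seen
            if d in registration_dates and now - registration_dates[d] < max_age}


def concentrated_domains(records, known_good=KNOWN_GOOD, min_queries=5):
    """Non-allowlisted domains resolved at least min_queries times.
    The distinct-client count is reported as context, not used as a filter:
    once malware has moved laterally, many hosts may query the same C2 domain."""
    queries = defaultdict(int)
    clients = defaultdict(set)
    for r in records:
        if r["rcode"] != "NOERROR" or r["domain"] in known_good:
            continue
        queries[r["domain"]] += 1
        clients[r["domain"]].add(r["client"])
    return {d: {"queries": n, "clients": len(clients[d])}
            for d, n in queries.items() if n >= min_queries}


def failing_hosts(records, min_failures=5):
    """Clients with at least min_failures NXDOMAIN responses; a single typo
    does not trip this, a burst of unresolvable random names does."""
    totals = defaultdict(int)
    failures = defaultdict(int)
    for r in records:
        totals[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failures[r["client"]] += 1
    return {c: {"failures": f, "total": totals[c]}
            for c, f in failures.items() if f >= min_failures}


def analyze(text=SAMPLE_LOG):
    """Run all three checks over one log and return their findings."""
    records = parse_log(text)
    return {
        "young": young_domains(records, REGISTRATION_DATES),
        "concentrated": concentrated_domains(records),
        "failing_hosts": failing_hosts(records),
    }


if __name__ == "__main__":
    for name, result in analyze().items():
        print(f"{name}: {result}")
```

On the constructed log, the young-domain and concentrated-traffic checks both single out `qz7k1m.example.org` (queried six times by one host, registered a few hours earlier), while the failed-lookup check flags `10.0.0.47`, whose eight NXDOMAIN responses out of nine queries match the call-back pattern described above; the lone typo from `10.0.0.5` stays below the threshold. Thresholds and the allowlist would be tuned to the volume and baseline of a real environment.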