
What's in a name? The importance of DNS

CLINTON KARR
December 16, 2013 - 2 min read

In my last blog, I reviewed some of the major security trends in 2013. Today, I want to turn an eye to 2014. If you haven't read it yet, Zscaler recently published its 2014 Security Cloud Forecast. One of our predictions is that DNS will become more central to cyber attacks and cyber security.

The year's high-profile attacks are an indication that even major organizations (with major security budgets) are finding attackers inside their networks, often after they have been there for a long time. That doesn't mean these are the only networks being compromised, just that those attacks made the headlines.

Assume, then, that attackers are waltzing in and out of your network. How could you know that was happening?

Attackers have been using DNS trickery to stand up their command-and-control servers and keep them under the radar. Analyzing DNS traffic, something few companies do routinely, can reveal evidence of these attacks.

Specifically, look for three things: newly registered domains, odd domains that only a few internal IP addresses are querying, and a preponderance of failed lookups. Attackers keep their command-and-control servers under wraps by registering fresh domains; defend against this by blocking domains less than 24 hours old (which requires a source of registration dates, such as WHOIS or a domain-age feed, alongside your DNS logs). Look for traffic to unique and esoteric domains: repeated queries for an odd domain from one or two internal systems could well indicate communication with a command-and-control server. Use the client count to prioritize, not to filter. Since malware moves laterally through the organization, a domain queried by many internal systems is not thereby legitimate, so don't drop a suspicious domain from your DNS detective work just because the number of clients accessing it has grown.

Finally, look for failed lookups (NXDOMAIN responses). A burst of them from one host could indicate a new malware infection: the newly infected system strives to call back and download more malware, trying a large number of domains without reaching any of them. This is consistent with attackers setting up and tearing down domains to avoid detection, often using domain generation algorithms (DGAs) so that the malware and the operator independently compute the same stream of random-looking names, of which only a few are ever registered. Since reaching the command-and-control server is critical, the malware is designed to persist until it hits a live domain, trying and failing as many times as needed; the telltale sign is many distinct failing names from one client, not one misspelled name retried.
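The three heuristics above, run over DNS resolver logs, as an added example that is not part of the original post and not Zscaler code. The log lines, registration dates, and allowlist are constructed for the example; the log format (timestamp, client IP, queried name, response code) and the two-label rule for extracting the registrable domain are assumptions, and a real deployment would use the Public Suffix List and a live domain-age source.

```python
"""Toy triage of DNS resolver logs for the heuristics in the post:
newly registered domains, esoteric names queried repeatedly by few
hosts, and bursts of distinct failed lookups per client (DGA pattern)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): ts, client, qname, rcode.
SAMPLE_LOG = """\
2013-12-16T09:00:01Z 10.0.1.5  www.example.com      NOERROR
2013-12-16T09:00:02Z 10.0.1.6  www.example.com      NOERROR
2013-12-16T09:00:03Z 10.0.1.7  www.example.com      NOERROR
2013-12-16T09:00:05Z 10.0.1.5  mail.example.com     NOERROR
2013-12-16T09:01:00Z 10.0.1.9  kq3x7v.example.net   NOERROR
2013-12-16T09:01:30Z 10.0.1.9  kq3x7v.example.net   NOERROR
2013-12-16T09:02:00Z 10.0.1.9  kq3x7v.example.net   NOERROR
2013-12-16T09:05:00Z 10.0.1.12 ajsdkqwe.example.org NXDOMAIN
2013-12-16T09:05:01Z 10.0.1.12 pzxcvbnm.example.org NXDOMAIN
2013-12-16T09:05:02Z 10.0.1.12 qwertyui.example.org NXDOMAIN
2013-12-16T09:05:03Z 10.0.1.12 lkjhgfds.example.org NXDOMAIN
2013-12-16T09:05:04Z 10.0.1.12 mnbvcxza.example.org NXDOMAIN
2013-12-16T09:05:05Z 10.0.1.12 zxcvbnmq.example.org NOERROR
2013-12-16T09:06:00Z 10.0.1.5  typo.exmaple.com     NXDOMAIN
"""

# Constructed stand-in for a WHOIS / domain-age feed (hypothetical dates).
REGISTRATION_DATES = {
    "example.com": datetime(1995, 8, 14),
    "example.net": datetime(2013, 12, 16, 2, 0),  # registered hours ago
    "example.org": datetime(2012, 3, 1),
}
KNOWN_GOOD = {"example.com"}          # constructed allowlist
NOW = datetime(2013, 12, 16, 9, 10)   # "current time" for the sample


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client,
                        "qname": qname.lower().rstrip("."),
                        "rcode": rcode})
    return records


def registrable_domain(qname):
    # Assumption: last two labels. Real code needs the Public Suffix List.
    return ".".join(qname.split(".")[-2:])


def young_domains(records, reg_dates, now, max_age=timedelta(hours=24)):
    """Registrable domains seen in the log that were registered < max_age ago."""
    found = set()
    for r in records:
        base = registrable_domain(r["qname"])
        registered = reg_dates.get(base)
        if registered is not None and now - registered < max_age:
            found.add(base)
    return found


def esoteric_domains(records, allowlist, min_queries=3):
    """Names outside the allowlist that resolved repeatedly, with the number
    of distinct clients asking. The client count is reported for triage, not
    used as a cutoff: lateral movement can raise it without making the
    domain legitimate."""
    queries, clients = defaultdict(int), defaultdict(set)
    for r in records:
        if r["rcode"] != "NOERROR" or registrable_domain(r["qname"]) in allowlist:
            continue
        queries[r["qname"]] += 1
        clients[r["qname"]].add(r["client"])
    return {q: (n, len(clients[q])) for q, n in queries.items() if n >= min_queries}


def failed_lookup_bursts(records, min_failures=5):
    """Clients that failed to resolve many *distinct* names. One typo retried
    is noise; many unique NXDOMAINs from one host looks like a DGA callback loop."""
    failed = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN":
            failed[r["client"]].add(r["qname"])
    return {c: len(n) for c, n in failed.items() if len(n) >= min_failures}


def triage(log_text, reg_dates, allowlist, now):
    records = parse_log(log_text)
    return {"young_domains": young_domains(records, reg_dates, now),
            "esoteric_domains": esoteric_domains(records, allowlist),
            "nxdomain_bursts": failed_lookup_bursts(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, REGISTRATION_DATES, KNOWN_GOOD, NOW).items():
        print(key, value)
```

On the sample, the young-domain check flags example.net, the esoteric-domain check surfaces kq3x7v.example.net (three resolutions from a single host), and the failed-lookup check singles out 10.0.1.12 for five distinct NXDOMAINs while the one-off typo from 10.0.1.5 stays below the threshold. The thresholds are starting points; tune them against your own resolver's baseline before alerting on them.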
