Malicious adversaries are as sneaky as they are intelligent. They have the creativity and ingenuity to create malware and botnets that can bring an enterprise’s entire network to its knees, causing interruption of critical services and compromising sensitive, valuable data.
Bad actors rely on domain names: once a host is compromised, the malware uses a specific domain to reach its backend systems or Command & Control (C2) servers. If that domain never changed, defending against a botnet would be relatively easy, since a single bad domain can simply be blocked. For this reason, bad actors use a variety of domains, making the bad domain difficult to block, particularly if it is constantly changing.
Think of it this way: if someone throws you a single tennis ball, it's easy to catch. But if someone throws 100 tennis balls your way, what are the chances you're going to catch all of them? Enter Domain Generation Algorithms.
Essentially, domain generation algorithms (DGAs for short) generate a series of domains over time, keeping their back-end services constantly on the move. When the malware connects to a C2 server, adversaries remain undetected as they take control of their payload. How often domains are generated is entirely up to the adversary, who can design the DGA to produce new domains whenever they see fit.
Now, while these domains may seem random, they are generated systematically and follow patterns that the malware or botnet in question understands. Bad actors can configure the DGA to generate a new domain at whatever frequency is useful to them: every day, every hour or even every minute. And because the domains are self-generating, the malware can avoid being blocked. By remaining elusive it stays alive, and chances are that by the time one of the domains is detected and blocked, the malware has already spread somewhere else.
One of the dangers of DGAs is that they keep cyber security professionals and threat hunters constantly guessing as they try to find a commonality in where the domains are resolving among this mix of random-looking domains.
How can you protect yourself against DGAs?
One solution for detecting and protecting against DGAs lies in the DNS data: monitor the logs and queries. If you come across a high frequency of queries for non-existent domains (NXDOMAIN responses), chances are you're dealing with a DGA.
The malicious domains themselves are also structured differently from non-malicious domains. Malicious domains often consist of long, seemingly random strings of characters, whereas non-malicious domains are simpler to remember. By observing a collection of seemingly random domains, patterns eventually begin to emerge, either in the domains themselves or in the destinations the domains are trying to reach. This is one of the ways DNS Edge can detect domain generation algorithms.
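To make the two signals above concrete, here is an added example (not DNS Edge code, and not from the original post) that runs over a constructed DNS log: it counts NXDOMAIN responses per client and scores the queried label's length and character entropy, flagging clients that show both a burst of failed lookups and random-looking names. The log format, field order and thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log lines: <client IP> <queried name> <response code>.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 xk3q9vz7blpw.info NXDOMAIN
10.0.0.9 ph4r2ycmw8tq.net NXDOMAIN
10.0.0.9 q7lz0tvnkp3x.org NXDOMAIN
10.0.0.9 zj9w1cbm6hsy.com NXDOMAIN
10.0.0.9 cdn.example.net NOERROR
10.0.0.7 intranet.corp.local NXDOMAIN
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def label_features(name):
    """Length and entropy of the registrable label (the part left of the TLD)."""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return len(label), shannon_entropy(label)

def parse_log(text):
    """Yield (client, name, rcode) tuples from the assumed three-field format."""
    for line in text.splitlines():
        client, name, rcode = line.split()
        yield client, name, rcode

def flag_clients(text, nx_threshold=3, min_len=10, min_entropy=3.0):
    """Return {client: [random-looking NXDOMAIN names]} for clients that both
    exceed the NXDOMAIN threshold and queried at least one random-looking name."""
    nx_counts = Counter()
    random_names = defaultdict(list)
    for client, name, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue  # only failed lookups matter for this heuristic
        nx_counts[client] += 1
        length, ent = label_features(name)
        if length >= min_len and ent >= min_entropy:
            random_names[client].append(name)
    return {c: sorted(random_names[c]) for c in nx_counts
            if nx_counts[c] >= nx_threshold and random_names[c]}

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # only 10.0.0.9 is flagged
```

The short, memorable label in `intranet.corp.local` fails the length test, so a single internal typo does not trip the detector; only the client with repeated random-looking failures is reported.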
So yes, there is a high volume of data to comb through, and these domains do generate an overwhelming number of network log entries. However, there are always strategies, patterns and hints you can leverage to find that malicious domain needle in the haystack of DNS data.