DNS and the Challenge of Advanced Persistent Threats

Most cyber attacks are the online equivalent of a smash-and-grab robbery. Criminals tend to leave shortly after finding the information they are looking for, restricting network functionality, or performing an act cyber vandalism.

“Advanced persistent threat” is a term used for the opposite of a smash-and-grab. It’s the “long con” of cyber attacks. A term originally coined by the US military, advanced persistent threats are a breed of malicious network activity that require a new defensive posture. Often used by foreign intelligence services, they are the most common weapon of choice for attacks against critical infrastructure.

In an advanced persistent threat, malware is inserted onto the network and then left there, undetected, for months or even years. During this time, the malware may simply be dormant, or it may slowly search through the network for something worth stealing. When malicious actors decide the time is right, they move into the active phase of the attack, triggering the malware to execute on their long-term plan.

Advanced persistent threats are notoriously difficult to detect, and even harder to protect against. Since this kind of threat is internal and may not ping an outside network, the tactics used by detection software, filters and firewalls aren’t always effective.

Internal Network Defense

As the core of any network’s infrastructure, DNS data can play a critical role in identifying and eliminating advanced persistent threats. Most filters and firewalls are external-facing. They only track and trace malware as it interacts with areas outside the network. A client-facing DNS-based security strategy, on the other hand, can monitor and intercept threats as they move around inside a network.

Using DNS for internal network defense can also help to associate malicious activity with a particular client or server. Where an external-facing firewall, filter, or SIEM might alert IT security personnel that something isn’t right, a client-facing DNS monitoring system will pinpoint the infected computer directly, allowing administrators to take concrete action to mitigate the threat.

DNS infrastructure also offers the opportunity to set policies that can prevent the spread of advanced persistent threats within a network. If malware is designed to scan internal network drives for sensitive data, a DNS policy can prevent those connections by shutting down network traffic that originates from clients without a need to access that information. Even on clients with privileged access to sensitive data, DNS pattern analysis can often detect behavioral aberrations, the signatures of malware, and mitigate the threat.

Advanced persistent threats are a growing concern in the cyber security community – and for good reason. They are designed precisely to seep into network infrastructure in ways that are difficult to detect. A layered security strategy that includes the ability to monitor internal DNS traffic and set policies accordingly offers a stronger defense against this insidious threat.