On January 10, the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) released a public alert about a DNS hijacking attack against telecoms and internet service/infrastructure providers. The attack was designed to gain unauthorized access to data held by government and sensitive commercial entities across Europe, North America, the Middle East, and North Africa. The attack relied on intimate knowledge of the targets’ networks. Early reports speculate that state-level actors may be involved.
What is DNS hijacking? The current wave of DNS hijacking attacks involves unauthorized changes to the delegation structure of domain names, replacing the addresses of the intended servers with the addresses of machines controlled by the attackers.
DNS used as an attack vector
While the attackers used different methods to compromise each network, the common thread was DNS. The attackers used “man in the middle” attack techniques to insert themselves into various parts of the resolution chain between servers, thus compromising DNS services.
In some instances, the attackers hijacked the victims’ corporate accounts at commonly used DNS proxy services. Using freely available tools, they then changed the certificates to redirect traffic to a domain controlled by the attacker. Since the certificates were legitimately created and associated with a known proxy service, the DNS queries appeared legitimate, successfully masking the DNS redirection at play.
What can you do?
Monitor your DNS traffic. Detecting sophisticated attacks like these requires an equally sophisticated level of visibility into DNS traffic. Research shows that 60% of companies don’t look into their DNS records at all.
Check DNS response data. Logging outbound queries is the first step, but ideally you also want the response data. In this particular attack, the response data differed from what the originating host would have expected. Examining response data patterns can identify the tell-tale signs of this type of attack.
Harden your recursive servers. There are several ways to protect recursive servers from unwarranted access and tampering, including network architecture, access controls, and physical device features.
Block DNS tunneling. The attack used DNS tunneling to establish command and control links within the victim’s networks. While there are some legitimate uses for DNS tunneling, it can indicate malicious activity when paired with other suspicious activity.
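The two detection recommendations above (compare response data with what the host should have received, and look for tunneling indicators) can be run over the same query/response log. The following is an added example, not BlueCat code and not from the NCCIC alert: it parses a constructed log format (time, client, qname, qtype, answer, authoritative nameserver), diffs each answer and authority against a constructed known-good baseline, and scores each zone for tunneling traits (many unique leftmost labels that are long and high-entropy, with a high share of TXT/NULL queries). The log format, thresholds, and the "last two labels = registered domain" shortcut are all assumptions.

```python
"""Baseline diff and tunneling heuristics over DNS query/response logs (added example)."""
import math
from collections import defaultdict

# Constructed sample records (not from the article). Fields:
# time client qname qtype answer authoritative_ns
SAMPLE_LOG = """\
2019-01-10T09:00:01 10.0.0.5 mail.example.com A 203.0.113.10 ns1.example-dns.net
2019-01-10T09:00:02 10.0.0.5 www.example.com A 203.0.113.11 ns1.example-dns.net
2019-01-10T09:05:07 10.0.0.7 mail.example.com A 198.51.100.77 ns1.rogue-dns.example
2019-01-10T09:05:08 10.0.0.9 mail.example.com A 198.51.100.77 ns1.rogue-dns.example
2019-01-10T09:06:00 10.0.0.12 kq4v9x2mz8aa3fpl7r2wq0bn1xz5c.t.example.org TXT ZGF0YTE= ns1.example.org
2019-01-10T09:06:01 10.0.0.12 hb8s3nq2yd7ke0uvc5mtz1xw4gp9rj.t.example.org TXT ZGF0YTI= ns1.example.org
2019-01-10T09:06:02 10.0.0.12 d3xv7pm1kq9zbt5hn2ry8wl0fcs4ug.t.example.org TXT ZGF0YTM= ns1.example.org
2019-01-10T09:06:03 10.0.0.12 w2lt6fz0cx9qrn4mh8vb3yk1pu7sej.t.example.org TXT ZGF0YTQ= ns1.example.org
2019-01-10T09:06:04 10.0.0.12 r9mc4kx1uz7bh3tq6np0yw5vg2sdfl.t.example.org TXT ZGF0YTU= ns1.example.org
"""

# Constructed known-good baseline: what an operator records from their own zone
# data and registrar delegation before an incident, so drift can be measured.
BASELINE = {
    "mail.example.com": {"answers": {"203.0.113.10"},
                         "ns": {"ns1.example-dns.net", "ns2.example-dns.net"}},
    "www.example.com": {"answers": {"203.0.113.11"},
                        "ns": {"ns1.example-dns.net", "ns2.example-dns.net"}},
}


def parse_log(text):
    """Parse the assumed six-field log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, answer, auth_ns = line.split()
        records.append({"time": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype.upper(),
                        "answer": answer, "ns": auth_ns.lower()})
    return records


def find_hijack_indicators(records, baseline):
    """One finding per (qname, answer, ns) combination that deviates from the baseline."""
    seen = defaultdict(set)  # (qname, answer, ns) -> clients that received it
    for r in records:
        expected = baseline.get(r["qname"])
        if expected is None:
            continue  # nothing to diff against for names outside the baseline
        if r["answer"] not in expected["answers"] or r["ns"] not in expected["ns"]:
            seen[(r["qname"], r["answer"], r["ns"])].add(r["client"])
    findings = []
    for (qname, answer, ns), clients in sorted(seen.items()):
        findings.append({"qname": qname, "observed_answer": answer, "observed_ns": ns,
                         "expected_answers": sorted(baseline[qname]["answers"]),
                         "expected_ns": sorted(baseline[qname]["ns"]),
                         "clients": sorted(clients)})
    return findings


def shannon_entropy(s):
    """Bits per character; encoded payload labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels approximate the registered domain. A real
    # deployment should consult the Public Suffix List (co.uk needs three labels).
    return ".".join(qname.split(".")[-2:])


def score_tunneling(records, min_unique=4, min_label_len=20, min_entropy=3.0):
    """Flag registered domains whose leftmost labels look like encoded payload."""
    per_domain = defaultdict(list)
    for r in records:
        per_domain[registered_domain(r["qname"])].append(r)
    flagged = {}
    for domain, recs in per_domain.items():
        labels = {r["qname"].split(".")[0] for r in recs}
        if len(labels) < min_unique:
            continue  # too few distinct names to call it a channel
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        txt_share = sum(r["qtype"] in ("TXT", "NULL") for r in recs) / len(recs)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[domain] = {"unique_labels": len(labels),
                               "mean_label_len": round(mean_len, 1),
                               "mean_entropy": round(mean_ent, 2),
                               "txt_share": round(txt_share, 2)}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for f in find_hijack_indicators(recs, BASELINE):
        print("HIJACK?", f)
    for d, s in score_tunneling(recs).items():
        print("TUNNEL?", d, s)
```

On the constructed log, the baseline diff reports the one name whose answer and authority both changed (mail.example.com served from a nameserver outside the delegation), along with the clients that received the rogue answer, which is exactly the "response differs from what the host expected" signal the text describes. The tunneling score flags example.org on the strength of its many long, high-entropy TXT labels, while example.com, with two short labels, is left alone. As the text notes, legitimate uses of such patterns exist, so the score is a triage input to be paired with other indicators rather than a block decision on its own.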
What BlueCat customers should do
BlueCat’s Intelligent Security customers are already collecting DNS query and response data. This enables them to both investigate suspicious queries (to malicious websites, for example) and uncover abnormalities on their network.
Review response data patterns. Intelligent Security currently provides visibility into query response data and Authoritative Nameserver data. Examining the response to a DNS query shows both where the answer came from (the authority) and where it pointed (the IP address). These are both critical pieces of intelligence when attempting to identify DNS hijacking campaigns.
Create policies based on the authority or response details of a query. Intelligent Security can block or monitor registrars with poor reputations. Even implementing these policies on a temporary basis can help to identify patterns of activity associated with this threat.
Create policies for purpose-built (IoT) devices. The security policies in Intelligent Security can limit DNS responses by device type. For IoT devices, they can also restrict which responses are allowed and which authoritative nameservers may provide them.
Use a hardened recursive server. BlueCat’s recursive servers are hardened against unwarranted access and tampering.
The power of Adaptive DNS
BlueCat’s Adaptive DNS solution offers powerful tools to identify and protect against sophisticated uses of DNS as an attack vector. It’s a powerful arrow in the quiver for both network and security teams, giving you:
- Service points that collect comprehensive logs of DNS requests and DNS traffic (including response data)
- The ability to block DNS tunneling on a targeted basis
- The ability to identify suspicious top level domains (TLDs)
- A hardened DNS recursive server design
Learn more about the internet security benefits of Adaptive DNS.