Cyber-criminals are constantly waging a cat-and-mouse game with threat researchers. Across the world, cyber-criminals rapidly create malicious domains as a base for launching cyber-attacks against organisations’ Domain Name System (DNS) infrastructure.
During this planting phase, there is a significant increase in the number of malicious domains associated with exploit kits and malware, the creation of which is monitored by the Infoblox DNS Threat Index.
In the second harvesting phase, the attackers start reaping the reward of the malicious domains they have created by launching attacks, stealing data, and generally causing harm to their victims. Traditionally, the number of malicious domains created will dip during this second phase, but recently the trend has changed. After dipping in Q3 2015, the Infoblox DNS Threat Index found the number of malicious domains created had rebounded in Q4 2015 to 128 - close to the record high of 133 seen six months previously in Q2 2015.
While it’s too early to judge definitively, it may indicate that we have entered a new phase of simultaneous and sustained planting and harvesting efforts, taking us into unknown territory.
The rise of the exploit kit
It appears that exploit kits have truly cemented their place as a popular purpose for those creating malicious domains. In Q4 2015, for example, Angler continued its reign as the top threat, although there was also an unexpected resurgence and rapid rise in use of the RIG exploit kit, illustrating how cyber-criminals are adapting older kits in order to implement new techniques and target new locations.
Exploit kits typically take advantage of vulnerabilities or security holes in browsers, operating systems, and popular software such as Java and Adobe Flash. Users are then exposed to the kits (and their payloads) either via spam or malvertising on compromised websites.
When an exploit kit is successful in delivering its payload onto a victim’s device, that payload is then able to operate behind the company’s or service provider’s firewalls. The exploit kit’s malware can spread to other devices on the network, and also communicate back to its command-and-control (C&C) server to download more malicious software or exfiltrate data. Very frequently, this communication between the C&C server and the infected device requires the use of DNS.
Exploit kits, along with command and control malware, phishing and other threats, use DNS as their backbone to achieve their final aims, whether that is mass malware infection or data exfiltration. It is therefore essential that organisations build security into their DNS infrastructure and share threat intelligence between network and security solutions to effectively mitigate these threats.
Securing DNS infrastructure
Deploying effective internal DNS security solutions can help protect against malware and advanced persistent threats (APTs) exploiting DNS and prevent the exfiltration of data using this vector, all without needing to change an organisation’s network architecture. Using a threat intelligence feed, kept up to date of known malicious destinations, an internal DNS security solution can monitor for, detect and stop DNS attacks, whether they be cache poisoning, or DNS tunnelling.
Employing DNS response policy zones (RPZs) on internal DNS, running in conjunction with threat intelligence, for example, enables a DNS appliance to intercept DNS queries associated with known malware and APTs. This effectively blocks the threat by interrupting communication with its external C&C servers and other botnets.
The internal solution should also be able to detect and prevent data exfiltration via DNS tunnelling. Establishing query thresholds, the solution will be able to detect any large UDP/TCP queries and responses, especially those repeated within a specific timeframe, to impede DNS tunnelling attempts. The solution then also cuts connection with any C&C servers, preventing them from exfiltrating data using standard network protocols, whilst reducing infections and preventing malware from breeding in the network at the same time.
DNS is too critical a component of network architecture to be left vulnerable. With exploit kits and other attack vectors exploiting its weaknesses to use it as a vehicle for their own pursuits, it is essential that organisations consider how they can use the intelligence garnered from their DNS to help secure their networks. By taking back control of the DNS, organisation can transform it from a network vulnerability into a great security strength.