Three is the magic number for DNS threat detection


By Dr Malcolm Murphy, systems engineering manager, Infoblox

No matter the vendor, every security product that performs some form of threat detection, including those that protect against Domain Name System (DNS) exploitation, is built on one or more of three methods – reputation, signature, and behaviour.

DNS is the address book of the Internet, without which an organisation’s networks stop working. Yet DNS is often left unprotected, a fact which, coupled with its inherently weak underlying foundations, hasn’t escaped the attention of cybercriminals.

Reputation is everything

The oldest of these methods, reputation, is also the most commonly used for threat detection.

Just as we check a product’s ratings before buying on Amazon, so a reputation-based feed informs enterprise firewalls for threat detection. When shopping, we consider a reputation more reliable the greater the number of reviews there are. Similarly, the reliability, accuracy and credibility of a reputation-based feed is largely based on the number of sources that contribute to it.

But it’s quality, not just quantity, that counts. The real strength of any feed comes from the calibre of the researchers contributing to it. For example, when deciding whether a domain should be blacklisted, only researchers can judge who, if anyone, is guilty by association. At the end of the day, a name is either on a list or it isn’t.

DNS firewalls save time and resources by checking both sides of a DNS transaction – queries and responses – against a reputation-based list at every iterative step. If there is no match, the query is allowed; DNS traffic created by bad actors is identified and stopped.

It’s all in the signature

Each online transaction has a unique signature, and so does each threat. All DDoS attacks that behave in a certain way, for example, will carry the same marker.

By looking for these specific signatures within every transaction, threat detection systems decide whether each transaction should be passed or denied. Too many identical signatures arriving at once will also be denied. While there’s nothing wrong with a TCP handshake, 10,000 per second is likely to be an amplification or flood attack.

It does take time to dissect and understand all aspects of an attack to establish its signature. But once it has been identified, it’s then very hard for cybercriminals to breach protected systems.

Identifying irregular behaviour

By first establishing what normal behaviour looks like, behavioural analytics can then identify abnormal behaviour. Unlike reputation and signature, behaviour-based threat detection can be applied to everything that happens, as it happens.

During a typical tunnelling attack or data exfiltration attempt, for example, the DNS queries used to transport the data are technically correct from a protocol standpoint, yet they look different from the legitimate queries that arise from normal usage.

Entries in DNS are typically meant to be understood by people, which means they look and feel like natural language in terms of length, letter frequency and other lexical properties. Tunnelled traffic, on the other hand, has different characteristics.

Sequences of DNS queries are analysed to see whether certain characters appear together too many times in the same string, e.g. four sixes in a row, or five sevens. These sequences are important to identify because that is not how human-readable names are formed. This is what encapsulated data looks like, and it suggests the presence of tunnelling or exfiltration.

The number of queries made to a particular domain during a given period, the answers returned, and whether the queries contain recognisable words are also taken into consideration.

These combined factors provide a behavioural score, which helps determine if DNS traffic is genuine or an exfiltration attempt.
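As an added illustration (not Infoblox's product logic), the following Python combines the lexical features described above – label length, letter frequency (Shannon entropy), runs of repeated characters, digit density and recognisable words – into a simple behavioural score, and counts query volume per registered domain. The sample query names, the word list and the thresholds are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample queries (not real traffic): ordinary lookups plus two
# hypothetical tunnelling-style names carrying hex/base64 payload chunks.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "cdn.images.example.com",
    "4a6f686e5f446f65" + "6" * 8 + "7" * 4 + ".t.example.net",
    "dGhpcyBpcyBhIHRlc3Q" + "6" * 4 + "0" * 4 + ".t.example.net",
    "login.example.com",
]
# Tiny stand-in for a dictionary of words commonly seen in human-chosen hostnames.
COMMON_WORDS = {"www", "mail", "cdn", "images", "login", "api", "ftp"}

def shannon_entropy(s):
    # Bits per character; natural-language labels score low, encoded data high.
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def longest_run(s):
    # Longest run of one repeated character: "aabbbbc" -> 4
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best

def behaviour_score(qname):
    """Lexical score for one query name; higher means less like human naming.
    Only host labels are scored; the last two labels are assumed to be the
    registered domain and TLD (a real deployment would use the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    score = 0
    for lab in labels[:-2]:
        if not lab:
            continue
        digit_ratio = sum(ch.isdigit() for ch in lab) / len(lab)
        score += 2 * (len(lab) > 20)               # long, machine-generated label
        score += 2 * (shannon_entropy(lab) > 3.5)  # encoded payloads are high-entropy
        score += 2 * (longest_run(lab) >= 4)       # runs such as "6666" or "0000"
        score += 1 * (digit_ratio > 0.4)           # words rarely contain many digits
        score -= 1 * (lab.lower() in COMMON_WORDS) # a recognisable word lowers the score
    return score

def queries_per_domain(qnames):
    # Query volume per registered domain over the window of observed names.
    return Counter(".".join(q.rstrip(".").lower().split(".")[-2:]) for q in qnames)

def flag_queries(qnames, threshold=4):
    # Names at or above the threshold are candidates for tunnelling or exfiltration.
    return [q for q in qnames if behaviour_score(q) >= threshold]
```

Running `flag_queries(SAMPLE_QUERIES)` returns only the two `t.example.net` names, while `queries_per_domain` shows which registered domain is attracting the unusual volume.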

Two is better than one

Each method has its strengths, and some are more suitable for detecting certain threats than others.

So security solutions often use more than one approach concurrently. For example, many firewalls use both signature and reputation, whereas others combine reputation and behaviour to help determine the nature of something executing on an endpoint.

Whether operating in isolation or in combination, the intelligent and analytical approach these methods take to identifying anomalies and potential threats in DNS activity is essential to stopping those threats before they become a real problem.