1 WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware
2 How a DNS Firewall Helps in the Battle against Advanced As more and more information becomes available and is stored in electronic form, Advanced Persistent Threat (APT) actors will focus increasingly on breaching those networks and systems on which such data treasuries can be found. The definition breaks down into advanced, meaning that intelligence is gathered beforehand about the target, while persistent refers to consistent monitoring and interaction of the target organization in order to achieve the goal. The threat is that the actors are well-backed financially, are motivated and organized, and have intentionality and capability with specific objectives. These targeted attacks are more purposeful, resourceful and sophisticated than others experienced in the recent past. Though the incidence of these types of attacks is, as yet, small in comparison with the more familiar, automated or commoditized, broadly targeted electronic assaults, Advanced Persistent Threats can pose a much more serious menace to you and your valuable information. The Infoblox DNS Firewall can play a critical role in reducing the risk of data loss (or other damage) from Advanced Persistent Threat (APT) attacks, whether these are made for commercial criminal reasons or are driven by states/state-supported actors. While we acknowledge that there is no single magic bullet to protect against all such attacks, proper implementation of the Infoblox DNS Firewall will help to: Reduce the risk of initial infection Limit the spread of the infection Impede data exfiltration, and Result in earlier detection of APTs and thereby remove the persistent nature of the attack In order to explain how the Infoblox DNS Firewall helps protect against APT attacks, let s first examine the ways such attacks progress successfully from start to finish when no effective defense is in place. The Ideal APT attack When seen from the attackers point of view, the ideal APT attack occurs in four discrete stages, each of which is serially dependent on the successful execution of the stage preceding it. First, the malware must infect a victim, usually in one of three ways via a forerunner. Secondly, the actual APT must be downloaded into the victim. Third, the APT must call home and decide how far, when and where to spread. Lastly, in the fourth stage, the APT seizes its prize your valuable trove of data and exfiltrate it by uploading it to one of its collusive servers. Let s look at each of these four stages in detail to see just how APTs achieve their nefarious goals. 1 WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced
3 Stage 1 Initial infection Generally, attackers infect an organization with their malware in one of three ways: a) by sending malware s to persons within the organization; b) by infecting a website known to be frequented by people from the organization, commonly called a watering hole; and c) by direct physical connection. A) s attacks generally involve sending a plausible that contains either an initial malware executable (embedded in, say, a PDF document) or a link to an executable on a server. The initial infection begins the moment the recipient opens the attachment or clicks on the link, assuming his system is not protected against the attack vector. Since, typically, most attacks occur on zero-day, chances are very good that his system will not be protected. B) Watering Holes The infection may be made directly to a specific site wellfrequented by the users of the targeted organization for example, by exploiting a particular vulnerability in a known part of the base system (e.g., joomla or wordpress) or the infection may be encapsulated in one or more of the ads served on the site. In the latter case especially, smart attackers ensure that the malware is served only to computers whose IP addresses correspond to the external addresses of the organization in question, thereby reducing the likelihood of detection. The basic tactics of social media hacks, such as Facebook links, are essentially the same as those used in these watering hole infections, even though the context may be slightly different. C) Physical Connections Another effective but comparatively rare method of infection is by introducing the initial malware directly through a physical connection via a flash drive or similar device. The seminal victim is unwittingly tricked into installing the infected drive on his computer, thereby self-infecting the machine instantly. Once installed, methods of execution that work here are generally similar to the other two types. Some cases have been reported where the attacker has suborned an organization s personnel, say, one of the cleaning staff, into performing the installation intentionally. Stage 2 Download the Real APT In almost all cases, no matter the method used for infection, the first key action the initial malware performs is to download the real APT from a remote server. This real APT will be far more capable of carrying the malicious intent to fruition than will the initial infection, whose primary function is expressly to exploit known zero-day vulnerabilities. Stage 3 Spread and Call Home Once downloaded and installed, the first thing the APT will do assuming the initial malware has not already done so is disable any antivirus or similar software running on the now infected computer. Unfortunately, this minor but key task is usually not at all difficult. Then the APT will typically gather some preliminary data from its computer victim and any connected LAN, and will then contact a Command & Control (C&C) server to discover what to do next. 2
4 The C&C instructions may involve anything across a wide range of options from a simple remove yourself to a virulent command to aggressively scan for other vulnerable devices but in many cases the APT will simply be told to remain in place, quietly gathering data, and to ask periodically for further instructions. In those cases where the C&C instructs the APT to spread the infection, the APT will frequently attach a zero-day exploit to files that its victim touches or edits rather than noisily look for open/vulnerable computers. However, if the controllers are able to establish real-time two-way communication with the APT, the controllers can use clues gathered from the user s own files to identify the most promising avenues for further infection and can then instruct the APT to become more aggressive. As the APT spreads, the initial device may act as a proxy for other infected devices if it turns out that they do not afford direct external access. However, in most cases, each newly infected device will first attempt to call home directly to the C&C and will only use the proxy if, for some reason, it cannot connect to the C&C. Stage 4 Data Exfiltration A successful APT may identify terabytes of data that the attackers will want to see. In some cases, the APT will simply export these data via the same C&C servers from which they received instructions, but in many cases the bandwidth and storage capacities of the intermediate servers may be insufficient to transmit the data in a timely fashion. Moreover, the more steps involved in transferring the data, the more likely that someone will notice. Consequently, the APT is far more apt to contact a different server directly, essentially a dropbox, for the purpose of uploading all the data. The impact of a DNS firewall A DNS firewall can block, either temporarily or permanently, any of the stages noted in the description of an ideal attack. One of the key weapons in the defense arsenal is the fact that the bad guys on the Internet trust relatively few intermediate servers and networks. Consequently, these collusive servers and networks tend to get reused over and over again. Going back to the same well time and again heightens the chances that some, or all, of the server infrastructure used by the attackers can be discovered and categorized and, therefore, blocked. This infrastructure-specific insight gives a DNS firewall its strength and the ability to thwart APTs and similar malware. How the Infoblox DNS Firewall works Simply put, the Infoblox DNS Firewall does its job by checking both the domain names it is requested to resolve and the IP addresses it returns against a list of currently identified malicious domains and IP addresses. This means that while lookups to benign sites like are returned unchanged, lookups to domains that harbor malware or which are currently hosted on IP addresses known to harbor malware return an error (NXDOMAIN by default) instead of an answer. Infoblox compiles the list of current malicious locations from a variety of sources, ranging from publicly available data to proprietary data that is made available selectively. This critical list changes frequently, and Infoblox is careful to age out locations that are no longer malicious and compare all listed sites and IP addresses against the most current white-lists in order to eliminate false-positives. The scrubbed and refreshed lists are routinely transferred to the Infoblox DNS Firewall via standard DNS zone transfers, and the overall technical standard we use to implement the blocking is called Response Policy Zone. 3 WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced
5 Why list-checking blocks APTs Attackers employ DNS because the ability to redirect contact from a server that has been taken down is so useful to them. Fastflux botnets and related attack mechanisms utilize DNS to keep the involved hosts in a state of constant change in order to reduce the chance that a single takedown will impact the entire net. In most cases, APT malware just uses the DNS configuration provided to the computer it is infecting to minimize its chance of being detected. Blocking or alerting access attempts to other non-standard DNS servers is a simple rule that can be placed into SEIMs, IDSes and the like, and thus the APT will try to avoid generating such alerts by using the configured DNS servers. As a result, any DNS server running the Infoblox DNS Firewall is able to see every DNS lookup the malware makes. This awareness enables the DNS firewall to determine easily which attempts to block. Here s how the Infoblox DNS Firewall detects and stops APT attacks in each of the four stages: Stage 1 Initial infection A DNS firewall can detect and block both and watering hole attempts at infection, but in cases of physical connection, say, via a flash drive, clearly the DNS firewall will not be able to block this introduction of malware directly at the moment of infection. A DNS firewall may well stop mail delivery if the mail server is set to use Sender Policy Framework (SPF) and other similar mitigation techniques. Also, in cases where the malware is initially downloaded because the victim clicked on a link or visits an infected site in some way, the chances are quite high that the Infoblox DNS Firewall will block at least one link in the chain that leads to the initial exploit. The chain is present because an attacker is rarely willing to allow his carefully crafted zero-day APT to be stored on computers outside his control due to the chance of discovery. So typically the initial browser visit is redirected one or more times before ending up at the server that drops the exploit. Even if the final dropper server is unknown, the chances are quite high that at least one of the intermediate servers will be a known malware supplier and, thus, will be on the list as an entity to which the DNS firewall should block a lookup. Without the complete chain, the initial exploit will not be downloaded. Stage 2 Download the Real APT Even in cases where the exploit is introduced directly, the download of the real APT is another chance for the DNS firewall to block the attack. As with the exploit download described above, the chances are high that a server in the download chain will be known. In fact, it s quite likely that the attackers will reuse the DNS server employed to resolve the server name, and that IP address or domain name will be blocked by the DNS firewall. Stage 3 Spread and Call Home As in Stage 2, the call home servers, the domain names used to resolve them or the name servers used to resolve their names may be known to the DNS firewall. The APT may also have a backup non-dns-based call home method, but assuming that the DNS firewall logs are examined regularly for anomalies, the initial (failed) lookup using DNS will identify the infected device and allow for remediation. This failsafe mechanism dramatically reduces the persistence and, thus, the danger and very nature of the APT. 4
6 Moreover, DNS logs can help identify not just the initial infection but also the infected devices, as each one of these is likely to make similar DNS lookups in an attempt to call home. Stage 4 Data Exfiltration The servers used in the data exfiltration stage are less likely to be shared with other attackers, which could make them difficult to detect and identify. However, they are quite likely to be hosted overseas, and often they are located in countries with lax enforcement of Internet behavior. If the DNS firewall is provided with geographic filters that block such countries, then any attempt to use DNS resolution in those countries is blocked and exfiltration is stopped. As with Stage 3, it is possible that a fallback, non-dns-based method of contacting the dropbox server will exist, but again, it is highly likely that the first contact attempt will use DNS and, thus, the failure can be logged. Although this identification is late in the process, if the DNS firewall logs are examined regularly, there is a chance that the exfiltration can be interrupted in mid-upload, even if it is not fully prevented. Summary The Infoblox DNS Firewall is not a magic bullet that will stop all APTs, however it will block many of the initial infections by blocking the initial dropper and the download of the full APT. It will also quickly identify (if not block) subsequent attempts to call home. Should that effort fail because the collusive server infrastructure is not known, the DNS Firewall will subsequently identify infected computers by their attempts to call home for instructions. While this step does not stop the infection directly, it does allow for a timely response that ensures the threat is no longer persistent, even if it is advanced. Finally the geographic blocking abilities mean that the Infoblox DNS Firewall will impede and alert any ensuing data exfiltration stages that might begin to be executed. All told, stage by stage, the Infoblox DNS Firewall can play a critical role in reducing the risk of data loss or other damage due to Advanced Persistent Threat, and is currently the best available defense against this new and highly worrisome cyber danger. 5 WHITEPAPER How a DNS Firewall Helps in the Battle against Advanced
7 CORPORATE HEADQUARTERS: (toll-free, U.S. and Canada) EMEA HEADQUARTERS: APAC HEADQUARTERS: Infoblox Inc. All rights reserved. infoblox-whitepaper-dns-firewall-battle-adv-threat-malware-april2013
A Trend Micro Research Paper Suggestions to Help Companies with the Fight Against Targeted Attacks Jim Gogolinski Forward-Looking Threat Research Team Contents Introduction...3 Targeted Attacks...4 Defining
A Websense White Paper ADVANCED PERSISTENT THREATS AND OTHER ADVANCED ATTACKS: THREAT ANALYSIS AND DEFENSE STRATEGIES FOR SMB, MID-SIZE, AND ENTERPRISE ORGANIZATIONS REV 2 ADVANCED PERSISTENT THREATS AND
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
BELGIAN CYBER SECURITY GUIDE PROTECT YOUR INFORMATION This Guide and the accompanying documents have been produced jointly by ICC Belgium, FEB, EY, Microsoft, L-SEC, B-CCENTRE and ISACA Belgium. All texts,
SECURITY THREATS: A GUIDE FOR SMALL AND MEDIUM BUSINESSES What does an SMB need? A successful business works on the basis of revenue growth and loss prevention. Small and medium-sized businesses are particularly
CDM Software Asset Management (SWAM) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Table of Contents 1 PURPOSE AND SCOPE... 2 2 THREAT
G Data TechPaper #0271 Patch Management Best Practices G Data Development TechPaper_#0271_2013_05_07 Contents 1 Introduction... 2 1.1 Definition... 2 1.2 Significance... 2 1.3 Compliance... 3 2 Patch management...
10 Things Your Next Firewall Must Do Introduction Without question, your network is more complex than ever before. Your employees are accessing any application they want, using work or personal devices.
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
WHITE PAPER Network Security: A Simple Guide to Firewalls CONTENTS Why a Firewall Am I Really at Risk?................... 1 What Is a Firewall?......... 2 Types of Attack............ 2 Firewall Technologies........
95 95 9. Exercise: Large Scale Incident Handling Main Objective Targeted Audience Total Duration Time Schedule The main objective of the exercise is to teach incident handlers the key information and actions
V 1.0 November, 2010 CYBERSECURITY The protection of data and systems in networks that connect to the Internet 10 Best Practices For The Small Healthcare Environment Your Regional Extension Center Contact
Email Authentication Policy and Deployment Strategy for Financial Services Firms A PUBLICATION OF THE BITS SECURITY PROGRAM February 2013 BITS/The Financial Services Roundtable 1001 Pennsylvania Avenue
4 The Role of People in Security Even in the common affairs of life, in love, friendship, and marriage, how little security have we when we trust our happiness in the hands of others! WILLIAM HAZLITT In
G00224682 Best Practices for Mitigating Advanced Persistent Threats Published: 18 January 2012 Analyst(s): Lawrence Pingree, Neil MacDonald Many security practitioners see the term "advanced persistent
Securing Your Journey to the Cloud Trends in Targeted Attacks By Nart Villeneuve A Trend Micro White Paper I October 2011 Table of CONTENTs I. Abstract. 3 II. Introduction 3 Targeted attacks. 6 III. Trends
The dangers faced by your corporate network GFI Software www.gfi.com email@example.com Introduction This paper helps you identify key features needed to effectively deal with spam. Introduction... 2 Abstract...
Log Correlation Engine Best Practices August 14, 2012 (Revision 3) Copyright 2012. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of Tenable
IBM Global Technology Services Managed Security Services Research Report IBM Security Services 2014 Cyber Security Intelligence Index Analysis of cyber attack and incident data from IBM s worldwide security
WHITE PAPER SAFE: A Security Blueprint for Enterprise Networks Authors Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference
PROTECT YOUR AUTOMATIC TELLER MACHINES AGAINST LOGICAL FRAUD FROM SKIMMING TO THE LOGICAL FRAUD, THE NEW COMING ATM AND KIOSK RISK ABSTRACT 4 WHICH ARE THE RISKS ASSOCIATED TO AN ATM NETWORK 4 ATM EMERGING
ICC CYBER SECURITY GUIDE FOR BUSINESS ICC CYBER SECURITY GUIDE FOR BUSINESS Acknowledgements The ICC Cyber security guide for business was inspired by the Belgian Cyber security guide, an initiative of