WHITE PAPER. Using DNS RPZ to Protect Against Web Threats SPON. Published June 2015 SPONSORED BY. An Osterman Research White Paper.

Transcription

1 WHITE PAPER Using DNS RPZ to Protect An Osterman Research White Paper Published June 2015 SPONSORED BY SPON sponsored by sponsored by Osterman Research, Inc. P.O. Box 1058 Black Diamond, Washington USA Tel: Fax: twitter.com/mosterman

2 EXECUTIVE SUMMARY The Internet represents a tool of enormous benefit and, at the same time, tremendous risk in the form of its exploitation by cybercriminals and more traditional organized crime: theft of bank accounts, stealing sensitive and confidential information, destroying data, and otherwise wreaking havoc on Internet users. delivered via the Internet is the primary vector for distributing malware that can create these problems. Criminal organizations will create a new domains and URL s by the tens of thousands each day to host malicious content. They then direct users to visit the site through spam or phishing messages that contain a link to the site or via malicious advertising placed on otherwise legitimate Web pages, or by search engine poisoning. Most Internet service providers do not have a reliable method of determining whether or not a domain contains malicious content. Since they lack information about the reputation of various domains & URL s they cannot make intelligent and informed decisions about resolving them. If they had better information, they could prevent their users from visiting most malicious sites - protecting them and their organizations from a variety of serious consequences. ABOUT THIS WHITE PAPER This white paper discusses the concept of the Domain Name System - Response Policy Zone (DNS RPZ), a framework that allows providers, Internet users and others to share information about malicious domains and use this to prevent users from accessing sites that are dangerous. Conceptually similar to the domain & IP block lists that have been widely used for delivery for more than a decade, the DNS RPZ allows providers to understand the reputation of domains before resolving them, rather than deal with the consequences of malware delivered by these bad domains. In short, the purpose of a DNS RPZ is to prevent Internet users from getting to sites they should not access. While organizations cannot completely prevent users from acting unwisely when using the Internet, the RPZ concept is one of the best and simplest ways to prevent malicious infections by bad websites. This paper was sponsored by Spamhaus and MX Tools information about the sponsors is provided at the end of the paper. THE INTERNET IS A DANGEROUS PLACE THE INTERNET OFFERS MAJOR BENEFITS It is almost too obvious to say that the Internet offers a wide range of important benefits to companies, employees, consumers and governments. The ubiquity of the Internet and its focus on (mostly) standards-based protocols has created a platform for fundamental changes in the way that commerce, information sharing, communication and content delivery takes place worldwide..but IT IS QUITE DANGEROUS Among the variety of Internet-based threats that organizations face are the following: Malvertising Malicious Internet advertising that is intended to distribute malware through bogus advertising impressions on Web sites. Watering holes A type of social engineering attack in which cybercriminals will identify key Web sites that are frequented by individuals or groups they would like to infiltrate, 2015 Osterman Research, Inc. 1

3 such as mobile app developers. These targeted Web sites are then infected with malware, the goal of which is to infect members of the affinity group. Compromised search engine queries Valid search engine queries that are hijacked by cybercriminals to distribute malware. This form of attack relies on poisoning search queries, resulting in the display of malware-laden sites during Web searches. Ransomware A type of attack in which victims files are encrypted and will be decrypted only after payment of a ransom. One of the more common recent examples is the CryptoLocker malware: victims who choose not to pay the ransom within a short period of time will have their files remain encrypted permanently. Phishing Comparatively unfocused messages that are designed to elicit sensitive information from users, such as login credentials, credit card information, Social Security numbers and other valuable data. Phishing s purport to be from trustworthy sources like banks, credit card companies, shipping companies and other sources with which potential victims already have established relationships. Spearphishing A more targeted form of phishing attack that is generally directed at a small group of potential victims, such as senior individuals within a company. Spearphishing s are generally quite focused, reflecting the fact that a cybercriminal has studied his or her target and has crafted a message that is designed to have a high degree of believability and a high open rate. Employee errors Employees will sometimes inadvertently install malware or compromised code on their computers. This can occur when they download a codec, install ActiveX controls, install various applications that are intended to address some perceived need, or when they respond to scareware/fake anti-virus (rogue AV or fake AV) software. WHY THE PROBLEM? MOST DOMAINS ARE MALICIOUS There are more than 150 million domains in use: as of late March 2015 there were million active domains in use i, up from million in late March 2012 ii, an increase of 18.4 million domains, or 13% in a very saturated market. This represents a net increase of 12,000 domains per day, although roughly an order of magnitude more domains are created and taken down each day as cybercriminals exploit the security problems in the domain registrar industry. Domains can be used for a number of malicious purposes: A common technique is to register a domain similar to a valid one and then direct users to it through phishing s in hopes of users not noticing the subtle difference between the valid domain and the bogus one. For example, a cybercriminal might register pierl.com as a substitute for pier1.com, or micr0soft.com for microsoft.com. The Anti-Phishing Working Group found that one in 10 phishing attacks use this technique iii. Another technique is to use seemingly valid domains like googlev2010.com or mcafeevirusremover.com that, in fact, are malicious domains that are designed to spread malware. These domains might be typed in mistakenly by users seeking various types of content, but more commonly show up in search engine queries, phishing s or social media posts Osterman Research, Inc. 2

4 Domain names that consist of random letters and numbers can also be created to direct users to malicious sites. Complicating the problem are several other issues, such as short URLs that are often used to direct users to malicious sites and that users will not recognize as obviously malicious, the explosion of new top-level domains (.biz,.guru, etc.) that can be exploited by cybercriminals to deliver malicious content, and the growing use of smartphones and tablets that will often not display the URL of a Web site or the source of Internet content in order to conserve screen real estate. Underscoring the severity of the threat from maliciously created domains, McAfee found that in each quarter of 2014 there were more than 15 million new suspect URLs discovered, but in the third quarter there were in excess of 30 million iv. The fundamental threat problem for the Internet today is that the vast majority of new domains created on any given day are malicious. Hackers, organized crime gangs and other cybercriminals will create new domains in hopes of attracting visitors who might mistakenly type in the wrong URL or are more commonly directed to a URL through Internet queries, phishing s or malvertising. As of late 2014, at least 100,000 WordPress sites were infected with malware v. THE COST OF CYBERCRIME The total cost of cybercrime to the global economy is difficult to estimate, but the Center for Strategic and International Studies estimated the total annual cost to be as high as $575 billion vi. A key subset of this staggering total is phishing, which RSA estimated at $5.9 billion spread across nearly 450,000 individual attacks in 2013 vii. HOW TO ADDRESS THE PROBLEM One of the best defenses against the problem of malicious domains is user education: getting users never to click on malicious links in phishing s, in poisoned Web searches, and so forth. However, this is clearly not a realistic solution to the problem because users are gullible or will make mistakes and click on links that lead to malicious content, thereby infecting their computer or an entire corporate network with malware. While ongoing training of end users can go a long way toward eliminating these consequences, the primary line of defense against malicious domain use should be a system that will prevent a user who clicks on a link from being connected to the source of the malicious content. In this scenario, the domains in the links presented to the user will be analyzed for malicious content and managed appropriately: users who click on, or directly enter valid URL s will be presented with the content they seek, while clicking on a malicious link will result in redirection to an informational page indicating that the URL is malicious, and thus not accessible from the organization s network as a precautionary measure against malware or other threats. BEFORE RPZ BLOCKING DOMAINS WAS IMPRACTICAL The fundamental problem with the Internet in the context of proliferating bogus domains being registered so easily and then used for criminal purposes is that there has been no practical way to block traffic to these malicious domains. While it is, of course, technically possible to block access to a domain, the lack of information about domains has made this practically impossible, except in the most obvious of cases. How does a provider know which domains are safe to resolve and which are not? While there are millions of widely used and long-standing domains in use that are obviously valid, there are millions more that may or not may not be. For example, how would an Internet service provider know that it is safe to resolve the valid domain acutech-consulting.com, but that they should block the bogus domain 2015 Osterman Research, Inc. 3

5 trilane-consulting.com? Moreover, how will a provider know when a formerly valid domain has now been compromised and is now serving up malicious content? WHAT IS A RESPONSE POLICY ZONE? What providers need, therefore, is a reliable and timely source of information about domains. A DNS Response Policy Zone (RPZ) data feed is such a service, one that provides information about domains so that providers can make informed decisions about if and how they should resolve domains that are known to be bogus or serving up malicious content. The concept behind a DNS RPZ is conceptually similar to the real-time block lists that have been used for delivery for more than a decade. Using these block lists, service providers can obtain real time information about servers and then make a decision about whether or not to accept from servers that have been used to send spam or infected content. In the same way, a DNS RPZ publishes information about domains for the purpose of letting providers make a decision about resolving domains based on their likelihood of being unsafe for users or applications to access. In short, DNS RPZ provides the same type of capabilities for DNS resolvers that Real Time Block Lists (RBLs) provide for servers. An RPZ is designed to rewrite queries or response sets when domains are accessed. RPZ is a technology that leverages data feeds, and so it is the quality of the data feeds that make or break their use. Therefore, the key to effective use of the RPZ is the quality and timeliness of the data feed. The time required to detect a potentially malicious domain and update the information about it can range from 90 seconds to 24 hours. The slower the update cycle, the less useful that RPZ data feed becomes. The Spamhaus Domain Block List (DBL), which was launched in 2010, currently contains information on close to 300,000 suspicious or outright malicious domains and is updated every two minutes. It is important to note that the Spamhaus DBL is an extraordinarily dynamic block list: tens of thousands of domains are added and removed from the DBL approximately every 24 hours as cybercriminals create and take down domains used in their activities. Because cybercriminals generally do not pay for domains registering and disabling them within six hours or so by using less than highly reputable domain registrars they are able to maintain a continual supply of new domains at low cost. Keeping up with this cybercriminal technique is what the Spamhaus DBL has been designed to do. USING AN RPZ BIND viii (originally Berkeley Internet Name Daemon) represents a leading implementation of the DNS protocols currently in use and includes a DNS server, a DNS resolver library and various tools for testing servers. The DNS RPZ can be obtained via a DNS zone transfer using recent versions of BIND 9, the most recent implementation of BIND. The local BIND recursive nameserver will respond to DNS RPZ queries and then take appropriate action based on the response. The RPZ concept is enjoying wide support it is employed by Nomimum, Infoblox, Bluecat Networks and others, which account for well over 50% of the DNS resolver market, a key element of the larger DDI (DNS, DHCP and IP Address Management) market. Plus, BIND represents about two-thirds of the market for DNS resolvers when considering both open-source and commercial solutions. In short, support for RPZ is now widespread and growing. The leading provider of reputation data for DNS RPZ technology is Spamhaus, which is focused on providing information about domains. Spamhaus goal is to maintain an up-to-date source of information about the reputation of domains whose links are provided in spam messages, phishing attacks, and similarly damaging types of content Osterman Research, Inc. 4

6 A DNS RPZ CASE STUDY In late 2012, the Technical University of Denmark (DTU) implemented a trial of RPZ for which Spamhaus provided block list data ix. The goal of the DTU was to prevent users from accessing malicious domains, to increase client system security as part of a user education campaign, and to enhance the overall security of the DTU s infrastructure by raising awareness of malicious domains among IT staff. During a four-week period, just under 5,000 attempts to contact malicious domains were prevented by the use of RPZ and 75 users computers were defended from malware infiltration. During the trial, only one report of inappropriate filtering was discovered, but two infected systems were identified and there was no loss of user productivity from not being able to access malicious domains. SUMMARY The Internet has evolved into a key delivery mechanism for malware, including viruses, worms, keystroke loggers and other dangerous content. As shown in Figure 1, malware delivery through the Internet and have been steadily increasing over time. Figure 1 Malware Infiltrations for the Period 2007 to 2015 Source: Osterman Research, Inc. The DNS RPZ provides a framework for providing information about malicious domains used to deliver these threats. Providers that use it can make better decisions about whether or not to resolve particular domain names, and can thereby substantially reduce the amount of malware delivered to users Osterman Research, Inc. 5

7 ABOUT SPAMHAUS The Spamhaus Project is an international non-profit organization whose mission is to provide dependable real-time anti-spam protection and to work with Law Enforcement Agencies to identify and pursue spammers worldwide. Founded in 1998, Spamhaus is based in Geneva, Switzerland and London, UK and is run by a dedicated team of 25 investigators and forensics specialists located in 10 countries. Spamhaus has one of the best detection systems available for RPZ: their typical time from detection of a malicious domain to updating the RPZ is about 90 seconds, while some of their competitors can take up to about 24 hours. Moreover, as a managed service, Spamhaus receives an enormous amount of feedback from its entire user base, and so this information can be used to block domains in a way that an in-house managed service cannot. ABOUT MX TOOLS Since 2006, MXTools has been a global leader in providing IP reputation and antiabuse solutions to network operators across a wide range of markets. We service over 1500 clients on all 5 continents, assisting them to keep their networks secure, their users safe, and their operating costs low. As a Spamhaus Technologies Platinum Partner, we provide sales and technical support across all IP & Domain Data Feeds for Internet Service Providers, WebHosters and Mail/Network Security Vendors (Cloud & OEM). MXTools is based in Montreal, QC. please visit our web site at Osterman Research, Inc. 6

8 2015 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. REFERENCES i ii iii iv v vi vii viii ix Osterman Research, Inc. 7