Question: How does a threat actor utilize DNS communications in malware attacks?
Dave Mitchell, CTO, Hyas: The idea that you can protect yourself from all malware is unrealistic, especially considering malware is an umbrella term that does not refer to any specific exploit, vector, goal, or methodology. Because the range of cyber threats is so wide and varied, there is no magic bullet that will repel every attack. So it’s really only a matter of time before your network environment is compromised, forcing you to make some very hard decisions.
For instance, in the medical field, successful cyber attacks don’t just affect an organization’s ability to function; they also have major legal and reputational repercussions. Because of these circumstances, medical industry victims end up paying out ransomware demands at a higher rate than any other industry. If they were able to detect indicators of problems before they become full-blown attacks, healthcare organizations could save an average of $10.1 million per incident averted.
Most security solutions address a specific subsection of malware and/or infiltration vectors, but none of them can stop all threats at the gate. Even if they could, sometimes the gate is bypassed altogether. As we saw with the Log4J exploit and the recent compromise of the popular Ctx Python package, “trusted” resource libraries hosted on places like GitHub can be compromised by outside entities and used to deliver payloads of malware to thousands of endpoints without immediately triggering a red flag.
Not all threats lurk solely in cyberspace. Returning to the healthcare industry as an example highlights another attack vector that can get around all of your perimeter security — physical access. Most hospitals, physician’s offices, pharmacies, and other medical facilities rely on networked terminals and devices located (or accidentally left) in places where they can be accessed by patients, visitors, or other unauthorized users. In situations like these, it doesn’t matter how well-defended your network is from outside attacks because the bad actor can simply insert a USB stick or use a logged-in device to access malware, compromising the network from within.
This may seem like an unwinnable situation, but thankfully there is one feature that ties the overwhelming majority of malware together — a shared Achilles’ heel called the Domain Name System (DNS). More than 91% of malware utilizes DNS communication at some point during its attack lifecycle, making DNS an invaluable choke point in the fight against cyber threats.
When a piece of malware first finds its way onto your network, it tries to avoid detection. It uses this time as a reconnaissance phase during which it attempts to spread to more devices in the network environment, locate critical resources, and compromise backup storage.
It is also during this time that the malware needs to communicate back to the hackers’ command and control (C2) infrastructure to receive instructions and report the information it has uncovered about the network. Like any traffic on the Internet, to communicate back out into the world, it needs to make a request to a domain name server. By employing a protective DNS solution, network administrators can monitor DNS traffic for indicators of malicious activity and then take action by blocking, quarantining, or otherwise disrupting it.
Unfortunately, with new threats being developed all the time and the ever-present risk of a physically initiated attack, companies must prepare for the inevitable successful breach of their network. However, once malware has gotten inside your network, it is almost certain to employ DNS communication at some point. A protective DNS solution can detect these abnormal requests and block them entirely, rendering the malware inert and letting you quickly begin the process of cleaning your systems and shoring up your defenses for next time.
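As an added illustration of the DNS monitoring the answer describes (example code written for this page, not Hyas's product or the author's own), the following Python sketch runs a few constructed resolver log lines through three checks a protective DNS layer might apply: a hypothetical blocklist match, long high-entropy query labels, and repeated NXDOMAIN answers from one client. The domain names, client addresses, log format and thresholds are all constructed placeholders.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log ("<timestamp> <client> <qname> <rcode>"); not real traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.12 www.example.org NOERROR
2024-05-01T10:00:02 10.0.0.12 updates.example.org NOERROR
2024-05-01T10:00:03 10.0.0.44 c2-placeholder.test NOERROR
2024-05-01T10:00:04 10.0.0.44 xk3j9v2q8z7f1m4n.unknown-placeholder.test NOERROR
2024-05-01T10:00:05 10.0.0.44 q1w2e3r4t5y6u7i8o9p0.unknown-placeholder.test NXDOMAIN
2024-05-01T10:00:06 10.0.0.44 zx9cv8bn7ml6kj5h.unknown-placeholder.test NXDOMAIN
2024-05-01T10:00:07 10.0.0.12 mail.example.org NOERROR
"""
# Hypothetical indicator feed; a protective DNS service supplies this in practice.
BLOCKLIST = {"c2-placeholder.test"}

def shannon_entropy(s):
    """Bits per character: random-looking labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    """Crude last-two-labels approximation (real tooling uses the public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def analyze(log_text, blocklist=BLOCKLIST, entropy_threshold=3.5,
            min_label_len=16, nxdomain_threshold=2):
    """Map (client, registered domain) -> sorted reasons the pair looks like C2 traffic."""
    reasons = defaultdict(set)
    nxdomain_counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qname, rcode = parts
        key = (client, registered_domain(qname))
        if key[1] in blocklist:
            reasons[key].add("blocklisted")
        # A long, high-entropy leftmost label suggests encoded data or DGA output.
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            reasons[key].add("high-entropy-label")
        if rcode == "NXDOMAIN":
            nxdomain_counts[key] += 1
            if nxdomain_counts[key] >= nxdomain_threshold:
                reasons[key].add("repeated-nxdomain")
    return {k: sorted(v) for k, v in reasons.items()}
```

On the sample above only client 10.0.0.44 is flagged, once via the blocklist and once purely via the heuristics, which is the point: a blocklist alone would have missed the second domain.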