DNS Analytics - Tracing & Defeating Cyberattacks
By Christopher Day
Commonly known as the “phone book of the Internet,” the Domain Name System (DNS) is a protocol that translates domain names into IP addresses to reach any service or application online – from email to Web browsing, peer-to-peer and literally thousands more. Beats typing complex alphanumerics every time you want to cruise the web, right?
Just one problem, and it’s big one. DNS has been around since the 1980s, before the term “Internet” was even coined, thus at a time when little or no thought was given to security. Four decades later, DNS remains one of few app protocols granted automatic permission to cross network perimeters.
This “digital passport” to nearly any-and-all data that resides on or transits the Web makes DNS a favorite channel for hackers via common attack methods such as DNS hijacking, spoofing, covert tunneling and others. Worse still, malicious cyber tools, attacks and their perpetrators actually rely on DNS to ensure their own resiliency, and to facilitate the power of “command and control” over the systems they attack, penetrate and come to own.
DNS hacks are ubiquitous and very costly to victims. According to the IDC 2020 Global DNS Report, organizations across all industries on average faced more than 9.5 DNS cyberattacks each that year, at an average cost of $924,000 per attack.
The Solution: DNS Analytics
Smart companies are taking the right steps to identify and stop this menace, using advanced DNS analytics with machine learning/artificial intelligence (ML/AI) and predictive analytics.
Traditional DNS Analytics comprises the various methods of conducting surveillance of DNS traffic within a network. These analytics determine who is querying for what information, how often and from what location – essentially what domains are checked and the numbers of queries over various time scales.
ML/AI enhances this work by an order of magnitude to perform Large Scale DNS Analytics. By applying ML/AI and predictive analytics, it is now possible to unveil vital intelligence on the source and nature of cyberattacks that leverage DNS vulnerability, including:
- Adversaries creating infrastructure
- Compromised enterprises (via monitoring of DNS queries)
- Assistance in attributing those responsible for the hack
- Finding additional victims
- Revealing Dark Nets via algorithms that detect threat actor campaign
Like any sort of investigation, successful DNS Analytics hinges on the collection of evidence. ManTech’s Hyperscale DNS Analytics convert this process into a machine-operated investigation, accelerating detailed analysis of large data volumes to activity that might otherwise escape detection:
- Enumeration of any real-time blacklists
- Signs of malware beacons leaving a network
- IP addresses (A-records) associated with a domain name in the past
- When a domain was active
- If the IP address for a domain name changed
- The IP addresses used for a domain name during the course of an incident
- Any names that pointed to a particular IP address, or domains that have been hosted by a known-malicious IP address
- Domain names pointing to a particular network
- All nameservers for a domain globally
- Domain names hosted by a particular web server
- Domains that have been pointed to a sinkhole IP address
- Domains that have used (or moved to) an IP address recently
Shutting Down Hackers that Leverage DNS
ML/AI-driven DNS Analytics ferrets out anomalous activity or behavior and tracks it to the source. Predictive analytics, like a Monte Carlo simulation, considers all the possible futures then pinpoints the most likely outcome so that hostile cyber events may be stopped in their tracks. Cases in point: successful identification of adversary activity and infrastructure based in the PRC; and in another instance, network enumeration to locate all DNS servers from Europe to the Middle East penetrated by entities in Russia.
The DNS protocol is surprisingly rich and amenable to ML-driven analytics that advance the mission of securing IT and networks. ManTech next generation DNS Analytics empowers users to identify, classify and stop malicious URLs via prediction, not just blacklists. Best of all, we can use algorithms to help illuminate adversary infrastructure early – catching malicious actors in the planning stage.