Cherif Sleiman, Infoblox Preventing: DNS-Based Data Exfiltration
March 2016 by Cherif Sleiman, General Manager, Middle East at Infoblox
Theft of sensitive or regulated data and intellectual property is one of the most serious risks to an enterprise. DNS is frequently used as a pathway for data exfiltration, because it is not inspected by common security products such as firewalls, intrusion detection systems (IDSs), and proxies.
Several high-profile data breaches have been in the news recently. We read that millions of customer records are stolen, emails hacked, and sensitive information leaked. Most enterprises have multiple defense mechanisms and security technologies in place, such as next-generation firewalls, intrusion detection systems (IDSs), and intrusion-prevention systems (IPSs). Yet somehow malicious actors find a way to appropriate data. So what types of data are being stolen? They vary and may include:
• Personally identifiable information (PII) such as Emirates ID numbers in UAE for example
• Regulated data related to Payment Card Industry Data Security Standard (PCI DDS)
• Intellectual property that gives an organization a competitive advantage
• Other sensitive information such as credit card numbers, company financials, payroll information, and emails
Motivations vary from hacktivism and espionage to financial wrongdoing, where the data can be easily sold for a neat profit in the underground market. When sensitive information is stolen, it causes financial and legal woes, not to mention the huge negative impact to brand. According to a Ponemon Institute study in 2015, the average consolidated cost of a data breach is US$3.8 million, which includes investigative and forensic efforts and resolution and consequences of customer defection. This is an average—recent breaches have cost victims a lot more.
Hackers can use multiple pathways to steal data, but the one that is often unknowingly left open is DNS, or the Domain Name System. DNS is increasingly being used for data exfiltration, either by malware-infected devices or by rogue employees. The nature of the DNS protocol, which was invented more than 30 years ago, is such that it is trusted, yet vulnerable to hackers and malicious insiders. According to Dan Kaminsky, the a well-known DNS security researcher, DNS can be thought of as a globally deployed routing and caching overlay network that connects both the public and private Internet, which raises serious questions: Is it sufficiently secure? Is it vulnerable to data breaches? The answer is that DNS can be abused in all sorts of unconventional ways that make it the perfect back door for hackers seeking to steal sensitive data. According to a recent DNS security survey of businesses based in North America and Europe, 46 percent of respondents experienced DNS exfiltration and 45 percent experienced DNS tunneling. You can safely assume that the Middle East will be no different.
DNS tunneling is the tunneling of IP protocol traffic through Port 53—which is often not even inspected by firewalls, even next-generation firewalls—most likely for purposes of data exfiltration. Malicious insiders either establish a DNS tunnel from within the network, then encrypt and embed chunks of data in DNS queries. Data is decrypted at the other end and put back together to get the valuable information. All sorts of things can be tunneled (SSH or HTTP) over DNS, encrypted, and compressed—much to the dismay of network administrators and security staff. DNS tunneling has been around for a long time. There are several popular tunneling toolkits such as Iodine, which is often considered the gold standard; OzymanDNS; SplitBrain; DNS2TCP; TCP-over-DNS; and others. There are also newer contenders that allow for tunneling at a much faster pace and offer lots of features. Even some commercial services have popped up offering VPN service over DNS, thus allowing you to bypass many Wi-Fi security controls. Most of these tools have specific signatures that can be used for detection and mitigation.
DNS is not only used for data leakage, but also to move malicious code into a network. This infiltration is easier than you think. Hackers can prepare a binary, encode it, and transport it past firewalls and content filters via DNS into an organization’s network. Hackers send and receive data via DNS—effectively converting it into a covert transport protocol.
Don’t Become the Next Data Breach Victim
DNS is the perfect enforcement point to improve your organization’s security posture. It is close to endpoints, ubiquitous, and in the path of DNS-based exfiltration. While DLP technology solutions protect against data leakage via email, web, FTP, and other vectors, most don’t have visibility into DNS-based exfiltration. To maximize your chances of fighting back against these data theft attempts, complement traditional data loss prevention protection with a DNS- based solution.