When discussing cyber security, one of the most common responses I hear is: “…But I have anti-virus software and a firewall, what else could I need?”
Unfortunately, on their own these solutions, which are often advertised as being all-encompassing, are simply inadequate. In fact, they only scratch the surface of threat protection!
Cyber-attacks are now employing stealthier and more enterprising techniques to utilise existing standard system protocols, which often go unmonitored. The recently discovered DNSMessenger attack demonstrates why traditional cybersecurity tools are insufficient. Cisco’s threat intelligence organisation, Talos, analysed a malware sample and discovered some interesting behaviour.
Most IT professionals will understand the role that the Domain Naming Service (DNS) plays in today’s internet. User-friendly domain names are entered and DNS resolves these to IP addresses to allow the underlying protocols to establish connections. Malware has been making good use of DNS for many years, a prime example is Domain Generation Algorithms (DGA) providing an automated means of cycling domain names used for Command and Control (C2) channels. We have relied on detecting these C2 channels to both identify the existence of the malware and mitigate it.
But DNSMessenger is different. It uses features within the DNS protocol to establish its C2 channel. DNS TXT records permit the use of arbitrary text in queries and responses, and it is the use of these records that allows DNSMessenger to establish a bi-directional C2 channel which would go undetected by many organisations.
The attack consists of multiple stages, utilising various PowerShell scripts, and avoids being written to the file system of the infected host to evade detection. Interestingly, at the time of analysis, the observed anti-virus detection ratio was low for the sample file with only six of the 54 referenced engines classifying the hash as malicious – none of the big name commercial cybersecurity and anti-virus engines identified the threat.
DNSMessenger demonstrates why organisations must consider all communication paths as potential C2 channels, as well as why the ‘next generation’ of robust security solutions are required. A multi-layered approach to cyber defences should be a necessity rather than a luxury. Utilising tools such as DNS analysis, deep packet inspection, netflow and machine learning provides the best chance of resisting infiltration. If you’re interested in finding out more about DNSMessenger, read the full Cisco Talos analysis.
Equally important, but often overlooked, is an essential relationship with your third-party trusted advisors, and the importance of making positive investments in your employees. This will ensure that employees can maximise the benefit of deployed solutions and that you have a tested process to respond to an incident should one occur.
If you would like to discuss how we can help ensure your business is protected with robust, ‘next generation’ cyber security measures, please get in touch firstname.lastname@example.org