What Is DNS Tunneling and How Do I Stop It?
It spread silently, invisibly, and without respect to borders. It moved from Android™ to Android, as it accessed each device’s contact list to increase the scale of the cyberattack.
Governments around the world recently broke up the infrastructure behind this campaign, which they appropriately dubbed “FluBot.”
Before they stopped it, security researchers revealed a key part of this attack’s success: It used DNS tunneling to hide its command-and-control (C2) infrastructure.
Let’s look at what DNS tunneling attacks are, the challenges around detection, and options for mitigating this risk within your organization.
What Is DNS Tunneling?
The Domain Name System, or DNS, is a protocol that translates easy-to-understand domain names or URLs into IP addresses that computers use to route traffic to a given destination. DNS tunneling attacks exploit and abuse DNS protocol, enabling malware from infected computers to implement communication channels that establish C2 mechanisms between a compromised host and the attacker's server. This exploitation looks like legitimate traffic, but it can hide data exfiltration used in ransomware attacks.
How Common Are DNS Tunneling Attacks?
DNS tunneling attacks have been around for a long time; however, we've seen a dramatic increase since the COVID-19 pandemic. IDC's 2021 Global DNS Threat Report stated that 87% of survey respondents — including network managers, IT security officers, decision-makers, and influencers — have experienced some form of DNS attack in the last 12 months, an 8% increase from last year's report. This underscores the need to bolster DNS security as organizations increase reliance on remote workers and bring-your-own-device programs.
Why Is DNS Tunneling Difficult to Detect?
DNS tunneling attacks are silent threats that can become part of a serious incident, with one of the highest mean-time-to-detection rates among various cyberattack methods. It often takes several months for SOC (security operation center) teams to become aware of data exfiltration caused by DNS tunneling attacks, because attackers can blend into expected network traffic to avoid notice.
The supply-chain attack that targeted customers of SolarWinds was first disclosed in December 2020, but analysis showed earliest modification of the software occurred in October of the previous year. This is an indicator of how long it can take to detect attacks that utilize DNS tunneling. These attacks are sophisticated and require equally sophisticated approaches for early detection and warning.
4 Strategies to Mitigate DNS Tunneling Risk
Here are some useful strategies to reduce your organization’s risk of becoming a victim of DNS tunneling:
1. Embrace Zero Trust Principles
Zero trust security approaches combat DNS tunneling attacks through a default “deny” posture that can significantly mitigate this risk, because it treats all users inside and outside the network as potentially hostile.
Typically, DNS requests are allowed to move through a firewall. Once a DNS connection is made via a DNS resolver, data exfiltration is possible. However, with zero trust, organizations can apply access control list (ACL) policy as an enforcement mechanism. At this point we may uncover suspicious behavior and indicators of compromise (IoCs). Zero-day issues can also be stopped, blocked and triaged. This includes insider threats attempting data exfiltration.
2. Establish Granular Access Control
A bedrock of network security is access control — the inseparable twin of zero trust. Together they deliver an identity-and-context-based logical-access boundary. This reduces the attack surface and bolsters DNS security.
3. Embrace AI/ML
Gartner predicts that by 2035, 90% of detection, and 60% of response to cyberattacks, will be handled by AI. “The volume and speed of attacks will grow by multiple orders of magnitude. AI (programs) will classify those attacks and only raise an alert when a predefined threshold is reached, allowing the cybersecurity team to focus on the attacks that matter,” said Gartner Distinguished VP Analyst Andrew Walls. AI/ML also reduces friction and improves user experience, by speeding detection and automating response with less manual intervention required.
4. Evaluate Security Posture Continuously
Ascertain security conditions for just-in-time and “just-enough” access, with the ability to dynamically adjust access control policies whenever there is a change in cybersecurity posture. Modern cyberattacks constantly evolve, so organizations must as well, in alignment with the organization’s risk appetite. Zero trust also creates the opportunity to better align NetOps, SecOps, and ITOps, since implementation is a cross-functional effort.
Zero Trust Network Access and Advanced Threats
If you are planning for or implementing a zero trust approach, you should consider a cloud-native Zero Trust Network Access (ZTNA) solution that enables the detection of DNS tunneling and other modern threats by using advanced machine learning techniques to identify risk in the network.
How does it detect DNS tunneling? It resides in the data path where it can monitor and analyze traffic to detect anomalous behavior. It also maintains a comprehensive list of suspicious domains that threat actors use and monitors DNS activity to these untrusted destinations.
Behind the scenes, ZTNA solutions with predictive AI perform statistical analysis and machine-learning-based tunneling detection on the information sent through a C2 channel to spot outliers and warn the administrators via DNS tunneling alerts. These alerts provide necessary event details, including the name servers used in the attack for each DNS request.
Below are examples from a DNS tunneling attack detected by CylanceGATEWAY™ through Intrusion Detection Service (IDS) rules and machine learning algorithms. As a result, it provides extensive coverage to detect adversary tools, including AnchorDNS, Chimera, BONDUPDATER, Denis, and others.
For an improved security posture, BlackBerry recommends that alongside access control policies, organizations should consider implementing content filtering, and risk-based rules to stay ahead of threat actors. For example, the CylanceGATEWAY Access Control List (ACL) framework offers a single integrated workflow that network administrators can use to define the action (allow/disallow), access (destination), and association (user/risk).
CylanceGATEWAY is AI-powered zero trust network access. Its prevention-first approach also offers granular network access controls and application segmentation, limiting lateral movement and protecting your network by hiding critical assets from unauthorized users. The platform also supports organizational and personal privacy and does not decrypt data-in-transit. Instead, it uses metadata such as originating IP, destination IP, and network protocol to notify SOC admins of suspicious events.
Learn more about CylanceGATEWAY and how to reduce the risk of DNS tunneling attacks at your organization.