Nearly half of enterprise networks show evidence of DNS tunnelling

Infoblox has published results of the Infoblox Security Assessment Report for the second quarter of 2016, which finds that 40 percent—nearly half—of files tested by Infoblox show evidence of DNS tunnelling, a significant security threat that can indicate active malware or ongoing data exfiltration within an organisation’s network.

  • 8 years ago Posted in
Infoblox, an industry leader in securing Domain Name System (DNS) infrastructure, offers free security assessments to customers and prospective customers, identifying outbound DNS queries inside an organisation’s network that are attempting to reach known malicious or suspicious Internet locations (hostname). External threat data from these evaluations is anonymised and aggregated to produce the Infoblox Security Assessment Report.
 
In the second quarter of 2016, 559 files capturing DNS traffic were uploaded to Infoblox for assessment, coming from 248 customers across a wide range of industries and geographies. Infoblox found 66 percent of the files showed evidence of suspicious DNS activity.
 
One indicator that stands out in the second quarter report is the prevalence of DNS tunnelling. Cybercriminals know that DNS is a well-established and trusted protocol, and have figured out that many organisations do not examine their DNS traffic for malicious activity.
 
DNS tunnelling enables these cybercriminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls. While there are quasi-legitimate uses of DNS tunnelling, many instances of tunnelling are malicious. There are also several off-the-shelf tunnelling toolkits readily available on the Internet, so hackers don’t always need technical sophistication to mount DNS tunnelling attacks. At the same time, DNS tunnelling is often part of very sophisticated attacks, including those sponsored or directly managed by nation states. For example, the recently uncovered Project Sauron—a particularly advanced threat that is considered likely to have been sponsored by a government—uses DNS tunnelling for data exfiltration. 
 
“In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “Cybersecurity is much the same. The widespread evidence of DNS tunnelling uncovered by the Infoblox Security Assessment Report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.”
 
Among the specific security threats uncovered by Infoblox during the second quarter, ranked by percentage, are:
 
·         Protocol anomalies – 48%
·         DNS tunnelling – 40%
·         Botnets – 35%
·         Amplification and reflection traffic – 17%
·         Distributed denial of service (DDoS) traffic – 14%
·         Ransomware – 13%
 
“While these threats are serious, DNS can also be a powerful security enforcement point within the network,’ said Rasmussen. “When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers.”
Research shows ‘game needs to be changed,’ with security innovation years behind that of the...
73% of organizations lack automated patch management, and 62% experienced incidents involving...
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with...
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to...
Aqua’s cloud native application protection platform becomes the only solution that protects cloud...
54% of organisations working on a security transformation project now or in the next 12 months.
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that...
Zscaler Zero Trust exchange cloud-based architecture enables superior green security capabilities...