DNS tunnelling, a technique whose presence can indicate either active malware or data exfiltration, is fairly widespread today, according to a new report from network control company Infoblox. Infoblox analysed 559 files of captured DNS traffic, uploaded by 248 customers. Two thirds (66 per cent) of the files showed evidence of suspicious DNS activity.
Four in ten (40 per cent) showed evidence of DNS tunnelling. “In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cybersecurity at Infoblox.
“Cybersecurity is much the same. The widespread evidence of DNS tunnelling uncovered by the Infoblox Security Assessment Report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organisations can’t be fully secure unless they have tools in place to discover and prevent DNS tunnelling.”
According to the report, cyber-criminals know how well established and trusted a protocol DNS is, which is why they use it: many organisations, Infoblox says, do not inspect their DNS traffic for malicious activity at all. Besides DNS tunnelling, the assessment uncovered several other categories of threat, including protocol anomalies (48 per cent), botnets (35 per cent), amplification and reflection traffic (17 per cent), distributed denial of service (DDoS) attacks (14 per cent), and ransomware (13 per cent).
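The kind of inspection that paragraph says most organisations skip, shown as an added example that is not part of the Infoblox report or of this article: a small Python heuristic that profiles DNS query logs per registered domain and flags domains whose queries look like a tunnel (long, high-entropy subdomains, payload-carrying TXT and NULL queries, names that never repeat). The log format, the sample lines, the thresholds and the two-label registered-domain rule are all assumptions made here for illustration.

```python
"""Heuristic DNS-tunnelling detector over DNS query logs.

Added example, not from the Infoblox report. The log format, the sample
data, the thresholds and the registered-domain rule are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample log lines in the assumed format "<ts> <client> <qtype> <qname>".
# The names under exfil-example.test imitate a tunnel: 28-character labels of
# random-looking text that change on every query, mostly over TXT and NULL.
SAMPLE_LOG = """\
2016-06-01T10:00:01Z 10.0.0.5 A www.example.com
2016-06-01T10:00:02Z 10.0.0.5 A mail.example.com
2016-06-01T10:00:03Z 10.0.0.7 AAAA www.example.com
2016-06-01T10:00:04Z 10.0.0.9 TXT 3q2b7x9zk4a1m0vd8rfpwl5tn6c2.exfil-example.test
2016-06-01T10:00:05Z 10.0.0.9 TXT k9d2pz7hq4vb1xm3cr8wf0ylt6sn.exfil-example.test
2016-06-01T10:00:06Z 10.0.0.9 NULL x7v1q9mb3fz8tl2pc4ka0nw6dryh.exfil-example.test
2016-06-01T10:00:07Z 10.0.0.9 TXT p2r8n4tc6yw0dx1gf5zk7lmb3qvs.exfil-example.test
2016-06-01T10:00:08Z 10.0.0.9 TXT 8lb3n0vqx6r1mc9ad4kf2ptwz7yh.exfil-example.test
2016-06-01T10:00:09Z 10.0.0.5 A cdn.example.net
2016-06-01T10:00:10Z 10.0.0.7 A static.example.net
"""

# Thresholds are assumptions for this example; tune them against your own baseline.
MIN_SUBDOMAIN_LEN = 20      # mean characters to the left of the registered domain
MIN_ENTROPY_BITS = 3.5      # mean Shannon entropy of that subdomain text
MIN_DATA_QTYPE_FRAC = 0.5   # share of TXT/NULL queries, record types that carry payload
MIN_UNIQUE_RATIO = 0.9      # distinct names / queries (tunnel names almost never repeat)
MIN_QUERIES_FOR_RATIO = 5   # uniqueness says nothing on a handful of queries
DATA_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text):
    """Bits of entropy per character of `text`; 0.0 for empty input."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain). Assumes the registered domain is
    the last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    """Yield (qtype, qname) from lines of the assumed '<ts> <client> <qtype> <qname>' form."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines rather than fail on them
        yield parts[2].upper(), parts[3]


def profile_domains(records):
    """Aggregate per-registered-domain statistics from (qtype, qname) pairs."""
    stats = {}
    for qtype, qname in records:
        domain, sub = split_name(qname)
        s = stats.setdefault(domain, {"queries": 0, "names": set(), "sub_len": 0,
                                       "entropy": 0.0, "data_qtypes": 0})
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        s["data_qtypes"] += int(qtype in DATA_QTYPES)
    return stats


def score_domain(s):
    """Return the names of the indicators that fired for one domain's stats."""
    n = s["queries"]
    hits = []
    if s["sub_len"] / n >= MIN_SUBDOMAIN_LEN:
        hits.append("long_subdomains")
    if s["entropy"] / n >= MIN_ENTROPY_BITS:
        hits.append("high_entropy")
    if s["data_qtypes"] / n >= MIN_DATA_QTYPE_FRAC:
        hits.append("payload_qtypes")
    if n >= MIN_QUERIES_FOR_RATIO and len(s["names"]) / n >= MIN_UNIQUE_RATIO:
        hits.append("never_repeats")
    return hits


def find_tunnel_candidates(log_text, min_hits=2):
    """Return {domain: [indicators]} for domains where at least `min_hits` indicators fire.
    Requiring two independent indicators keeps CDNs with long but low-entropy
    hostnames, and chatty-but-benign TXT lookups, from being flagged on their own."""
    candidates = {}
    for domain, s in profile_domains(parse_log(log_text)).items():
        hits = score_domain(s)
        if len(hits) >= min_hits:
            candidates[domain] = hits
    return candidates


if __name__ == "__main__":
    for domain, hits in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(hits)}")
```

On the constructed sample this flags only exfil-example.test, with all four indicators firing, while example.com and example.net score zero. A domain that surfaces this way is a candidate for analyst review and, once confirmed, for a block rule at the resolver; the thresholds are deliberately conservative and should be calibrated against a week of your own baseline traffic before anything is blocked automatically.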
“While these threats are serious, DNS can also be a powerful security enforcement point within the network,” said Rasmussen.
“When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers.” The full report is available from Infoblox.