Advanced Persistent Threat Mitigation - DNS Security

Laptops, mobile phones and an ever-increasing number of tablets are placing a strain on traditional IT network defences. Highly portable devices, often running no anti-virus or anti-malware software, are connected to a multitude of open (insecure) café, home, airport and hotel networks and, as a result, are frequently compromised. Once compromised, they are brought back into the office, where they can spread malware across the corporate network without traditional network defence mechanisms offering any protection (or alerts).

One trait common to almost all malware is that it “calls home” to contact its botnet controller and hand over its “payload” (discovered data, passwords, etc.); firewall defences, which are generally configured only to stop inbound attacks, are powerless against this outbound traffic. The damage that unconstrained malware can do is vast. It can affect network stability and performance, and it can also cause reputational damage through disclosure of corporate data or through blocking access to it (crypto-locking).

Like every other network application, malware uses DNS to resolve names to IP addresses. This makes internal DNS filtering an ideal place to apply outbound network filtering and combat the spread of malware.

DNS Firewalling is a technique that leverages the DNS lookup mechanism to intercept, validate and, if needed, rewrite (spoof) a DNS response, so that clients only receive answers for “safe” sites.

Commercial DNS firewall systems are equipped with a live data feed of “known bad” sites. These feeds form a core part of the DNS forwarding engine: when a lookup request is received for a known bad site, the request is either ignored or redirected to a notification page. This request filtering, combined with an outbound firewall block for any direct DNS lookups (stopping malware from bypassing the filter by using Google’s public DNS, 8.8.8.8 and 8.8.4.4), ensures that every internal DNS name resolution request is pre-validated.
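The two paragraphs above describe the filtering step in words; the following is an added example, written for this page and not Infoblox's or ETP's code, that models it in wire-format DNS with only the Python standard library. It assumes a constructed feed (`BAD_FEED`), an assumed internal notification-page address (`NOTIFY_PAGE_IP`), and the three outcomes the text names: forward unchanged, ignore the request (answered here as NXDOMAIN), or rewrite the answer to point at the notification page. Parent-domain matching is included so that subdomains of a listed domain are caught too.

```python
"""Simplified model of the DNS firewall filtering step (stdlib only).

Added example, not Infoblox's or ETP's code. A forwarder receives a query,
checks the name against a feed of known-bad domains, and either forwards it
upstream, answers NXDOMAIN (drop), or rewrites the answer to point at an
internal notification page. Feed contents and addresses are constructed."""
import socket
import struct
from typing import Optional, Tuple

# Constructed feed sample: domain -> policy action. A real feed is vendor-supplied
# and refreshed continuously; parent domains are listed so subdomains match too.
BAD_FEED = {
    "evil-c2.example": "block",          # answer NXDOMAIN
    "malware-drop.example": "redirect",  # answer with the notification page
}
NOTIFY_PAGE_IP = "10.0.0.53"   # assumed address of the internal notification page
POLICY_LOG = []                # policy hits, the data a SOC would review

def classify(qname: str) -> str:
    """Return 'forward', 'block' or 'redirect' for a query name.

    Walks the name up through its parents so sub.evil-c2.example matches the
    evil-c2.example feed entry."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        action = BAD_FEED.get(".".join(labels[i:]))
        if action:
            return action
    return "forward"

def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (QTYPE 1 = A) in DNS wire format."""
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + name + struct.pack("!HH", qtype, 1)          # class IN

def parse_query(msg: bytes) -> Tuple[int, str, int, bytes]:
    """Return (id, qname, qtype, raw question section) from a query message."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    return txid, ".".join(labels), qtype, msg[12:pos]

def handle(query: bytes) -> Tuple[str, Optional[bytes]]:
    """Apply policy to one query. Returns (action, response); response is None
    when the query should be forwarded to the upstream resolver unchanged."""
    txid, qname, qtype, question = parse_query(query)
    action = classify(qname)
    if action == "forward":
        return action, None
    POLICY_LOG.append({"qname": qname, "action": action})
    if action == "block":
        flags = 0x8183                      # QR, RD, RA, RCODE 3 (NXDOMAIN)
        return action, struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    flags = 0x8180                          # QR, RD, RA, RCODE 0 (NOERROR)
    if qtype != 1:                          # only A queries get the notification page
        return action, struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    # One answer RR: pointer to the question name (offset 12), type A, class IN,
    # short TTL so the rewrite does not linger in caches, 4-byte address.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(NOTIFY_PAGE_IP)
    return action, struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer

def rcode_of(response: bytes) -> int:
    """Low four bits of the flags word: the response code."""
    return response[3] & 0x0F

if __name__ == "__main__":
    for name in ("www.example.com", "www.evil-c2.example", "malware-drop.example"):
        action, resp = handle(build_query(name))
        print(f"{name:28} -> {action:8} rcode={rcode_of(resp) if resp else '-'}")
```

The redirect path only synthesises an A record; for any other query type it returns an empty NOERROR answer rather than inventing data, and every non-forward decision is appended to `POLICY_LOG`, because the hits on the feed are exactly the compromised-device signal the earlier paragraphs say traditional defences miss.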

ETP have partnered with Infoblox and now offer its DNS firewall solution to the market. The ETP team has determined that the Infoblox solution offers the most comprehensive Advanced Persistent Threat mitigation/protection, through an advanced threat feed provided directly by the Infoblox security response team. This team collates feeds of known bad sites and, through information sharing, produces a single feed containing the intelligence of over 20 research partners.

The DNS Firewall is a software appliance (deployed either as a VM or as a Docker container) that takes over the role of internal DNS forwarder. Any existing DNS service (e.g. Active Directory) is reconfigured to forward all non-authoritative requests to the Infoblox appliances, which means Infoblox can be introduced and removed with very minimal impact.
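With this architecture, resolution is meant to flow client → internal DNS → forwarder appliances → internet, and the outbound block mentioned earlier exists so that nothing else reaches an external resolver. A practitioner checking that the block is actually in place, and looking for hosts that try to get round it, would scan firewall logs for DNS-port traffic from anything other than the forwarders. The following is an added example, not part of this page or of Infoblox's product, using constructed key=value log lines and assumed forwarder addresses (`FORWARDERS`); it also covers port 853 (DNS over TLS), which the text does not mention but which the same block should include.

```python
"""Detecting DNS traffic that bypasses the internal forwarders.

Added example, not Infoblox's or ETP's code. Once all resolution is meant to
go client -> internal DNS -> forwarder appliances -> internet, any client that
talks to an external resolver directly is either misconfigured or malware
avoiding the filter. This scans constructed firewall log lines for that."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Assumed addresses: the only hosts allowed to reach the internet on DNS ports.
FORWARDERS = {"10.0.0.10", "10.0.0.11"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
DNS_PORTS = {53, 853}   # plain DNS and DNS-over-TLS

# Constructed log sample in a generic key=value form (no specific vendor format).
SAMPLE_LOG = """\
ts=09:00:01 action=allow proto=udp src=10.0.0.10 dst=8.8.8.8 dport=53
ts=09:00:02 action=allow proto=udp src=10.1.4.22 dst=8.8.8.8 dport=53
ts=09:00:03 action=allow proto=tcp src=10.1.4.22 dst=8.8.4.4 dport=853
ts=09:00:04 action=allow proto=udp src=10.1.4.23 dst=10.0.0.10 dport=53
ts=09:00:05 action=deny proto=udp src=10.1.4.22 dst=8.8.8.8 dport=53
ts=09:00:06 action=deny proto=udp src=10.1.4.77 dst=8.8.4.4 dport=53
ts=09:00:07 action=allow proto=tcp src=10.1.4.40 dst=203.0.113.5 dport=443
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values keep any '=' after the first."""
    return dict(field.split("=", 1) for field in line.split())

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_bypass(log: str) -> Tuple[List[Tuple[str, str, int]], Counter]:
    """Return (allowed_bypass, denied_attempts).

    allowed_bypass: (src, dst, dport) for external DNS traffic the firewall let
    through from a non-forwarder host, i.e. the outbound block rule is missing.
    denied_attempts: count per source host of blocked direct lookups, which is
    the signal that a host is trying to avoid the filtered path."""
    allowed, denied = [], Counter()
    for raw in log.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        dport = int(rec["dport"])
        if dport not in DNS_PORTS or is_internal(rec["dst"]) or rec["src"] in FORWARDERS:
            continue
        if rec["action"] == "allow":
            allowed.append((rec["src"], rec["dst"], dport))
        else:
            denied[rec["src"]] += 1
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = find_bypass(SAMPLE_LOG)
    for src, dst, port in allowed:
        print(f"GAP: {src} reached external resolver {dst}:{port} (add outbound block)")
    for src, n in denied.items():
        print(f"ALERT: {src} attempted {n} direct external DNS lookup(s)")
```

The two outputs answer different questions: an "allowed" entry means the firewall policy has a gap that lets a client skip the filtered path entirely, while the "denied" counts are the ones worth alerting on, since a host that keeps trying to reach 8.8.8.8 directly after the block is in place is behaving the way the earlier paragraphs describe for a compromised device.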

Because the Infoblox DNS Firewall solution is easy to introduce (and remove), ETP offer it through a “proof of value” engagement. A proof of value engagement is not a demo or a POC; it is specifically designed to allow organisations to validate the effectiveness of a solution while it runs in production, with real workloads. Given the nature of production environments, ETP perform standard implementation and change-control diligence when working with the customer team to implement the technology.