Australian companies waking to DNS threats as exploit cycle gives way to continuous attacks

The end of a momentary dip in DNS-related threats suggests that cybercriminals' exploitation of weaknesses at the Internet's core is becoming ongoing rather than cyclical as in the past, according to a DNS-security firm that saw such threats rebound to near record highs in the fourth quarter of 2015.

The Infoblox DNS Threat Index tracks the volume of activity around the creation and hosting of malicious domains – a leading indicator of activity by cybercriminals' exploit kits, which build infection vectors and command-and-control structures using arsenals of temporary and malicious domains – and ended 2015 49 percent higher than it had been a year earlier.

The index has trended higher since its inception and is no longer following distinct cycles of growth and retraction, which the Infoblox analysis said reflected cybercriminals' previous habit of quietly exploiting DNS-based weaknesses to build out massive command-and-control networks to support planned malware attacks.

Growing use of exploit kits had changed that dynamic, with Angler continuing to prove popular and the “unexpected resurgence and rapid rise of” the RIG exploit kit suggesting that even older kits are enjoying long shelf lives.

While the relatively tight control over DNS in the United States would theoretically have pushed malicious DNS creation to relatively lightly-administered regions of the world, that country hosted 72 percent of newly observed malicious domains during the quarter.

That finding, Infoblox president and CEO Jesper Andersen told CSO Australia, reflects the increasingly complex nature of DNS-based attacks, which he said are being planned and executed over longer periods of time by malicious actors who “are getting increasingly patient”.

“Although the vast majority of the attacks are originating in the US, the threat actors may well reside in some other country,” he said, noting that many such threat actors spend considerable amounts of time compromising DNS systems and seeding malicious domains in anticipation of a more complex exploitation down the track.

“These guys are planning their infrastructure capabilities, which means that there are a lot of people compromised, and can expect that value will be extracted from their networks some time in the future,” Andersen explained. “They're now thinking 'I worked so hard to compromise this network that I am going to take my sweet time to find the most valuable way to exploit this company'.”

DNS attacks have led to big problems for online sites such as the New York Times and Huffington Post in the past, as attackers commandeer the records used to route all Internet traffic. More recently, 'typosquatting' has been used to feed malware to the systems of users who mistype .com domain names – going instead to malicious domains registered in the .om space (normally assigned to Oman).

Although Australia's improving broadband has increasingly made it a source of DDoS attacks and malware attacks as well as a victim, it still accounts for less than 1 percent of malicious infrastructure, according to the Infoblox figures.

The heavy geographical skew towards the United States – and Germany, which was in second place with 20 percent of originating DNS traffic – may reflect the relative size of the Internet infrastructure in those countries, which may provide better cover for the activities of malicious actors and enable them to “hide in plain sight”, he added.

A growing profile around DNS-related threats has compounded the workload for security specialists who are racing to keep up with changing online threats. By tying DNS monitoring in with other parts of the security infrastructure – Infoblox has built in a range of integrations with other security platforms – the company has been working to broaden the data and tool sets with which security executives are making key decisions.

“One of the biggest problems that we have in the security space is that all of these different vendor solutions don't integrate very nicely with each other,” Andersen said, pointing to emergent standards such as STIX and TAXII as increasingly important vectors for threat-intelligence sharing.
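The two defensive ideas in this article, spotting .om typosquats of .com names in DNS query logs and sharing the result in a vendor-neutral format such as STIX, can be tied together in a few lines. The following is an added example written for this page, not code from Infoblox or CSO Australia; the watch list of brand labels, the log line format and the log lines themselves are constructed for illustration. The STIX 2.1 pattern syntax for a domain-name indicator is the one defined by the standard.

```python
"""
Flag DNS queries for .om domains that impersonate watched .com names
(the typosquatting case described in the article) and emit a STIX 2.1
indicator pattern for each hit so it can be shared over a TAXII feed.
Watch list, log format and sample log lines are constructed for this example.
"""
import re
from typing import Iterator, List, Optional, Tuple

# Constructed watch list: registrable labels of legitimate .com domains.
WATCHED_COM_LABELS = {"example", "mybank", "bigretailer"}

# Constructed log format: "<timestamp> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
2016-03-14T09:12:01Z 10.0.0.21 www.example.com A
2016-03-14T09:12:07Z 10.0.0.21 www.example.om A
2016-03-14T09:13:44Z 10.0.0.57 mybank.om A
2016-03-14T09:14:02Z 10.0.0.57 news.om A
2016-03-14T09:15:30Z 10.0.0.88 bigretaller.com A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, client_ip, qname) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, ip, qname, _qtype = m.groups()
            # Normalise: strip trailing dot, lower-case the name.
            yield ts, ip, qname.rstrip(".").lower()


def lookalike_com_label(qname: str) -> Optional[str]:
    """
    Return the watched .com label that a .om query impersonates, or None.
    Only the "dropped c" case from the article is covered: example.com
    mistyped as example.om. A .om query is flagged when its registrable
    label (the one directly under .om) is on the watch list.
    """
    labels = qname.split(".")
    if len(labels) < 2 or labels[-1] != "om":
        return None
    sld = labels[-2]
    return sld if sld in WATCHED_COM_LABELS else None


def stix_pattern(domain: str) -> str:
    """STIX 2.1 indicator pattern that matches the flagged domain name."""
    return f"[domain-name:value = '{domain}']"


def find_typosquat_queries(log_text: str) -> List[dict]:
    """Scan the log and return one record per flagged query."""
    hits = []
    for ts, ip, qname in parse_log(log_text):
        target = lookalike_com_label(qname)
        if target:
            hits.append({
                "timestamp": ts,
                "client": ip,
                "query": qname,
                "impersonates": f"{target}.com",
                "stix_pattern": stix_pattern(qname),
            })
    return hits


if __name__ == "__main__":
    for hit in find_typosquat_queries(SAMPLE_LOG):
        print(hit)
```

Running the block flags `www.example.om` and `mybank.om` (the clients that queried them are the hosts to check for malware delivery), leaves `news.om` alone because its label is not on the watch list, and ignores `bigretaller.com` because the detector is deliberately scoped to the .om case the article describes; a fuller typosquat detector would also compare edit distance against the watch list under other TLDs.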

The value of integrating these threats into overall security practice is reflected in the growing interest in Infoblox's solutions both worldwide and in Australia, where the company established a presence only last September and is growing with an eye to opening a formal local office here.

Companies in Australia, where Infoblox previously operated entirely through distributors – it continues to maintain a strong network of partners – have proven to be “very, very mature” in integrating the DNS threat story into the overall security defence, ANZ managing director Bruce Bennie said.

“DNS is still an anomaly” in many companies' security defences, explained Bennie, who noted that the company's local headcount had already doubled and would continue to grow as Infoblox filled out its local professional-services capabilities. “A lot of people are realising that DNS is an even greater attack method than traditional HTTP was.”
