The end of a momentary dip in DNS-related threats suggests that cybercriminals' exploitation of weaknesses at the Internet's core is becoming ongoing rather than cyclical as in the past, according to a DNS-security firm that saw such threats rebound to near record highs in the fourth quarter of 2015.
The Infoblox DNS Threat Index tracks the volume of activity around the creation and hosting of malicious domains – a leading indicator of activity by cybercriminals exploit kits that build infection vectors and command-and-control structures using arsenals of temporary and malicious domains – and grew to be 49 percent higher at the end of 2015 compared with the level a year earlier.
The index has trended higher since its inception and is no longer following distinct cycles of growth and retraction, which the Infoblox analysis said reflected cybercriminals' previous habit of quietly exploiting DNS-based weaknesses to build out massive command-and-control networks to support planned malware attacks.
Growing use of exploit kits had changed that dynamic, with Angler continuing to prove popular and the “unexpected resurgence and rapid rise of” the RIG exploit kit suggesting that even older kits are enjoying long shelf lives.
While the relatively tight control over DNS in the United States would theoretically have pushed malicious DNS creation to relatively lightly-administered regions of the world, that country hosted 72 percent of newly observed malicious domains during the quarter.
That finding, Infoblox president and CEO Jesper Andersen told CSO Australia, reflects the increasingly complex nature of DNS-based attacks, which he said are being planned and executed over longer periods of time by malicious actors who “are getting increasingly patient”.
“Although the vast majority of the attacks are originating in the US, the threat actors may well reside in some other country,” he said, noting that many such threat actors spend considerable amounts of time compromising DNS systems and seeding malicious domains in anticipation of a more complex exploitation down the track.
“These guys planning their infrastructure capabilities, which means that there are a lot of people compromised, and can expect that value will be extracted from their networks some time in the future,” Andersen explained. “They're now thinking 'I worked so hard to compromise this network that I am going to take my sweet time to find the most valuable way to exploit this company'.”
DNS attacks have led to big problems for online sites such as the New York Times and Huffington Post in the past, as attackers commandeer the records used to route all Internet traffic. More recently, 'typosquatting' has been used to feed malware to the systems of users who mistype .com domain names – going instead to malicious domains registered in the .om space (normally assigned to Oman).
Although Australia's improving broadband has increasingly made it a source of DDoS attacks and malware attacks as well as a victim, it still accounts for less than 1 percent of malicious infrastructure, according to the Infoblox figures.
The heavy geographical skew towards the United States – and Germany, which was second-place with 20 percent of originating DNS traffic – may reflect the relative size of the Internet infrastructure in those countries, which may provide better cover for the activities of malicious actors and enable them to “hide in plain sight”, he added.
A growing profile around DNS-related threats has compounded the workload for security specialists who are racing to keep up with changing online threats. By tying DNS monitoring in with other parts of the security infrastructure – Infoblox has built in a range of integrations with other security platforms – the company has been working to broaden the data and tool sets with which security executives are making key decisions.
“One of the biggest problems that we have in the security space is that all of these different vendor solutions don't integrate very nicely with each other,” Andersen said, pointing to emergent standards such as STIX and TAXII as increasingly important vectors for threat-intelligence sharing.
The value of integrating these threats into overall security practice is reflected in the growing interest in Infoblox's solutions both worldwide and in Australia, where the company established a presence only last September and is growing with an eye to opening a formal local office here.
Companies in Australia, where Infoblox previously operated entirely through distributors – it continues to maintain a strong network of partners – have proven to be “very, very mature” in integrating the DNS threat story into the overall security defence, ANZ managing director Bruce Bennie said.
“DNS is still an anomaly” in many companies' security defences, explained Bennie, who noted that the company's local headcount had already doubled and would continue to grow as Infoblox filled out its local professional-services capabilities. “A lot of people are realising that DNS is an even greater attack method than traditional HTTP was.”
Organised criminals : Harness the power of analytics to detect breaches early and minimize their exposure.
Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.