July 14th, 2020

Detect the Threat of DNS Tunneling and Stop Data Exfiltration

DNS tunneling may not be at the top of the list of cyberthreats that keep you awake at night. It’s been around for 20 years, and rarely generates headlines in the trade press.

But it’s still a genuine threat, with a range of potentially serious consequences.

So, if you could get a simple, timely alert about potential DNS tunnels into your domain, allowing you to investigate and counter them, wouldn’t you incorporate it in your security strategy?

Of course you would, and here it is: Neustar’s DNS Tunnel Threat Feed.

This important security tool is one of two feeds among our UltraThreat Feeds that help IT professionals identify and detect active threats. (The second, the Malicious DGAs feed, is discussed in this post.)

The DNS Tunnel feed leverages an analysis of global DNS data to identify potential tunneling threats, and fits within the MITRE ATT&CK framework. Importantly, the data is updated every ten minutes, allowing your team to investigate and neutralize potential threats in near real time.

The threat is real. In DNS tunneling attempts, data is encoded in DNS queries and responses. Since DNS requests move freely in and out of your network, a DNS tunnel allows hackers to bypass your firewalls and other security measures, giving them an open channel for:

  • Data exfiltration
  • Access to your internal network
  • Malware command and control

DNS attacks are on the upswing, in part because DNS tunneling is among the most “accessible” threat vectors. Easy-to-use tunneling toolkits are widely available on the Internet – along with how-to videos on YouTube – so even unsophisticated hackers can get what they need to burrow into an otherwise secure domain.

But it’s not just amateurs using the technique. The OilRig threat group associated with Iran, for example, has made widespread use of DNS tunneling for command and control communications with infected hosts, compromising 97 organizations in 27 countries and exfiltrating many thousands of user names and passwords.

This is not a threat that should be overlooked. Unfortunately, techniques to uncover and identify DNS tunneling attempts require analysis of both DNS traffic and live domains associated with bad actors, making them difficult and time-consuming to execute.

Until now.

At last, a simple solution. Security professionals have long recognized the potential for DNS data to provide timely and important threat insights, but the sheer amount of it has limited its value. Recent advances in data processing, however, have finally enabled DNS data to yield actionable information for effective use in cyber defense.

Neustar’s DNS Tunnel Threat Feed is a result of this revolution in DNS data analysis. As a leading provider of DNS services for more than 20 years, we operate a globally distributed network of authoritative and recursive DNS service sites that process well over 100 billion lookups every day.

To generate the DNS Tunnel Threat Feed, we analyze the enormous volume of DNS exhaust from our network using machine learning powered by artificial intelligence. This analysis identifies suspicious queries and responses that suggest possible DNS tunneling. Information about these queries, including a time stamp and the second-level domain associated with each, is incorporated into the feed, which is:

  • Updated every 10 minutes for current, actionable insights. If your domain is identified in the feed, your security team can immediately investigate and neutralize the threat, preventing significant damage or data loss.
  • Easy to incorporate into your security posture via your SIEM. The data is provided in a JSON file that can be picked up from an Amazon Web Services S3 bucket, delivered into an Azure or Amazon Web Services S3 bucket, or specifically tailored to your environment and platform.
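
One way to act on a feed like the one described above, as an added example that is not Neustar's code: join the flagged domains against your own resolver logs to see which internal clients queried them and how many distinct names each one sent. The JSON field names `timestamp` and `sld`, the log line layout and every sample value are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed feed sample. Field names "timestamp" and "sld" are assumed; the
# page only says each entry carries a time stamp and a second-level domain.
FEED_JSON = """[
  {"timestamp": "2020-07-14T10:10:00Z", "sld": "tunnel-example.test"},
  {"timestamp": "2020-07-14T10:20:00Z", "sld": "c2-example.test"}
]"""

# Constructed resolver log lines: "<ISO time> <client IP> <query name>".
DNS_LOG = """\
2020-07-14T10:11:02Z 10.0.4.17 mzxw6ytboi.a1.tunnel-example.test.
2020-07-14T10:11:03Z 10.0.4.17 nbswy3dpeb3w64q.a2.tunnel-example.test.
2020-07-14T10:11:05Z 10.0.4.17 orugs4zanfzsa.a3.Tunnel-Example.test.
2020-07-14T10:12:40Z 10.0.9.3 www.example.org.
2020-07-14T10:13:00Z 10.0.9.3 nottunnel-example.test.
2020-07-14T10:14:10Z 10.0.7.8 tunnel-example.test.
"""

def load_feed(text):
    """Return the set of flagged domains, lower-cased, without a trailing dot."""
    return {e["sld"].lower().rstrip(".") for e in json.loads(text)}

def flagged_parent(qname, flagged):
    """Return the flagged domain that qname equals or sits under, else None."""
    labels = qname.lower().rstrip(".").split(".")
    # Compare whole-label suffixes so "nottunnel-example.test" does not match.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in flagged:
            return candidate
    return None

def correlate(log_text, flagged):
    """Group matching queries by (client, flagged domain)."""
    hits = defaultdict(lambda: {"queries": 0, "names": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, qname = parts
        domain = flagged_parent(qname, flagged)
        if domain is not None:
            h = hits[(client, domain)]
            h["queries"] += 1
            h["names"].add(qname.lower().rstrip("."))
            h["first"] = min(h["first"] or ts, ts)  # same-format ISO strings sort by time
            h["last"] = max(h["last"] or ts, ts)
    return dict(hits)
```

A client with many distinct query names under one flagged domain (10.0.4.17 in the sample) is the pattern to investigate first, since tunneled data is carried in the subdomain labels.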

The DNS Tunnel Threat Feed is the simple, effective tool you need to finally and effectively neutralize this threat.

It’s just one of the valuable threat feeds Neustar offers IT security teams to help them protect their brand, defend their domain and mitigate fraud. If you’d like to learn more about how you can incorporate these timely, DNS-derived insights into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.
