June 23rd, 2020

Neutralize the DGA Threat with UltraThreat Feeds

Domain Generation Algorithms (DGAs) arrived more than 10 years ago with the Conficker worm. By generating tens of thousands of domains – each a potential link to a command and control (C2) server, and too many to block – DGAs instantly made malware far more dangerous.

Security professionals quickly came up with a solution to counter the threat: deconstructing the malware.

But that requires having the malware in hand, along with the expertise to unpack the embedded code and reverse engineer the algorithm. And it also requires a lot of time – time the malware can use to exfiltrate data, penetrate further into your network and infect more hosts.

So, the industry came up with another solution: monitoring and analyzing network DNS exhaust for known DGA domains. Except that requires knowing the DGA domains – and since the bad guys are always creating new malware with new DGAs, it’s a little like locking the barn door after the horse is already out.

We needed a better solution: simple to use, immediately applicable and current.

Say hello to Neustar’s Malicious DGA feeds. These are components of our UltraThreat Feeds, fitting within the MITRE ATT&CK framework for DGAs. They leverage DNS data to provide IT security teams with the solution they need to counter the threat of DGAs – even newly active DGAs.

For example, the well-known Chinese cyber threat group APT41 uses at least 46 different families of malware, and the DGAs they use to provide fallback communication to C2 servers are changed monthly.

As part of the work to create the Malicious DGA feeds, Neustar analyzes behavioral patterns of domain requests in DNS exhaust, such as the frequency of requests and which domains resolved, to quickly identify even new DGAs, like those regularly introduced by APT41. Security teams can then block access to those domains and investigate to determine whether their assets have been affected.

Behind the solution. DNS data has long been recognized as a potentially valuable source of insights into evolving threats. But the sheer size of the datasets involved has limited its value. Recent advances in data processing are now overcoming those limitations, and DNS insights are rapidly becoming an important element in comprehensive cyber defense programs.

The Malicious DGA feeds are an example of this revolution in data analysis. The data for these feeds is drawn from the DNS exhaust of our globally distributed network of authoritative and recursive DNS service sites, which process well over 100 billion lookups every day.

This vast trove of DNS data is analyzed using machine learning powered by artificial intelligence to identify lookups of known DGA domains, as well as patterns in the traffic indicative of new DGAs at work, like those of APT41. The resulting insights are distilled into two powerful feeds that are updated hourly to enable security professionals to keep pace with the malware:

  1. Domains that are active in DNS traffic and also have DNS responses. This feed also includes the count of IPs making the request as a measure of activity, a correlation score indicating the likelihood the domain is attributed to malware, and the IP address where the DGA is hosted to help security analysts gauge the seriousness of the threat.
  2. Domains that are active in DNS traffic and do not resolve – that is, the thousands of nonexistent (NX) domains that DGAs generate in their effort to reach an active C2 link.

Importantly, the Malicious DGA feeds provide the core characteristics that security teams need in a practical, effective solution:

  • Current: The Malicious DGA feeds are updated every hour, with data drawn in near real-time from around the globe. Given that new DGAs are always being introduced, that timeliness is absolutely critical to the data’s value.
  • Immediately useful: DGA domains can be immediately blocked. In addition, the domains you receive in the feed can be compared with your DNS firewall exhaust or plugged into your SIEM to identify any traffic to or from them affecting your network. If you get a hit on an active domain that resolves, you can identify the malware and stop activity in its tracks. If you get a hit on an NX domain, you’ll know the malware is resident and can stop it before it reaches its C2 server.
  • Simple: The data is provided in a JSON file that can be delivered into an Azure or Amazon Web Services S3 bucket, or tailored to your environment and platform.
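The comparison described under "Immediately useful", as an added example (not Neustar's code or feed schema): it matches resolver log queries against both feeds and separates hosts that reached a resolving DGA domain from hosts seen only on NX domains. The JSON field names, the four-column log layout, and all domains and IP addresses are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed feed records; field names are assumptions, not the vendor's schema.
RESOLVING_FEED = json.loads("""[
  {"domain": "qxkzvtrw.example", "client_ips": 42, "score": 0.97, "hosted_ip": "203.0.113.10"}
]""")
NX_FEED = json.loads("""[
  {"domain": "bwplmhqd.example"},
  {"domain": "zzrtkqpa.example"}
]""")

# Constructed resolver log: timestamp, client IP, queried name, response code.
DNS_LOG = """\
2020-06-23T10:00:01Z 10.0.0.5 www.example.com. NOERROR
2020-06-23T10:00:02Z 10.0.0.7 BWPLMHQD.example. NXDOMAIN
2020-06-23T10:00:03Z 10.0.0.7 zzrtkqpa.example. NXDOMAIN
2020-06-23T10:00:04Z 10.0.0.9 qxkzvtrw.example. NOERROR
2020-06-23T10:00:05Z 10.0.0.9 bwplmhqd.example. NXDOMAIN
malformed line
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so log and feed names compare equal."""
    return name.strip().lower().rstrip(".")

def triage(log_text, resolving_feed, nx_feed):
    """Map each client IP that queried a feed domain to its status and matched domains."""
    resolving = {normalize(r["domain"]) for r in resolving_feed}
    nx = {normalize(r["domain"]) for r in nx_feed}
    hits = defaultdict(lambda: {"status": "nx_only", "domains": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed log layout
        _ts, client, qname, _rcode = parts
        name = normalize(qname)
        if name in resolving:
            # Hit on an active, resolving domain: the host may have reached C2.
            hits[client]["status"] = "resolved_c2"
            hits[client]["domains"].add(name)
        elif name in nx:
            # NX hit: malware is resident but this lookup found no C2 link.
            hits[client]["domains"].add(name)
    return {ip: {"status": h["status"], "domains": sorted(h["domains"])}
            for ip, h in hits.items()}
```

A host stays in `resolved_c2` once any of its queries matches the resolving feed, so later NX lookups from the same host do not downgrade it.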

This is the focused, actionable data you need to counter the threat of DGAs. Moreover, the Malicious DGA feeds are just one of the components of the valuable threat feeds Neustar offers IT security teams to help them protect their brand, defend their domain and mitigate fraud.

If you’d like to learn more about how you can incorporate these timely, DNS-derived insights into your security framework, contact us or give us a call at 1-855-898-0036 in the US or +44 1784 448444 in the UK.
