In the public imagination few things are as closely associated with cyber security as malware. This is because there have been so many high profile instances of malware causing widespread chaos – such as the 2017 WannaCry attack which affected more than 200,000 computers in 150 countries. The various types of malware are vital for the black hats carrying out all manner of cyber attacks including data loss, sabotage, extortion and more.
Malware is becoming increasingly challenging to combat. There are more variants than ever (nearly 70 million by some counts) and they are growing at a staggering rate. One relatively new type of malware, coin mining, increased 8,500% in just one year. This matters because of the damage malware inflicts on businesses; according to Accenture, malware attacks are the most damaging type of cyber crime, costing businesses an average of $2.4m per year.
Getting on top of malware is therefore a priority for enterprise security teams. The good news is that the problem is more tractable than it looks, because most malware depends on the Domain Name System (DNS) at some point in its lifecycle, above all to find the server it reports back to. That gives security teams a single, well-defined place to look when finding, understanding and shutting down malware, both well-known families and previously unseen ones.
Throughout the internet the DNS layer translates human-readable domain names into IP addresses (and, through reverse lookups, IP addresses back into names). Loading a website begins with such a lookup: the client asks its recursive resolver, which in turn queries the root, top-level-domain and authoritative name servers until it has an answer to return. Malware authors have looked to exploit this process in a number of ways:
- To launch phishing attacks: Criminals compromise a local DNS resolver, or poison its cache, so that when people type a company name into a web browser they are sent to a bogus site. This could be a simple ad page or something more sinister, such as a phishing site designed to steal people’s bank details
- To protect malware: Black hats use DNS lookups to detect sandboxes and other analysis environments. Malware will try to resolve a domain it knows to be unregistered; many sandboxes answer every query with a fake address so that samples keep running, so a successful resolution tells the malware it is being analysed and it stays dormant
- To go unnoticed: Cyber criminals are turning to fileless attacks. These embed malicious code in scripts or load it directly into memory without writing an executable to disk, which lets them slip past file-based anti-virus scanning. Even fileless code, however, still has to look up the domains it talks to
- To bypass blacklists: Malware authors register new domain names faster than blacklists can be updated, so a freshly registered domain usually has a clean reputation and slips past enterprise security mechanisms
- To conceal command-and-control communications: Malware on an infected device must reach the black hat’s own server. Hard-coding that server’s address is fragile, so many families use Domain Generation Algorithms (DGAs): code that deterministically derives a large set of short-lived candidate domain names from a seed such as the current date. The operator registers only one or two of the day’s candidates; the implant tries them in turn until one resolves, so takedowns and blacklists are always a step behind
These techniques often succeed because firms have not applied rigorous security policies at the DNS layer. IT admins have understandably prioritised keeping DNS resolution fast and reliable, so DNS traffic has typically been allowed through without inspection.
That trade-off is no longer necessary. DNS traffic can be analysed in real time to pick out queries associated with malware without slowing resolution down. Such analysis can identify requests to known command-and-control domains, the tell-tale pattern of DGA lookups (many failed resolutions of random-looking names from a single host) and sudden bursts of queries to newly registered domains, all strong indicators that one or more devices on your network are infected.
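As an added illustration (example code written for this page, not part of the original article or of any vendor product), the following Python script shows both sides of the DGA item above and the three detections this paragraph describes. The toy DGA is not modelled on any real malware family, and the query-log lines, the known-C2 entry, the registration dates and the thresholds are all constructed for the example.

```python
"""Added example: DNS query-log analysis for the three signals the article
names (known C2 domains, DGA-style lookups, bursts to newly registered
domains). Every input below is constructed for this illustration."""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import date, datetime, timedelta

# Constructed threat intel. A real deployment would take the C2 list from a
# feed and registration dates from WHOIS/RDAP or a newly-registered-domain feed.
KNOWN_C2 = {"evil-c2.example"}
REGISTRATION_DATE = {
    "example.com": date(1995, 8, 14),
    "example.net": date(1995, 8, 14),
    "freshly-made-site.example": date(2024, 3, 3),
    "another-new-one.example": date(2024, 3, 2),
    "third-newborn.example": date(2024, 3, 4),
}
NRD_MAX_AGE = timedelta(days=7)        # "newly registered" = younger than this
NRD_BURST_COUNT, NRD_BURST_WINDOW = 3, timedelta(seconds=60)
DGA_MIN_LABEL_LEN, DGA_MIN_ENTROPY, DGA_MIN_NXDOMAIN = 12, 3.0, 3

# Constructed query log: "<ISO timestamp> <client IP> <qname> <rcode>".
SAMPLE_LOG = """\
2024-03-04T09:00:01 10.0.0.5 www.example.com NOERROR
2024-03-04T09:00:02 10.0.0.5 cdn.example.net NOERROR
2024-03-04T09:00:05 10.0.0.7 update.evil-c2.example NOERROR
2024-03-04T09:00:06 10.0.0.9 xkqzvbnmplwtrq.example NXDOMAIN
2024-03-04T09:00:07 10.0.0.9 mwpzqlrtvbkcns.example NXDOMAIN
2024-03-04T09:00:08 10.0.0.9 qvlkzxmrtpbnwc.example NXDOMAIN
2024-03-04T09:00:09 10.0.0.9 zrbtmqwlkvpxcn.example NOERROR
2024-03-04T09:00:20 10.0.0.11 freshly-made-site.example NOERROR
2024-03-04T09:00:25 10.0.0.11 another-new-one.example NOERROR
2024-03-04T09:00:31 10.0.0.11 third-newborn.example NOERROR
2024-03-04T09:00:40 10.0.0.5 www.example.com NOERROR
"""


def toy_dga(day_iso, count=5, length=14):
    """Toy date-seeded DGA (constructed, not any real family). Implant and
    operator derive the same candidates from the date; the operator registers
    one in advance and the implant queries them in turn until one resolves,
    so all but one of the lookups come back NXDOMAIN."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:length])
        out.append(label + ".example")
    return out


def shannon_entropy(s):
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname):
    """Last two labels; production code should use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def looks_like_dga(qname):
    label = registrable_domain(qname).split(".")[0]
    return len(label) >= DGA_MIN_LABEL_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def parse_log(text):
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), rcode


def analyse(log_text):
    """Return, per client, known-C2 hits, DGA-style NXDOMAIN counts and
    bursts of queries to newly registered domains."""
    c2_hits, dga_nx, nrd_times = defaultdict(set), Counter(), defaultdict(list)
    for ts, client, qname, rcode in parse_log(log_text):
        dom = registrable_domain(qname)
        if dom in KNOWN_C2:
            c2_hits[client].add(dom)
        # DGA signal: random-looking label AND the lookup failed
        if rcode == "NXDOMAIN" and looks_like_dga(qname):
            dga_nx[client] += 1
        reg = REGISTRATION_DATE.get(dom)
        if reg is not None and ts.date() - reg <= NRD_MAX_AGE:
            nrd_times[client].append(ts)
    nrd_burst = {}
    for client, times in nrd_times.items():
        times.sort()  # sliding window over this client's NRD query times
        for i in range(len(times) - NRD_BURST_COUNT + 1):
            if times[i + NRD_BURST_COUNT - 1] - times[i] <= NRD_BURST_WINDOW:
                nrd_burst[client] = len(times)
                break
    return {
        "c2": {c: sorted(d) for c, d in c2_hits.items()},
        "dga": {c: n for c, n in dga_nx.items() if n >= DGA_MIN_NXDOMAIN},
        "nrd_burst": nrd_burst,
    }


if __name__ == "__main__":
    print("today's DGA candidates:", toy_dga("2024-03-04"))
    print(analyse(SAMPLE_LOG))
```

Two caveats worth keeping in mind when turning this into a real detection: character entropy on its own is a weak DGA signal (a legitimate label such as freshly-made-site scores as high as a random one), which is why the script only counts random-looking names whose lookups failed; and registrable-domain extraction with "last two labels" mis-handles suffixes such as co.uk, so production code should use the public suffix list.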
Malware is currently highly damaging to enterprises, but it need not be. By applying advanced analytics to your DNS layer, you can spot and shut down known malware threats and many unknown ones too, before they cause harm.
If you would like to read more about how DNS security protects against malware and its associated security threats please download our new white paper.