Lightboard Series: DNS Security Service - Protecting against malware using DNS

 

TRANSCRIPT

 

Ashwin Dewan:

Hello my name is Ashwin Dewan. I'm a product manager at Palo Alto Networks and today we're going to talk about DNS, the unique security challenges that it poses and our solution to those challenges, the Palo Alto Network's DNS security service.

 

Ashwin Dewan:

So your first question may be what is DNS and how does it work? You can think of DNS as the phone book for the internet. Let's say a host wants to connect to a website like xyz.com. It'll send a DNS request usually to an internal DNS server. This internal DNS server will forward this request to a public DNS server via a next generation firewall. This public DNS server will respond with a machine usable IP address that the host will use to connect. Something like 1.2.3.4. Once the host receives this response, it'll reach out back through your next generation firewall to connect to the resource and the user can go about their work.

 

Ashwin Dewan:

So as you can see, DNS is necessary to the function of the internet and normal browsing. This generates challenges from a security perspective. DNS can't be blocked and it's really hard to manually monitor.

 

Ashwin Dewan:

So there are a couple of different types of DNS threats. There's both the known and the unknown. Our Unit 42 researchers tell us that 80% of malware that they see uses DNS to establish a command and control channel. For the known we can use a wealth of data to get this, but for the unknown, there's a couple evasive techniques that attackers will use that require more predictive approach. These techniques, one of them is called domain generation algorithms or DGA, and this is when attackers will generate tens of thousands of domains each day and they only have to register one of them to establish the command and control channel.

 

Ashwin Dewan:

Another technique they use is something called DNS tunneling. DNS tunneling is using the DNS channel itself for communication. So what they'll do is set up a name server for a domain that they control and use that to accept and send any requests and responses from the public DNS infrastructure. If you have a host on your network that becomes infected, they can exfiltrate data by breaking it up into chunks and sending those out as DNS requests, which they will then reassemble on their side.

 

Ashwin Dewan:

Our solution to these challenges is the DNS security service cloud. As the firewall sees any DNS requests transited, it will send in parallel a lookup to this cloud. In this cloud we have data for both known and unknown threats. For the known threats we have data from our Unit 42 security researchers from something called passive DNS, from our PNDB URL filtering service, from the Cyber Threat Alliance which is an industry wide consortium for sharing of security information and also for all the millions of samples that run through wildfire each day. We take a look at the network traffic from those sessions and identify malicious domains and put all that data into the DNS security cloud.

 

Ashwin Dewan:

Now for the unknown threats for domain generation algorithms and tunneling, we have to do predictive analytics. So we take machine learning algorithms and train them on this wealth of known good high fidelity DNS data that we have and make a decision within milliseconds to identify domain generation algorithms and DNS tunneling for domains that we've never seen before. For domain generation algorithms we'll look at features like the age of a domain and the entropy or randomness of the domain name. For DNS tunneling we'll look at both the age of the domain and the traffic patterns that we see for this domain across the entire Palo Alto Network's customer base.

 

Ashwin Dewan:

The scale of the cloud is really required to run these algorithms at the speed necessary to block threats in real time. Once the DNS security cloud has come to a verdict decision, it will send that verdict back to the next generation firewall, at which point the next generation firewall will block and drop any further DNS requests to that malicious domain and drop and sinkhole any pending responses. This sinkhole IP is sent back to the host. If the host attempts to make a connection to the sinkhole IP, which it thinks is the attacker's malicious resource, the next generation firewall, since it's inline, can pick up on this traffic and automatically isolate the host from portions in your network as you can define in firewall security policy. At this point, your security team can remediate and take action to clean up the host. The Palo Alto Network's DNS security service is just one part of our security operating platform, which covers threats outside of DNS. To learn more, visit us at paloaltonetworks.com.