At its core, DNS is what makes the internet work. Without it, everyone would need to remember the IP address of every website they wanted to visit, and content delivery networks would work because their anycast approach to IP would prevent dynamic association when a request is made to the IP address. Put simply, DNS makes it easy and affordable for websites to exist without those sites needing to own their own IP address. However, this easy and affordable approach is also what makes DNS a potential security vulnerability for organizations. 

Using DNS to hide malicious intent

DNS provides the ability to resolve a domain name to an IP address. Any device on a network uses DNS to route traffic to the correct destination. This resolution from domain to IP is what makes connections work, but malicious actors use myriad domains to obfuscate their intentions and they often rely on publicly accessible IP addresses from hosting providers like AWS, Google, and others which makes catching the activity ever more difficult. 

Malicious actors often use domain generation algorithms to create obscure domain names that are never seen in normal network transactions. But not all malware uses such obscure domains to communicate with and deploy malware on infected machines. In these cases, how can organizations detect otherwise benign DNS queries?

Understanding malicious activity through fingerprinting

While malicious activity is almost always encrypted, the fingerprint malware leaves is still visible. Malware has a specific set of instructions written in its code that indicates how and what the malware will do over a generalized period of time. By looking at traffic across an entire network, DNS queries can be correlated to traffic fingerprints, which provides a signatureless malware detection approach to help identify compromised machines.

How does this work? By looking at how network traffic is moving on the network across various ports and protocols and measuring how much traffic has moved across the network, supervised machine learning models give a clear picture of when various types of malicious activity are detected. Specifically, the Plixer platform’s machine-learning engine can detect four significant malware categories: banking trojan, remote access trojan, exploit kit, and coin miner. The blacklisted IPs and domains are updated hourly, and machine learning models are updated automatically as we add new threats to the database. This means that as the system discovers the fingerprint for new malware, it can automatically alert IT to the infected host.

When alerts aren’t enough

But sometimes getting an alert isn’t enough. What if you want to block malicious DNS requests automatically? As part of the machine learning engine, Advanced DNS Monitoring enables organizations to dynamically block requests to blacklisted domains. Additionally, for organizations that also have third-party data in their TAXII server, supplemental data can be ingested along with Plixer’s ML data to further block additionally unwanted traffic as defined by the organization. This gives organizations full control of how they block—and report on—traffic from known malicious sites.

DNS filtering for comprehensive network security

By leveraging machine learning, DNS queries can be monitored, and malicious queries can be blocked automatically. With machine learning fingerprinting, those DNS queries can be used to monitor hosts for additional malicious activity without needing packet capture to inspect the full payload. This gives organizations a comprehensive security approach. Harnessing the power of the network gives you full observability to catch crippling attacks before they can take hold.

To learn more about Plixer’s deep network observability platform, request a demo today

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.

Related