SolarWinds Hack and the Case of DNS Security
It was big news that some of the top government agencies and companies in the world were victims of the SolarWinds attack, however, it's no surprise to those of us in the security space urging enterprises to modernize their protection against growing threats. As I understand it, the breaches happened after malicious code was inserted into a software patch that was downloaded by the companies and agencies. The installation of the patch executed malicious code, called SUNBURST, which created an entry point for other malicious codes (TEARDROP/RAINDROP). These additional codes were used to allow attackers to move laterally within the network and exfiltrate sensitive customer information to a public command and control server.
This supply chain attack reinforces the need to modernize the enterprise security infrastructure. While larger businesses may have the resources to recover from an attack of this size, the same can't be said for smaller businesses. If a business like SolarWinds, with products widely adopted in the industry, can be affected by a breach in which harmful code is inserted within their pipeline and updating process, the same attack would be very detrimental to smaller businesses. Many administrative resources would need to be spent identifying and isolating both the infected machines and the assets containing sensitive information.
One recurring thought I had as I researched the attack was how important it is to secure the Domain Name System (DNS) layer of the network. Modern enterprise security strategies promote better segmentation of the network, including isolating business-critical assets from the rest of the network. It's important to remember that business-critical assets are shared infrastructure, and as such, become the target of attackers. Once these assets are compromised, the attackers potentially have access to the entire network. However, the attackers need to exfiltrate the sensitive data. Hence, a modern enterprise security strategy must include securing DNS traffic. The SolarWinds attack underscores this. While the method of malware delivery appeared ingenious to me, the method of data theft appeared mundane. DNS tunneling, where data is transmitted by appending it to recursive DNS queries, was chosen as the medium to steal customer data. Queries were sent to DNS command and control servers within the same region of breached enterprise networks to evade detection. The servers, in turn, passed commands or other information back to the implanted malware.
DNS is essential to business functions, and yet, it is an often overlooked layer when it comes to securing the enterprise network. Every aspect of internet activity needs the DNS layer to function across every device: from embedded chips within electronic appliances that get information about the weather to servers running within a data center (DC) or infrastructure as a service (IaaS) environment that get software updates for applications. Securing DNS is therefore essential and offers a proactive way to prevent backdoor delivery of malware, such as the SUNBURST, into the network and also data theft via DNS tunneling or domain generation algorithms (DGA).
Securing DNS traffic can be done in a number of ways. First, ensure that all DNS queries to designated recursive servers are allowed on firewalls. Some malware are known to alter device DNS configuration to force queries to a different DNS server. Also, ensure DNS traffic goes only to designated ports. Another way is to implement services that ensure recursive DNS queries for malicious websites are blocked. Internet-bound traffic involves recursive DNS activity, and having a DNS provider ensure every recursive DNS query sent from every device on the network is for innocuous content is vital. Whether the query is from user devices to servers and Internet of Things (IoT) devices deployed in data center or IaaS environments, it should first be checked against a threat database to identify malware/phishing domains or more sophisticated DNS threat activity by using domain generation algorithm (DGA) or DNS tunneling.
A resourceful and committed attacker will always find a way to get in, but adequate security measures will ensure that the attacker will experience difficulty moving laterally across the network and, more importantly, have difficulty exfiltrating sensitive information, especially from shared infrastructure elements, out of the network. Securing DNS traffic should be part of your network security measures.
For more information on how to secure your network, visit www.akamai.com/etp.