Showing posts with label DNS Security. Show all posts

Thursday 25 March 2021

Threat Trends: DNS Security, Part 2


Part 2: Industry trends

In our Threat Trends blog series, we attempt to provide insight into the prevalent trends on the threat landscape. Our goal in giving you the latest info on these trends is that you’ll be better prepared to allocate security resources to where they’re needed most.

Knowing the larger trends can help in this pursuit, particularly when it comes to the most common threat types. This is what we covered in part one of this Threat Trends release on DNS Security, using data from Cisco Umbrella, our cloud-native security service.

However, different industries sometimes have different levels of exposure to certain threat types. For example, those in the financial services industry may see more activity around information stealers; others in manufacturing may be more likely to encounter ransomware.

This is what we’re going to cover in part two. We’ll focus on specific industries, looking at two things: the top threat categories they face, and the categories that they’re more likely to encounter when compared to other industries. In this way, you’ll be better armed knowing which threats you’re more likely to encounter within your industry.

As in part one, we’ll be looking at data covering the calendar year of 2020. This time we’ll be comparing yearly totals of DNS traffic to malicious sites, by industry. While we do this, we’ll occasionally drill down to the monthly level, or look at endpoint data, to highlight items of interest. All of this gives us a window into the categories of threats that generate the most traffic for various organizations.

So, without further ado, and in no particular order, here are the industry trends:

Technology

The vast majority of DNS traffic in the Technology sector—the sector involving the development and/or distribution of technological goods and services—can be attributed to two categories: cryptomining and phishing. These two categories alone accounted for 70 percent of the traffic for organizations in this sector.


Unsurprisingly, the Technology sector saw far more cryptomining traffic than any other industry. While much of this activity can be attributed to bad actors, it’s possible that more knowledge surrounding cryptocurrencies could lead workers in this field to attempt to install miners on their company computers, triggering DNS blocks in Umbrella due to company policy violations. In comparison, Financial Services—an industry where workers are more likely aware of the risks of running cryptomining software on company devices—had one of the lowest levels.

Interestingly, the Technology sector saw the second-highest level of ransomware-related traffic, primarily driven by attacks involving Sodinokibi and Ryuk. However, the incredibly high proportion of cryptomining pushed the overall percentage down, coming in at six percent. Trojan activity was also high, given that Emotet and Trickbot were used to distribute Ryuk, as discussed in part one.

Financial Services


Phishing resulted in the highest levels of malicious DNS traffic in the Financial Services sector. In fact, this sector saw 60 percent more phishing than the next-closest sector, Higher Education. It’s possible that this sector is targeted through phishing more often than others simply because of its proximity to many bad actors’ end goal: money.

Supporting this idea is the fact that the Financial Services sector also saw more information-stealing threats than any other industry. While this category is not known to generate high volumes of DNS traffic (only 2 percent of the sector’s malicious traffic), Financial Services saw five times as much traffic in it as any other industry.


Financial Services also saw the second-highest amount of traffic in a number of categories, such as trojans, botnets, and remote access trojans (RATs). The breadth of malicious traffic seen in this industry could speak to how attractive a target it is to bad actors.

Healthcare


The Healthcare industry saw more trojans than any other sector, as well as higher numbers of droppers. Most of the trojan-based activity can be attributed to Emotet, as healthcare organizations were hit hard by that threat in 2020. Close to seven out of every ten trojans seen within the healthcare sector were Emotet. Throw Emotet’s close cousin Trickbot into the mix, and you’re looking at 83 percent of all trojan-related traffic.


It likely comes as no surprise that ransomware also made its presence known within the Healthcare sector. Ryuk was particularly active, no doubt associated with the high activity surrounding Emotet. The Healthcare sector was also narrowly edged out of the second-highest place for ransomware, coming in only 1.5 percent lower in overall DNS traffic.

Manufacturing


Like the Technology sector, the Manufacturing industry saw high cryptomining activity. It saw roughly half the query volume seen in the Technology sector, but interestingly, almost three times as many endpoints in the Manufacturing sector were involved in cryptomining. In short, more machines generating less DNS activity leads us to believe these endpoints were less powerful than those in the Technology sector. It’s possible that the compromised machines are involved in the manufacturing process itself, including IoT devices. In these cases, cryptomining would likely have been slower, but could still impact production speeds.


It turns out that the Manufacturing sector is also the most likely to be impacted by ransomware. This industry saw almost as much ransomware-related traffic as the next two closest industries combined (Technology and Healthcare). This appears to be a clear indication that the industry is regularly targeted by bad actors, likely through big-game hunting, given the potential payout.

Higher Education


The COVID-19 pandemic closed campuses worldwide in 2020. As classes moved remote, many malicious activities that would have been blocked on campus instead occurred on students’ home networks. This resulted in drop-offs in malicious activity for this sector in many categories from March onwards, and much lower overall numbers in 2020 than in previous years.


That’s not to say that activity dropped off a cliff, as certain activities that would require access to campus resources did register their share of DNS activity. For instance, phishing activity managed to put Higher Education in second place when comparing across industries. Cryptomining outfits also frequently target the Higher Education sector in an attempt to siphon off computing resources, or student-discounted cloud computing credits, to run their miners.

Government


Of the industries that we’ve examined, the Government sector appears to be the most evenly distributed across the top categories highlighted in part one of this series (Phishing, Cryptomining, Ransomware, and Trojans). The Government sector even saw a fairly even distribution for each of these categories when looking at them month-on-month.


The sole exception to this trend was cryptomining, which saw low numbers in the first three quarters of the year, only to jump in October as cryptocurrency values reached a high for the year and continued to climb. However, the month-on-month numbers didn’t fluctuate through the last quarter of the year, remaining at largely the same elevated level each month.

Preventing successful attacks


As mentioned earlier, the data used to show these trends comes from Cisco Umbrella, our cloud-delivered security service that includes DNS security, secure web gateway, firewall, and cloud access security broker (CASB) functionality, and threat intelligence. The malicious activity shown here was stopped in its tracks by Umbrella.

Umbrella combines multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere. Umbrella is the easiest way to effectively protect your users everywhere in minutes.

Picking your battles


There is no doubt that examining trends on the threat landscape can reap benefits. Knowing where attacks are occurring can make it easier to decide where to dedicate your resources to defend against them. Cryptomining and phishing are commonly seen these days, as are trojans like Emotet and Trickbot, which are used to deploy ransomware such as Ryuk.

Of course, different sectors are impacted by different threats in different ways, so it helps to understand the specific trends surrounding the sector you find yourself within. For instance, it would be wise for someone in the Financial Services sector to keep a close eye on phishing trends, while someone in the Manufacturing sector may want to take a closer look at ransomware.

Ultimately, designing a defensive strategy that combines the larger trends with those of your specific industry can bring you a long way towards protecting your assets.

Methodology


We’ve followed the same overall methodology in this blog that we did in part one, with a few changes in representation. Pie charts are based on DNS query traffic to malicious sites. Any category comprising more than one percent of traffic for a particular industry is represented in the charts. All categories below one percent are combined into the ‘All Others’ group in the charts.

Source: cisco.com

Sunday 21 March 2021

Improving DNS Security While Preserving Resiliency


The IETF’s Discovery of Designated Resolvers

The Domain Name System (DNS) has played a key role in the Internet’s success. It was designed to be scalable and resilient to handle enormous growth. The DNS has also proven to be a strong control point used to identify and remediate threats as Cisco Umbrella (previously Cisco OpenDNS) has repeatedly demonstrated. As the industry seeks to strengthen privacy, it must find methods to do so that retain resilience or risk large outages. Used correctly, an emerging technology known as Discovery of Designated Resolvers (DDR) can facilitate secure discovery of resolvers. It’s a significant security feature and is the topic of this blog.

Figure 1: DNS traffic growth over four years (Source: Akamai)

Introduction


DNS has scaled well to meet the needs of over four billion people since its inception in the 1980s. In that time, there has never been an Internet-wide failure of the service. That is thanks to the millions of caching resolvers and large numbers of root servers spread around the world, along with redundancy at every other level. This architecture is no accident; it represents a solid design combined with decades of experience by people globally handling the Internet’s evolutionary growth in both size and capability.

One of the most important capabilities of the DNS is its use as a control point. For example, if bad actors attempt to use the DNS as a command-and-control (C&C) channel between them and their bots, the good guys use the DNS to identify and block those C&C channels. In the case of the recent attack on SolarWinds, this meant blocking queries to *.avsvmcloud[.]com. A key value of Umbrella and similar services is that they are backed by expertise and ongoing operations to identify such threats. With IoT devices using mechanisms such as Manufacturer Usage Descriptions (MUD), the DNS can restrict communications from devices to a known set of destinations. Another use of the DNS as a security control point is to block or redirect answers for known malware sites.

What Has Changed?


For the past few years, the industry has been working on standardizing the privacy of DNS queries. This is a capability that OpenDNS has offered for quite some time through DNSCrypt. DNS over HTTPS (DoH), which OpenDNS also supports, encrypts queries and responses over a RESTful interface and transmits them over HTTPS. This is a strong technological advancement. However, the DoH standard does not define how an application should choose the resolver. Until recently, there were two ways to discover a DoH server: attempt to access DoH on the resolver handed to the application by the operating system, or use one provided by the application vendor.

The first method involves a bit of a guessing game. When applications try to use DoH on existing resolvers, they attempt an HTTPS request on port 443 to the resolver address they learn from the operating system, and check whether a valid DoH response comes back. This requires that the DoH capability be directly bound to the existing hosts that offer DNS over UDP port 53. While this might be a reasonable first attempt to bootstrap DoH, in the longer term these services may have different scaling qualities. In addition, if the version of HTTP changes, applications would have to determine this by trying one HTTP version and then another. Also, in general, it is not good to send requests that the other side might not expect to receive.

Figure 2: Normal DNS versus Application-Controlled DNS

When non-cooperating applications or platforms choose their own resolvers, they bypass the DNS-based malware protections available to the IT administrator (illustrated in Figure 2). This circumvents the will of the user or administrator. If your resolvers are not seeing DNS queries from browsers, this may be what is happening. Moreover, if browser developers were to use a small number of DNS resolver services, one could reasonably expect the existing resolver infrastructure capacity to diminish over time due to lack of demand. This is where we begin to become concerned about overall system resilience. Many of these services on their own are highly resilient. But when they fail, they risk taking out a very large number of services for large portions of the population—at the same time. Because DNS is a fundamental service used by every application, we must pay close attention to this risk.

One key form of protection from these sorts of failures is choice. When enterprises and individuals have the choice of product, the risk of large-scale failures due to a monoculture is considerably diminished.

Enter Discovery of Designated Resolvers


The new proposal, known as Discovery of Designated Resolvers (DDR), provides a way for clients to query their locally configured resolvers for a record that indicates whether a DoH service is available. Either an application or the underlying platform can make use of DDR to locate a DoH resolver by first querying for a list of designated resolvers using a new DNS record type called Service Binding (SVCB). SVCB works similarly to the well-tested, well-known service locator (SRV) record, but also allows for additional application parameters, such as Application-Layer Protocol Negotiation (ALPN) information for Transport Layer Security (TLS). The current proposal offers several different approaches for clients to authenticate resolvers. One requires that the resolver’s certificate contain its IP address. Another approach omits that requirement but requires that the DDR-discovered resolver have the same IP address as the unauthenticated resolver that answered the query. A third approach bases the resolver discovery on a name rather than an IP address. We expect these models to develop further as the DDR proposal matures.

Figure 3: Discovering DNS over HTTPS with DDR

DDR resolves both visibility and scalability concerns, avoiding guesswork by developers. The infrastructure can be exercised so that a large and thriving resolver ecosystem can continue to flourish, with queries and responses encrypted, and reduce the risk of concentration of resolver services. DDR also has the potential to reduce individual device configuration complexity that is handled today by mobile device managers. What is needed are a few new records in resolvers and appropriate certificates on the resolvers.

There are several issues that DDR needs to resolve, such as how to address scaling of large numbers of resolvers, and it sometimes requires validation of IP addresses in certificates. That is a mechanism with which we currently have limited experience at scale. It also often relies on unauthenticated processes to discover the IP addresses of the resolvers that need to be in those certificates. Also, how to securely identify resolvers in devices outside an enterprise environment needs a bit more consideration.

Moving Forward and What Cisco Customers Should Do Now


As currently envisioned, DDR is the best secure resolver discovery proposal to date, but we expect this entire solution space to continue to evolve. A list of DNS resolvers is just one critical element of network configuration that needs to be securely learned. There are many others. The key is to establish trust between the end device and the network infrastructure and then rely on that trust to receive configuration information.

How do we bootstrap that trust? That is another area that the industry needs to devote more time and resources to establish.

For our enterprise, industrial, and small business customers, Cisco’s recommendation is that administrators deploy a secure and reliable resolver service that provides a layered defense against exfiltration and botnets, for all devices at all times, whether at home, at work, or elsewhere. Combined with DNSCrypt or DoH, Cisco Umbrella offers a needed level of protection for safety, security, scalability, and stability.

Because the stability and security of the Internet is an important topic, you may also wish to participate in this discussion hosted by the IETF. DDR will be discussed over the coming months and then submitted for approval. Participation in IETF activities is open to all and there is no cost to join the mailing list discussions.

Source: cisco.com

Friday 12 March 2021

Threat Trends: DNS Security, Part 1

Part 1: Top threat categories

When it comes to security, deciding where to dedicate resources is vital. To do so, it’s important to know what security issues are most likely to crop up within your organization, and their potential impact. The challenge is that the most active threats change over time, as the prevalence of different attacks ebb and flows.

This is where it becomes helpful to know about the larger trends on the threat landscape. Reading up on these trends can inform you as to what types of attacks are currently active. That way, you’ll be better positioned to determine where to dedicate resources.

Our Threat Trends blog series takes a look at the activity that we see in the threat landscape and reports on those trends. After examining topics such as the MITRE ATT&CK framework, LOLBins, and others, this release will look at DNS traffic to malicious sites. This data comes from Cisco Umbrella, our cloud-native security service.

We’ll briefly look at organizations as a whole, before drilling down into the number of endpoints connecting to malicious sites. We’ll also look at malicious DNS activity—the number of queries malicious sites receive.

Overall, this can provide insight into how many malicious email links users are clicking on, how much communication RATs are performing, or if cryptomining activity is up or down. Such information can inform on where to dedicate resources, such as topics requiring security training or areas to build threat hunting playbooks.

Overview of analysis

We’ll look at DNS queries to domains that fall into certain categories of malicious activity, and in some cases specific threats, between January and December of 2020. While performing this analysis we looked at a wide variety of threat trends. We’ve chosen to highlight those that an organization is most likely to encounter, with a focus on the categories that are most active.

It’s worth noting that we’re deliberately not making comprehensive comparisons across categories based on DNS activity alone. The fact is that different threat types require varying amounts of internet connectivity in order to carry out their malicious activities. Instead, we’ll look at individual categories, with an eye on how they rise and fall over time. Then we’ll drill further into the data, looking at trends for particular threats that are known to work together.

Organizations and malicious DNS activity

To start off, let’s look at organizations and how frequently they see traffic going to sites involved in different types of malicious DNS activity. The following chart shows the percentage of Cisco Umbrella customers that encountered each of these categories.


To be clear, this does not indicate that 86 percent of organizations received phishing emails. Rather, 86 percent of organizations had at least one user attempt to connect to a phishing site, likely by clicking on a link in a phishing email.

Similar stories present themselves in other categories:

◉ 70 percent of organizations had users that were served malicious browser ads.
◉ 51 percent of organizations encountered ransomware-related activity.
◉ 48 percent found information-stealing malware activity.

Let’s take a closer look at some of the more prevalent categories in further detail, focusing on two metrics: the number of endpoints alerting to malicious activity (depicted by line graphs in the following charts), and the amount of DNS traffic seen for each type of threat (shown by bar graphs in the charts).

Cryptomining


It’s not surprising that cryptomining generated the most DNS traffic out of any individual category. While cryptomining is often favored by bad actors for low-key revenue generation, it’s relatively noisy on the DNS side, as it regularly pings mining servers for more work.


Cryptomining was most active early in the year, before declining until summer. This, and the gradual recovery seen in the later part of the year, largely tracks with the value of popular cryptocurrencies. As currency values increased, so too did the rate of activity. For example, Cisco Talos researchers noticed an increase in activity from the Lemon Duck threat starting in late August.

It’s also worth noting that there is little difference between “legitimate” and illicit cryptomining traffic at the DNS level. Some of the activity in the chart could be blocks based on policy violations, where end users attempted to mine digital currencies using company resources. In cases like this, administrators would have good reason for blocking such DNS activity.

Phishing


The amount of phishing-related DNS activity was fairly stable throughout the year, with the exception of December, which saw a 52 percent increase around the holidays. In terms of the number of endpoints visiting phishing sites, there were significant increases during August and September.


This is due to a very large phishing campaign, where we see a 102 percentage-point shift between July and September. More on this later, but for now, take note of the point that dramatically more endpoints began clicking on links in phishing emails.

Trojans


Similar to cryptomining, Trojans started the year strong. The incredibly high number of endpoints connecting to Trojan sites was largely due to Ursnif/Gozi and IcedID—two threats known to work in tandem to deliver ransomware. These two threats alone comprised 82 percent of Trojans seen on endpoints in January.


However, the above-average numbers from January were likely tied to a holiday-season campaign by attackers, and declined and stabilized as the year progressed.


In late July, Emotet emerged from its slumber once again, comprising a massive amount of traffic that grew through September. This threat alone is responsible for the large increase in DNS activity from August through September. In all, 45 percent of organizations encountered Emotet.

Ransomware


For most of the year, two key ransomware threats dominated—one in breadth, the other in depth.


Beginning in April, the number of computers compromised by Sodinokibi (a.k.a. REvil) increased significantly and continued to rise into autumn. The increase was significant enough that 46 percent of organizations encountered the threat. In September, overall queries from this particular ransomware family shot up to five times that of August, likely indicating that the ransomware payload was being executed across many of the impacted systems.


However, this is a drop in the bucket compared to the DNS activity of Ryuk, which is largely responsible for the November-December spike in activity. (It was so high that it skewed overall activity for the rest of the year, resulting in below-average numbers when it wasn’t active.) Yet the number of endpoints connecting to Ryuk-associated domains remained relatively small and consistent throughout the year, only showing modest increases before query activity skyrocketed.

So, while one threat corrals more endpoints, the other is much busier. Interestingly, this contrast between the two ransomware threats correlates with the amount of money that each threat reportedly attempts to extort from victims. Sodinokibi tends to hit a large number of endpoints, demanding a smaller ransom. Ryuk compromises far fewer systems, demanding a significantly larger payment.

Tying it all together


In today’s threat landscape, the idea that ‘no one is an island’ holds true for threats. The most prevalent attacks these days leverage a variety of threats at different stages. For example, let’s look at how Emotet is often delivered by phishing in order to deploy Ryuk as a payload. While the data below covers all phishing, Emotet, and Ryuk activity, as opposed to specific campaigns, a clear pattern emerges.


Remember the 102 percentage-point shift in phishing between July and September? This lines up with a 216 percentage-point jump in Emotet DNS activity. Activity drops off in October, followed by an eye-watering 480 percentage-point increase in Ryuk activity.

Emotet’s operations were significantly disrupted in January 2021, which will likely lead to a drop-off in activity for this particular threat chain. Nevertheless, the relationship presented here is worth considering, as other threat actors follow similar patterns.

If you find one threat within your network, it’s wise to investigate what threats have been observed working in tandem with it and take precautionary measures to prevent them from causing further havoc.

For example, if you find evidence of Ryuk, but not Emotet, it might be worth looking for Trickbot as well. Both Emotet and Trickbot have been seen deploying Ryuk in attacks, at times in coordination, and other times separately.

Sure enough, Trickbot follows a similar pattern in terms of DNS activity—lower in the first half of the year, busy in August and September, then quiet in October. However, Trickbot was active between November and December, when Emotet was not, likely contributing to the phenomenal increase in Ryuk activity during these two months.


Preventing successful attacks


As mentioned earlier, the data used to show these trends comes from Cisco Umbrella, our cloud-delivered security service that includes DNS security, secure web gateway, firewall, and cloud access security broker (CASB) functionality, and threat intelligence. In each of these cases, the malicious activity was stopped in its tracks by Umbrella. The user who clicked on a phishing email was unable to connect to the malicious site. The RAT attempting to talk to its C2 server was unable to phone home. The illicit cryptominer couldn’t get work to mine.

Umbrella combines multiple security functions into one solution, so you can extend protection to devices, remote users, and distributed locations anywhere. Umbrella is the easiest way to effectively protect your users everywhere in minutes.

Also, if you’re looking to get more information on the malicious domains that your organization encounters, Umbrella Investigate gives the most complete view of the relationships and evolution of internet domains, IPs, and files — helping to pinpoint attackers’ infrastructures and predict future threats. No other vendor offers the same level of interactive threat intelligence — exposing current and developing threats. Umbrella delivers the context you need for faster incident investigation and response.

Up next


In this blog we looked at the most active threat categories seen in DNS traffic, as well as how evidence of one threat can lead to uncovering others. In part two, we’ll break the data down further to examine which industries are targeted by these threats. Stay tuned to learn more about the impact on your industry!

Methodology


We’ve organized the data set to obtain overall percentages and month-on-month trends. We’ve aggregated the data by the number of endpoints that have attempted to visit certain websites that have been flagged as malicious. We’ve also aggregated the total number of times websites flagged as malicious have been visited. These numbers have been grouped into meaningful threat categories and, when possible, have been marked as being associated with a particular threat.

We’ve also applied filtering to remove certain data anomalies that can appear when looking at malicious DNS traffic. For example, when a C2 infrastructure is taken down, compromised endpoints attempting to call back to a sinkholed domain can generate large amounts of traffic as they unsuccessfully attempt to connect. In cases like these, we have filtered out such data from the data set.

The charts use a variation of the Z-score method of statistical measurement, which describes a value’s relationship to the mean. In this case, instead of using the number of standard deviations for comparison, we’ve shown the percent increase or decrease from the mean. We feel this presents a more digestible comparison for the average reader.
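The following is an added example, not part of the original post or Cisco's own tooling, showing how the methodology above translates into code: aggregating query counts into a monthly series while dropping sinkholed domains, expressing each month as percent above or below the series mean (the Z-score variation the charts use), and then looking for the kind of lagged follow-on spike that the "Tying it all together" section describes for phishing, Emotet and Ryuk. The monthly counts and domain names are constructed sample data chosen only to mimic the shape the text describes, not Umbrella figures.

```python
from statistics import mean

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed monthly DNS-query counts (Jan..Dec) per category. Made up for
# illustration: phishing and Emotet spike Aug-Sep, Ryuk spikes Nov-Dec.
SAMPLE = {
    "phishing": [100, 95, 105, 100, 98, 102, 100, 190, 202, 110, 105, 150],
    "emotet":   [20, 15, 10, 12, 10, 8, 25, 180, 240, 30, 20, 15],
    "ryuk":     [30, 28, 32, 30, 29, 31, 30, 35, 40, 45, 300, 320],
}


def monthly_counts(events, sinkholed=frozenset()):
    """Aggregate (month_index, domain, queries) events into a 12-month series,
    skipping domains known to be sinkholed so that dead C2 callbacks do not
    inflate the category (the filtering step described in the methodology)."""
    series = [0] * 12
    for month, domain, queries in events:
        if domain not in sinkholed:
            series[month] += queries
    return series


def pct_from_mean(series):
    """Percent above (+) or below (-) the series mean for each month. This is
    the 'Z-score variation' from the methodology: distance from the mean given
    as a percentage rather than in standard deviations."""
    m = mean(series)
    return [round((v - m) / m * 100, 1) for v in series]


def peak_months(series, threshold=50.0):
    """Months in which activity sits at least `threshold` percent above its mean."""
    return [MONTHS[i] for i, p in enumerate(pct_from_mean(series)) if p >= threshold]


def follows(earlier, later, max_lag=3, threshold=50.0):
    """Return (earlier_peak, later_peak, lag_in_months) triples where a spike in
    `later` begins within `max_lag` months after a spike in `earlier`. A hit is
    a prompt to hunt for the second threat when the first has been seen."""
    e = [i for i, p in enumerate(pct_from_mean(earlier)) if p >= threshold]
    l = [i for i, p in enumerate(pct_from_mean(later)) if p >= threshold]
    return [(MONTHS[i], MONTHS[j], j - i) for i in e for j in l if 0 < j - i <= max_lag]


if __name__ == "__main__":
    for name, series in SAMPLE.items():
        print(name, pct_from_mean(series), peak_months(series))
    print("phishing -> emotet:", follows(SAMPLE["phishing"], SAMPLE["emotet"]))
    print("emotet -> ryuk:", follows(SAMPLE["emotet"], SAMPLE["ryuk"]))
```

With this sample, Ryuk's November and December spikes fall two to three months after Emotet's August and September spikes, which is the pattern the post draws attention to; on real data the threshold and lag window are the knobs to tune, and a peak in a category with only a handful of endpoints (as the post notes for Ryuk) should be read alongside the endpoint count, not on query volume alone.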

Source: cisco.com