The three methodologies behind DNS threat detection

Intelligent and analytical identification of anomalies in DNS activity is key to stopping threats before they become a real problem, says Dr Malcolm Murphy, systems engineering manager, Infoblox

Every security product that carries out threat detection, including protection against threats that exploit the Domain Name System (DNS), bases its actions on one or more of three methods: reputation, signature, and behaviour.

Reputation, reputation, reputation

Reputation is the oldest and most commonly used method of threat detection. Ratings on Amazon, eBay or TripAdvisor, for example, help us decide whether or not to buy a particular product or eat at a certain restaurant.

What's important about reputation is the research behind it: the number of sources. After all, a large number of ratings or reviews is likely to be a more reliable gauge of reputation than just a handful.

A firewall will often use a reputation-based feed to recognise external threats, as will an email filter, and even some lists of trusted executables.

As with the consumer example, the greater the pool of sources that contributes to this list, the more accurate and reliable it will be. But the real strength of a list relies on the researchers that contribute to it, as well as the data they provide.

For example, if a certain domain is blacklisted but that information isn't shared, only the researcher who listed it will know who, if anyone, is guilty by association. After all, a name is either on a list or it isn't.

In practice, a DNS firewall can save time and resources by checking both sides of a DNS transaction, queries and responses, against a reputation-based list at every iterative step. If there's no match, the query is allowed. Should a bad actor be identified at any stage, however, the process should stop there, preventing further lookups on other names hosted by the same malicious domain.
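The check described above, as an added illustration that is not Infoblox's code or any real product: a toy resolver that consults a reputation list on the query side before each lookup and on the response side before following a CNAME or accepting an address, and stops as soon as either side matches. The blocklist, the zone data and the resolver loop are all constructed for this example; a listed name is assumed to cover its subdomains, and no public-suffix handling is attempted.

```python
"""DNS firewall reputation check on both the query and the response at each
step of resolution. Added example; BLOCKED_* and ZONE are constructed for
illustration and are not a real reputation feed or real DNS data."""
from dataclasses import dataclass, field

BLOCKED_NAMES = {"bad.example"}   # assumption: a listed name also covers its subdomains
BLOCKED_IPS = {"203.0.113.66"}

# Constructed, simplified zone data: name -> list of (rrtype, rdata)
ZONE = {
    "www.shop.example": [("CNAME", "edge.cdn.example")],
    "edge.cdn.example": [("A", "198.51.100.10")],
    "update.good.example": [("CNAME", "cdn.bad.example")],  # chain ends on a listed name
    "cdn.bad.example": [("A", "203.0.113.66")],
    "mirror.example": [("A", "203.0.113.66")],             # clean name, listed address
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    steps: list = field(default_factory=list)   # names actually looked up before deciding


def name_is_listed(name: str) -> bool:
    """True if the name or any parent domain of it is on the reputation list."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_NAMES for i in range(len(labels)))


def resolve_with_reputation(qname: str, max_steps: int = 8) -> Decision:
    """Follow the resolution chain for qname, checking reputation at every step."""
    name = qname.lower().rstrip(".")
    steps = []
    for _ in range(max_steps):
        # Query side: refuse before the lookup, so no further names under the
        # same malicious domain are ever resolved.
        if name_is_listed(name):
            return Decision(False, f"query name {name} is on the reputation list", steps)
        steps.append(name)
        records = ZONE.get(name)
        if not records:
            return Decision(True, "no match (NXDOMAIN)", steps)
        rrtype, rdata = records[0]
        # Response side: check what the answer points to before following it.
        if rrtype == "CNAME":
            if name_is_listed(rdata):
                return Decision(False, f"response points to listed name {rdata}", steps)
            name = rdata
            continue
        if rrtype == "A" and rdata in BLOCKED_IPS:
            return Decision(False, f"response address {rdata} is on the reputation list", steps)
        return Decision(True, f"no match ({rrtype} {rdata})", steps)
    return Decision(False, "CNAME chain too long", steps)


if __name__ == "__main__":
    for q in ("www.shop.example", "update.good.example", "mirror.example", "evil.bad.example"):
        d = resolve_with_reputation(q)
        print(q, "ALLOW" if d.allowed else "DENY", d.reason, d.steps)
```

Note that `update.good.example` is itself clean; it is the response-side check that catches the redirection to a listed name, and the chain is cut there, so `cdn.bad.example` is never looked up.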

Checking the signature

Every online transaction has its own particular signature and so, therefore, does every threat. A DDoS attack, for example, will always have a certain marker, performing in a certain way.

Threat detection solutions need to look for specific signatures in every DNS transaction. If found, a decision must be made whether to pass it or deny it.

If too many identical signatures arrive at once, they should be denied. There's nothing wrong with a transaction that starts with a three-way TCP handshake, for example, but if there are 10,000 of them per second, this is very likely a flood or amplification attack.
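A rate-based signature of the kind described above, as an added example (not from the article or any Infoblox product): a sliding one-second window counts identical transaction signatures per source and flags the source once the count passes the threshold. The 10,000-per-second figure is the article's; the window size, the event format and the sample stream are constructed assumptions.

```python
"""Rate-based signature: flag when too many identical transaction signatures
arrive from one source inside a one-second window. Added example with a
constructed event stream; 10,000/s is the article's figure, the rest is assumed."""
from collections import defaultdict, deque

THRESHOLD_PER_SECOND = 10_000   # from the article
WINDOW_SECONDS = 1.0            # assumed window length


class RateSignature:
    """Sliding-window counter keyed by (source, signature)."""

    def __init__(self, threshold=THRESHOLD_PER_SECOND, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)   # key -> timestamps inside the window

    def observe(self, source: str, signature: str, ts: float) -> bool:
        """Record one event; return True once this key exceeds the threshold."""
        q = self._seen[(source, signature)]
        q.append(ts)
        while q and ts - q[0] >= self.window:   # drop events that fell out of the window
            q.popleft()
        return len(q) > self.threshold


def detect_floods(events, threshold=THRESHOLD_PER_SECOND, window=WINDOW_SECONDS):
    """events: iterable of (ts, source, signature), time-ordered.
    Returns {(source, signature): first timestamp at which the threshold was exceeded}."""
    det = RateSignature(threshold, window)
    first_trigger = {}
    for ts, src, sig in events:
        key = (src, sig)
        if key not in first_trigger and det.observe(src, sig, ts):
            first_trigger[key] = ts
    return first_trigger


def constructed_events():
    """Constructed sample: one client doing 4 handshakes a second for 10 seconds,
    and one source sending 12,000 identical SYN signatures within half a second."""
    ev = [(i * 0.25, "10.0.0.5", "tcp-syn") for i in range(40)]
    ev += [(5.0 + i / 24_000, "198.51.100.7", "tcp-syn") for i in range(12_000)]
    return sorted(ev)


if __name__ == "__main__":
    for key, ts in detect_floods(constructed_events()).items():
        print(f"{key[0]} exceeded {THRESHOLD_PER_SECOND}/s of '{key[1]}' at t={ts:.3f}s")
```

The same counter can be keyed by whatever signature the detector extracts from a DNS transaction (query type, response size class, and so on); the decision logic is unchanged.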

It can take time to dissect and understand all aspects of an attack before a signature is established. But once researchers have identified a malicious attack's signature, it becomes very difficult for cyber criminals to use that attack to breach protected systems.

That's not normal behaviour

By establishing what normal behaviour looks like, behavioural analytics can identify abnormal behaviour. Unlike reputation and signature, behaviour-based threat detection is adaptive and can be applied to everything that happens, as it happens. It learns as we do.

Analytics will look at contiguous sequences of the same item, and at whether a certain character appears too many times in a row within the same word or string, such as six sixes in a row, or three fours. Natural-language data doesn't look like this; encoded or encrypted data does.

Typically, during DNS tunnelling or an exfiltration attempt, the DNS queries will be the same size each time. Behaviour-based threat detection will look at how many of a particular user's queries are of different sizes, as they should be in most genuine DNS transactions.

It will also look at the number of queries made to a particular domain over a certain period of time, and at the answers returned to those queries. And because most genuine DNS names are made up of words, it will check whether that is the case.

Together, these factors produce a behavioural score that helps to establish whether particular DNS traffic is genuine or an attempt at slowly and quietly exfiltrating corporate information through DNS queries.
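The behavioural scoring described in the three preceding paragraphs, as an added example that is not the article's or any vendor's code: each (client, domain) group of queries is scored on four indicators taken from the text, namely repeated-character runs in labels, query-size uniformity, query volume to one domain, and whether the subdomain labels look like words. The log format, the tiny word list, the thresholds and the sample traffic are all constructed assumptions; the run check is applied to digits only, because the article's examples ("six sixes", "three fours") are digit runs, and the registered domain is taken to be the last two labels.

```python
"""Behaviour-based scoring of DNS queries: repeated-character runs, query-size
uniformity, query volume per domain and word-likeness of labels. Added example
with constructed logs; thresholds and word list are assumptions."""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed tiny word list; a real system would use a full dictionary.
WORDS = {"www", "mail", "shop", "login", "api", "static", "cdn", "update",
         "images", "example", "com", "net", "org"}

# Assumed thresholds (the article gives only "three fours" / "six sixes" as examples).
MIN_QUERIES = 20        # queries per (client, domain) in the observed period
MIN_UNIFORMITY = 0.8    # share of queries that have the modal length
MAX_DIGIT_RUN = 3       # a run of this many identical digits is suspicious
MIN_WORDINESS = 0.5     # share of subdomain labels found in WORDS


def max_digit_run(s: str) -> int:
    """Longest run of one repeated digit in s (e.g. 'a444b' -> 3, 'www' -> 0)."""
    return max((len(m.group(0)) for m in re.finditer(r"(\d)\1*", s)), default=0)


def registered_domain(qname: str) -> str:
    # Assumption: last two labels form the registered domain (no public-suffix list)
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def wordiness(qname: str) -> float:
    """Share of subdomain labels (everything left of the registered domain) in WORDS."""
    labels = qname.rstrip(".").lower().split(".")[:-2]
    if not labels:
        return 1.0
    return sum(1 for lbl in labels if lbl in WORDS) / len(labels)


def behaviour_scores(log_lines):
    """log_lines: 'client qname' per line (constructed format).
    Returns {(client, domain): (score, [reasons])}, one point per indicator hit."""
    groups = defaultdict(list)
    for line in log_lines:
        client, qname = line.split()
        groups[(client, registered_domain(qname))].append(qname)

    results = {}
    for key, qnames in groups.items():
        reasons = []
        if len(qnames) >= MIN_QUERIES:
            reasons.append(f"{len(qnames)} queries to one domain in the period")
        uniformity = Counter(len(q) for q in qnames).most_common(1)[0][1] / len(qnames)
        if uniformity >= MIN_UNIFORMITY:
            reasons.append(f"{uniformity:.0%} of queries are the same size")
        run = max(max_digit_run(q) for q in qnames)
        if run >= MAX_DIGIT_RUN:
            reasons.append(f"run of {run} identical digits inside a label")
        words = sum(wordiness(q) for q in qnames) / len(qnames)
        if words < MIN_WORDINESS:
            reasons.append(f"only {words:.0%} of subdomain labels look like words")
        results[key] = (len(reasons), reasons)
    return results


# Constructed sample: an ordinary client, and one whose queries look like a tunnel
# (30 fixed-length hex labels under a single domain).
BENIGN = [f"10.0.0.5 {h}.shop.example" for h in ("www", "mail", "login", "api", "static")]
TUNNEL = [f"10.0.0.9 {hashlib.sha256(str(i).encode()).hexdigest()[:32]}.tunnel.example"
          for i in range(30)]

if __name__ == "__main__":
    for key, (score, reasons) in behaviour_scores(BENIGN + TUNNEL).items():
        print(key, score, reasons)
```

The score is deliberately additive rather than weighted: a single indicator (a long hex label, say) is common in legitimate CDN traffic, while a group that hits three or four at once is what the article's slow-exfiltration case looks like, so an alert threshold belongs on the combined score, not on any one feature.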

In isolation or in combination

Each of the three methods has its own peculiarities, and one may be better suited to detecting a particular form of threat than the others.

Some security solutions use more than one method. Many firewalls combine reputation and signature, for example, looking at the signatures of certain attacks and comparing them against reputational feeds to build their block lists.

Others may combine behaviour and reputation to determine whether something executing on an endpoint is good or bad.

Ultimately, in isolation or in combination, employing an intelligent and analytical approach to identifying anomalies in DNS activity is key to stopping threats before they become a real problem.