It's become virtually impossible to protect against all the threats all of the time – not without disconnecting all your systems from the internet... and perhaps not even then…
Without the option of reverting to the pre-digital age, the trend for cyber-security professionals has been to increase their vigilance and awareness of what's going on in and around their networks. There's an understanding that everyone is under attack for a lot of the time, and that if blocking attackers completely isn't possible, keeping tabs on what they're up to is vital to limit any potential exposure, data loss or breaches.
But this is hard to do. There are a thousand different security monitoring tools that investigate and trigger alerts on everything from firewall exceptions to unauthorised access to data, and the more tools you have doing this, the more likely it is you'll face up against false positives, and struggle to find the vital needles in haystacks you need to keep your organisation protected. And of course, as automated network security has become more sophisticated, so have cyber-criminals. They continually probe for and discover new vulnerabilities to exploit, be they in people, process or technology. The enterprise security software gets you so far in providing automated mitigation against these threats, but good old-fashioned detective work is essential too.
One of the key areas to look for clues as to the activity of cyber-criminals is DNS traffic. Generally regarded to be too messy, with too much data coming in too fast to use as a basis for security investigations, new tools are making real time data analysis and exploration possible. This is turning previously ignored data in to a source of valuable insight.
Here are three key cyber-security insights real-time analysis of DNS traffic can reveal:
1. Probing spikes. Botnets are a resource that can be rented on the dark web; so attackers may run probing challenges using smaller Botnets and/or small amounts of Botnet rented time to see how your systems hold up. Being aware of this can make you aware that something is going on, and that a more dramatic attack, be it a DDoS attack or an attempt to exploit a software vulnerability, may follow. This should put you on high alert and trigger the preparations such an attack might require.
2. Massively distributed traffic sources. If you notice thousands of requests from unusual destinations, atypical from the ordinary traffic you have, you may once again be facing a Botnet launched attack, and can start to evaluate measures to mitigate it. The initial waves of these sorts of attacks aren't always overwhelming, but may well signal that a larger attack may follow, and relatively simple measures – like temporarily blocking DNS traffic from some of the less likely sources of genuine traffic for your organisation – may prove helpful in mitigating its impact.
3. Anomalous traffic patterns. If you notice unusual behaviour in the way your own systems and servers are reacting to internet traffic, you may have uncovered a vulnerability. We observed this ourselves when looking at the traffic from certain name servers within our network. In this case it prompted us to work with Internet Systems Consortium to patch the software vulnerability in question, but often it may result in more prosaic discoveries, such as outdated server software, which could prompt a simple patch process to secure you against possible exploits.
In the future, it will be possible to use these insights to mitigate threats in real time – where getting 10,000 requests in seconds from 10,000 sources is more than any human or current automated system can easily deal with, real-time DNS analysis will make it possible to dynamically filter out unclean traffic and provide a real assurance against the threat of DDoS attacks (attacks that can cripple websites and online services).
Cyber-security is only going to occupy an increasing proportion of the IT team's time. As well as the technical experts, some data-scientist-type forensic investigators looking for clues in your organisation's DNS data might be a key defence against these attacks in the future.
Contributed by Chris Griffiths, director & general manager, new products & business development, Nominet