Domain Name Services – Friend & Foe
Every reader of this blog will know that the Domain Name Service is a program/component/server role (depending on how old you are and how you take your poison) which turns the names for Internet resources like websites, mail servers etc. into their registered IP addresses.
More technical readers (and we would really like to understand the breakdown of our blog readers) will know that DNS has a quite complex history. It was originally designed in 1983 and proposed as RFCs 882 and 883. Until then, the world’s largest distributed network, ARPANET, used a single WHOIS.TXT file maintained manually by Elizabeth Feinler, with additions and deletions requested over the telephone.
Obviously, after tearing out a lot of her hair, Ms Feinler developed the concept of domains; proposals were submitted, and DNS and its predecessor BIND were born as a distributed, hierarchical naming system which, although heavily extended, is still in use pretty much everywhere today.
Of course, young pretenders such as Banyan’s Vines and Novell Directory Services (OK, not strictly exact competitors but certainly wanted to be) have been and gone. DNS is here for the foreseeable.
Whilst we are on a history lesson (and we think that history in the tech and cyber worlds is very important, since they tend to move in cycles), it is pretty much the case that Novell, which had by far the largest enterprise network server market share, was brought to its knees because it resisted native implementation of standards such as TCP/IP (really, kids) and DNS, whilst Microsoft (at the time well known for reinventing many wheels) was quick to support them. There is a lesson in there for all of us.
Whilst performing apparently simple tasks, DNS is extraordinarily complex under the hood, with many implementations built on legacy code (think beards and sandals). For anyone interested, the O’Reilly book DNS and BIND is a cracker.
DNS records are also very rich in data, which brings us to the first piece of this week’s news.
Epik, describing itself as the ‘Swiss bank of the domain industry’, provides services to many (often) far-right groups which have been banned from mainstream domain registrars, such as Parler, an enabler of civil unrest in the USA. The company is run by one ‘Robert Monster’. The words you are looking for are nominative determinism. We looked it up so you didn’t have to.
It has come to light this week that Epik was warned about bugs on its website by security researcher Corben Leo in January, who reasonably enough asked about a bug bounty. Epik/Monster did not respond. The rest is history.
In addition to Epik’s credibility being shattered, you can rest assured that law enforcement and investigative journalists will be all over the data. Watch this space!
DNS is also often used for nefarious purposes, for instance to use a wireless network without authentication, or to exfiltrate data without detection. This is possible because many enterprise configurations allow outbound DNS requests from anywhere to anywhere by default, so hackers tunnel traffic inside the DNS requests themselves: DNS tunnelling. It is slow but very effective.
Although many perimeter security technologies will detect it if they are configured correctly, DNS tunnelling has been an issue for years and is still widely used by the bad guys, including our old associates, the nation state-sponsored actors.
This week, the research arm of Recorded Future, the Insikt Group (insikt is Swedish for insight), uncovered exfiltration of data from an Indian media giant, attributed to Chinese state-sponsored actors named TAG-28 (by Insikt) using good old DNS tunnelling.
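The traits that give DNS tunnelling away in query logs (many never-repeated, long, high-entropy subdomains under one base domain, usually carried in payload-friendly record types) can be scored with a few lines of code. The following is an added example written for this post, not Tiberium’s tooling or the Insikt Group’s analysis; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log (not from the article): "<timestamp> <client-ip> <qtype> <qname>".
# The first three lines are ordinary lookups; the rest mimic a tunnel packing hex data into labels.
SAMPLE_LOG = """\
2021-09-20T10:00:01 10.0.0.5 A www.example.com
2021-09-20T10:00:02 10.0.0.5 A mail.example.com
2021-09-20T10:00:03 10.0.0.5 AAAA www.example.com
2021-09-20T10:00:04 10.0.0.7 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8091a2b3.0001.t.example.net
2021-09-20T10:00:05 10.0.0.7 TXT c4d5e6f708192a3b4c5d6e7f80912a3b.0002.t.example.net
2021-09-20T10:00:06 10.0.0.7 TXT 9f8e7d6c5b4a39281706f5e4d3c2b1a0.0003.t.example.net
2021-09-20T10:00:07 10.0.0.7 TXT 0123456789abcdeffedcba9876543210.0004.t.example.net
2021-09-20T10:00:08 10.0.0.7 TXT deadbeefcafebabe0123456789abcdef.0005.t.example.net
"""

def shannon_entropy(s):
    """Bits per character of s; encoded payload labels score close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_line(line):
    """Split a log line into client, record type, subdomain labels and a crude registered domain."""
    _ts, client, qtype, qname = line.split()
    labels = qname.lower().rstrip(".").split(".")
    # Last two labels as the "base" is a simplification; production code would use the public suffix list.
    return client, qtype, labels[:-2], ".".join(labels[-2:])

def score_dns_log(log_text):
    """Aggregate per (client, base domain): query count, subdomain uniqueness, label length, entropy, record type."""
    groups = defaultdict(lambda: {"n": 0, "subs": set(), "chars": 0, "ent": 0.0, "txt": 0})
    for line in log_text.strip().splitlines():
        client, qtype, sub_labels, base = parse_line(line)
        g = groups[(client, base)]
        g["n"] += 1
        g["subs"].add(".".join(sub_labels))
        g["chars"] += sum(len(label) for label in sub_labels)
        g["ent"] += shannon_entropy(sub_labels[0]) if sub_labels else 0.0
        g["txt"] += int(qtype in ("TXT", "NULL", "CNAME"))  # record types that carry arbitrary data back
    return {k: {"queries": g["n"], "unique_ratio": len(g["subs"]) / g["n"], "avg_sub_len": g["chars"] / g["n"],
                "avg_entropy": g["ent"] / g["n"], "txt_ratio": g["txt"] / g["n"]} for k, g in groups.items()}

def suspected_tunnels(findings, min_queries=5):
    """Flag groups whose subdomains are almost all unique, long and high-entropy, mostly over payload-carrying types."""
    return sorted(k for k, f in findings.items()
                  if f["queries"] >= min_queries and f["unique_ratio"] > 0.9
                  and f["avg_sub_len"] > 30 and f["avg_entropy"] > 3.0 and f["txt_ratio"] > 0.5)
```

Thresholds like these need tuning against a baseline of your own resolver logs, since CDNs, anti-spam lookups and some telemetry legitimately produce long, random-looking subdomains.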
What lessons can be learned from these two tales? We have the following suggestions:
- Heed the warnings of bounty hunters and consider a bounty scheme, even a small one.
- Understand that many components of your infrastructure, seemingly simple, look like the car from Back To The Future under the hood and it is important to have expert advice on tap.
- Best practice configuration of simple tooling is often more effective than default deployment of complex (and expensive) security solutions that you cannot effectively manage, especially after John, the fan of that particular security technology, has left the building.
- Understand that hackers and their methods range from very simple to very complex and very sneaky. Actively look for threats and activity in your environment, or engage a partner to do this for you regularly.
- Don’t provide services for extremists if you can help it. Try not to be a monster!
Tiberium has extensive expertise in best practice configuration, threat hunting and security architecture. Our managed services FROST and MYTHIC deploy automatically, configuring components to best practice in hours not weeks, improving your security posture from day one.
Tiberium’s MYTHIC service includes regular threat hunting and, yes, we would notice DNS abuse.
Tiberium is running an online SOC analyst training event on the 6th of October 2021, where you will learn how to tackle a cyber incident using Azure Sentinel and Microsoft Defender.
Explore the power of Kusto Query Language (KQL) and the automation capabilities of the Microsoft Security stack, follow along and pick up skills that you can use within your own SOC.
Sign up for it here and if you have people you work with, or know who would find this useful, do recommend it to them.
Let us show you the future. Contact us.
Epic is a song by Faith No More. The chorus repeats the words ‘What is it?’. We think it is best to have a good idea of what it might be before it is too late and we are happy to help you understand the risks to your business before they happen.