Is your data being exfiltrated?

CERT-LatestNews Malware Security News ThreatsActivists ThreatsCybercrime ThreatsEconomic ThreatsStrategic Uncategorized
Rene Bosman, Manager, Infoblox Africa.

Rene Bosman, Manager, Infoblox Africa.

This bold statement by Rene Bosman, Manager at Infoblox Africa, is supported by the statistics. Gartner puts the average time taken to detect a data breach at 99 days.

Bosman says: “Data theft traditionally involves the use of malware to infiltrate the network and exfiltrate the data. A growing trend we’re seeing is that around 90% of malware and botnet attacks are using the DNS (domain name system) to infiltrate a network. Classic anti-virus and firewalls aren’t effective against this type of attack, which is why this weak spot in most businesses is being targeted.”

When it comes to keeping your network secure, there are three aspects, the first of which is infrastructure protection. Obviously increased movement to the cloud and hybrid infrastructure poses its own set of challenges, says Bosman. The second aspect is data protection and malware mitigation, where users and their data are protected. Finally there’s threat containment and operations, which is about responding quickly and effectively.

  See also


What’s concerning, says Bosman, is that traditional DNS systems are still wide open to attack. “Businesses generally have no visibility or security around their DNS, but there’s a growing realisation that this system has weaknesses that can be exploited. Over the past four months, while doing security assessments at businesses across the country, we’ve picked up a significant increase in the number of data breach initiatives targeting networks. Businesses should never compromise their DNS and should invest in enterprise- or carrier-grade DNS systems.”

According to the DNS Security Survey (December 2014) 46% of respondents said their organisation experienced DNS data exfiltration, while 45% of respondents had experienced DNS tunnelling to bypass network access or security controls.

The goal of these data breach attacks can be hacktivism, espionage or financial, and they traditionally target regulated data, personally identifiable information, intellectual property or company financial information and payroll data.

Bosman says: “Regardless of the industry you’re in, your data is at risk. If your customer data or confidential data is leaving your company, and you don’t know where it’s going, you have a serious security threat. The Ponemon Institute puts the average consolidated cost of a data breach at $4 million. What business can afford an attack of this magnitude?”

A contributing factor to the increase in attacks is that cyber criminals are simply becoming smarter. If you look at security from a traditional perspective, there are two possible approaches; there is the data that certain categories of staff can’t access, and then there is the behavioural DNS traffic, which is where cyber criminals are focusing their attention.

Bosman explains: “Cyber criminals change the behaviour of the DNS request by inserting information in front of the domain name, most people don’t notice this and transact as usual on the Web site. The DNS becomes the data exfiltration platform, this can happen over days, weeks or even years and the business doesn’t realise. Bosman says. There are multiple well publicised examples of where this has happened.

The challenge, according to Bosman, is how you are using your threat intelligence data and feeds to keep your security systems up to date. Which is where behaviour-based protection at DNS level comes to the fore. “You need the ability to look at the information included in the domain name and see if there’s something there that doesn’t belong. This can then be flagged and blocked immediately, based on entropy methodologies.”

This is the first step in creating a cyber kill chain. The second step is to share that information with your ecosystem partners or vendors in your network as it might be relevant for their security so that they can update their firewall or endpoint security. Bosman says: “Businesses need to create a holistic overview of all security incidents to create a cyber kill chain in order to remediate the problem.”

Steps to creating a cyber kill chain:
* Understand what authorised and unauthorised hardware is on your network;
* What authorised and unauthorised software is on your network;
* Do you have the latest secure configurations for the abovementioned hard- and software;
Look at your malware defences, are you running the latest versions?
* Is your security configuration for the network at the level it should be
* Consider boundary defence – is your Web site secure against a DNS attack? This includes whether your service provider also has DNS protection.
* Do you have data protection to prevent data from leaving the company and landing up in the wrong hands?

Bosman concludes by saying: “The shorter the cyber kill chain, the faster you can remediate a solution. Which is why sharing information with third parties, such as a SIEM, is so critical, so that everyone around you is equally effective and secure. Ultimately, this is what shortens the kill chain.”

Our comments policy does not allow anonymous postings. Read the policy here