Locky is a new cyberthreat that has received a lot of attention in security circles over the last few months because it has been unusually successful. Locky is advanced ransomware that encrypts a victim’s files and holds them for ransom. It uses a number of techniques to avoid being detected or blocked and takes great care to hide the path back to its operators: the code is obfuscated to evade antivirus and anti-malware software, the blackmailers communicate over Tor, and they accept only Bitcoin as payment, which makes it nearly impossible to discover who they are.
Nominum Research continues to refine its algorithms, working toward more general methods for quickly detecting “anomalous” activity that might indicate DDoS, bots, or other undesirable behavior. Simplifying somewhat, the algorithms examine high-speed, real-time data streams, continuously comparing a small window of incoming queries against a very large “normal” historical sample. Unexpected variations are flagged and the relevant data is captured for further analysis.
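To make the window-versus-baseline idea concrete, here is an added example (written for this page, not Nominum’s code). It keys queries by (client, base domain), summarizes a long history of past windows as a per-key mean and standard deviation, then scores one short live window and flags keys whose count is both above an absolute floor and several standard deviations above their baseline, capturing the matching queries for later analysis. The keying, the z-score rule, the thresholds, the naive two-label base-domain extraction and all sample traffic are assumptions constructed for illustration.

```python
"""Window-versus-baseline anomaly detection over a DNS query stream.
Added example for illustration; keying, scoring and sample data are assumptions."""
from collections import Counter
from statistics import mean, pstdev


def base_domain(qname):
    """Naive registered-domain extraction (last two labels); assumed for the example."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_baseline(history_windows):
    """Summarise a large historical sample.

    history_windows: list of Counter objects, one per past window, keyed by
    (client, base_domain). A key absent from a window counts as 0, so the
    baseline covers every key that ever appeared. Returns {key: (mean, stdev)}.
    """
    keys = set().union(*history_windows)
    baseline = {}
    for key in keys:
        series = [w.get(key, 0) for w in history_windows]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def score_window(window_queries, baseline, z_threshold=4.0, min_count=20):
    """Compare one short window of live queries against the baseline.

    window_queries: list of (client, qname, qtype) seen in the window.
    Returns [(key, count, z, captured_queries)] for keys that exceed both an
    absolute floor (min_count) and a z-score threshold. The matching queries
    are kept so an analyst can inspect them afterwards.
    """
    counts = Counter((client, base_domain(qname)) for client, qname, _ in window_queries)
    anomalies = []
    for key, count in counts.items():
        mu, sigma = baseline.get(key, (0.0, 0.0))
        # Never-seen keys (and constant ones) have sigma 0; a floor of 1 query
        # keeps the score finite and still flags a sudden burst of a new name.
        z = (count - mu) / max(sigma, 1.0)
        if count >= min_count and z >= z_threshold:
            captured = [q for q in window_queries
                        if (q[0], base_domain(q[1])) == key]
            anomalies.append((key, count, round(z, 2), captured))
    return anomalies


# --- Constructed sample data (not captured traffic) ---------------------------

def make_history(n_windows=50):
    """50 past windows in which 10.0.0.5 resolves example.com 8..12 times each."""
    return [Counter({("10.0.0.5", "example.com"): 8 + (i % 5)})
            for i in range(n_windows)]


def make_current_window():
    """Normal traffic from 10.0.0.5 plus a burst of 200 distinct subdomains of
    victim.test from 198.51.100.9, the shape of a random-subdomain flood."""
    window = [("10.0.0.5", "www.example.com", "A") for _ in range(12)]
    window += [("198.51.100.9", f"{i:04x}.victim.test", "A") for i in range(200)]
    return window


if __name__ == "__main__":
    baseline = build_baseline(make_history())
    for key, count, z, captured in score_window(make_current_window(), baseline):
        print(f"ANOMALY {key}: {count} queries in window, z={z}, "
              f"first captured: {captured[0]}")
```

Run as a script it reports only the victim.test burst: the 12 example.com queries sit about 1.4 standard deviations above their mean of 10 and are left alone, while the 200 queries for a name with no history score z=200. In production the baseline would be updated incrementally rather than rebuilt, and the min_count floor matters: without it, a key with a flat history of zero would be flagged by a handful of queries.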
The DNS has played an essential role since the earliest days of the Internet, resolving an IP address when given a domain name. Now it’s being considered for security applications. There are many fundamental reasons why it makes sense:
Today’s hackers are all about money, and they constantly change the face of their exploits to maximize their returns. These agile attacks require agile defenses. Moving security protections into the network is essential to enabling more reliable updates of threat information; aggregation also provides significant scaling and manageability benefits. DNS-based security protections improve agility because DNS queries are a leading indicator of security exposure: the DNS participates in web transactions from a strategic vantage point, which gives it visibility into the presence of security threats.
Network operators and IT departments constantly reassess their security exposure and evaluate the best methods for protecting their networks and end users. New security solutions are always emerging to help them, and one that’s starting to receive a lot of attention is the DNS. That raises an obvious question: “how in the world does the DNS become a security platform?”
Everyone agrees that protecting Internet users from malware and social engineering exploits like phishing is a valuable thing to do. At minimum these attacks are a nuisance because they degrade the Internet experience; in the worst case they can be costly and dangerous. But protecting networks and end users is becoming more difficult because attackers are making their exploits more dynamic and thus harder to detect. This is stressing some solutions, such as endpoint client software, that have been a primary means of protecting end systems.
Just as it’s important for service providers and enterprises to maximize the performance and availability of their caching DNS servers, it’s important for brand owners and IT departments to ensure the robustness of their Authoritative DNS. Some of the issues are similar, but ensuring security of Authoritative data also has to be considered.
An earlier post talked about how important it is to maximize the responsiveness and availability of caching DNS in order to maintain a good user experience. It focused on the benefits of using Anycast. There are several other things worth considering for caching DNS as covered below: