How to Disrupt Ransomware Using DNS, DHCP and IPAM
If you have not heard about either WannaCry or Jaff, I would suggest you start by reading my blog to learn more about the two attacks and how they spread. The large-scale ransomware attacks infected hundreds of thousands of computers worldwide and the demand for ransom ranged from a few hundred dollars to over three thousand dollars.
Both WannaCry and Jaff, like other ransomware and most modern malware, use DNS at one or more stages of the cyber kill chain. DNS may be used during the reconnaissance phase of a targeted attack. It is used in the delivery phase, as potential victims unknowingly make DNS queries for the domains and IP addresses involved in the attack, and in the email delivery process when the ransomware propagates via spam campaigns. Likewise, the exploitation phase may involve DNS queries when the victim's system is compromised and infected, and DNS is frequently used when an infected system checks in with its command and control (C&C) infrastructure. WannaCry and Jaff are no different. In addition to using a vulnerability in Microsoft Server Message Block (SMB) to spread, WannaCry, during its initial infection, tries to resolve and connect to a particular domain name, the so-called killswitch: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Jaff communicates with its command and control server using DNS just before it starts encrypting the user's files.
Given that DNS plays such an important role in the ransomware kill chain, it becomes a crucial control plane for preventing and detecting such attacks and resolving them faster. Here are a few things that Infoblox recommends you do with DNS, DHCP and IPAM (DDI).
Mitigating WannaCry, Jaff and Other Ransomware using DNS, DHCP and IPAM
- Implementing DNS Response Policy Zone (RPZ): RPZ lets a recursive DNS server apply policy to the answers it gives, so that a query for a certain domain or category of domains can be answered with NXDOMAIN, dropped, or rewritten to point at an internal sinkhole. For example, one might prevent access to all domains known to be associated with malware. Traditional security technologies don't understand DNS conversations and have limited visibility into DNS communications. This creates a security gap between the moment malware initiates communication via DNS and the first time a traditional firewall inspects the client's web traffic. A DNS security layer including RPZ functionality is needed to fill this gap. To find out more about what this means you can attend our upcoming Cricket Liu Live event.
- Monitoring DNS queries: In addition to making sure all patches are installed in a timely manner to prevent ransomware from exploiting vulnerabilities in old software, monitoring DNS queries to detect communications to killswitch domains is key. In the case of WannaCry, permitting the infected client to successfully connect to the killswitch domain would have prevented the encryption function from executing. One best practice for countering this attack is to redirect requests for these killswitch domains to an internal sinkhole. Note the difference from ordinary blocking: WannaCry tests the killswitch with an HTTP request and only stands down if that request succeeds, so the sinkhole must accept the connection rather than merely resolve the name, and a host that cannot reach it directly (for example, one that can only reach the web through a proxy the malware does not use) will proceed to encrypt. To stay on top of killswitch domains, access to threat intelligence and staying up to date on security events is critical.
- Using consolidated, curated and updated threat intelligence in the DNS infrastructure and in other existing security infrastructure will provide protection against new malicious domains, IPs and URLs. For example, a number of Necurs DGA and C&C domains used in the Jaff ransomware attack were already added to Infoblox threat intelligence feeds back in April, so customers of Infoblox were already protected against Jaff before the attack emerged.
- Visibility and Discovery: Knowing what's on the network is as important as securing what's on the network. According to the SANS critical security controls, an inventory of authorized and unauthorized devices is where organizations should start when they are thinking about security. Infoblox provides visibility and discovery of the entire physical, virtual and cloud infrastructure. It automatically discovers new networks and IP addresses and adds or syncs them to the IPAM, including information about subnets, devices and end-host attributes, for a comprehensive and accurate view of the network.
- DNS, DHCP and IPAM data: Given where DDI sits in the network, it has valuable data about device activity and actionable network context (what type of device it is, where it is in the network, who it is assigned to, lease history). This information can be used for detailed visibility into infections and for prioritizing remediation: a DNS query log alone names an IP address, while the DHCP lease history says which device held that address at the time of the query. In addition to providing the ability to export this data to your existing SIEM or other analytics solution, Infoblox offers out-of-the-box reports with these capabilities.
- Working together as part of one security ecosystem is critical to threat detection and incident response. When network and security tools work in unison and share critical information automatically, it becomes much easier for SOC teams to contain threats. When Infoblox detects something malicious, a new device or a new virtual workload on the network, it automatically shares that event information and context with existing security infrastructure such as next-gen endpoint security, SIEM, vulnerability scanners and NAC solutions. This triggers the security tools to either scan the device for vulnerabilities or prevent access to the network until it is deemed compliant with policy.
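As an added example (not Infoblox code and not from the original post), the following Python script ties the monitoring, DDI-context and RPZ points above together: it scans constructed BIND-9-style DNS query log lines for queries to the WannaCry killswitch domain (plus a constructed placeholder domain standing in for a threat-feed entry, subdomains included), attaches the DHCP lease that was active for the querying IP at that moment so each hit names a device rather than an address, and emits the RPZ records that would redirect those domains to an internal sinkhole. The log formats, the hostnames, the sinkhole name sinkhole.corp.example and the year used to complete the syslog timestamps are all assumptions.

```python
"""Added example (not Infoblox code): flag DNS queries for watchlisted
domains, attach DHCP lease context, and emit matching RPZ records.
Log formats, hostnames and the sinkhole name are assumptions."""
import re
from datetime import datetime

# WannaCry killswitch domain from the post; "c2.malicious.example" is a
# constructed placeholder standing in for a threat-feed domain.
WATCHLIST = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com": "wannacry-killswitch",
    "c2.malicious.example": "constructed-c2",
}
# Assumed internal sinkhole. For the WannaCry case it must accept the
# HTTP connection, not merely resolve: the sample exits only if the
# request succeeds.
SINKHOLE = "sinkhole.corp.example."

# Constructed BIND-9-style query log lines (format is an assumption).
QUERY_LOG = """\
12-May-2017 10:21:03.412 client 10.1.2.3#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.1)
12-May-2017 10:21:03.500 client 10.1.2.3#51240: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.1)
12-May-2017 10:21:09.002 client 10.1.2.7#40001: query: update.microsoft.com IN A + (10.1.0.1)
12-May-2017 10:25:44.870 client 10.1.2.9#49876: query: c2.malicious.example IN A + (10.1.0.1)
"""

# Constructed ISC dhcpd-style lease events (format is an assumption;
# syslog lines carry no year, so one is supplied when parsing).
DHCP_LOG = """\
May 12 09:58:10 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 00:11:22:33:44:55 (LAPTOP-ALICE) via eth0
May 12 10:15:00 dhcp1 dhcpd: DHCPACK on 10.1.2.9 to aa:bb:cc:dd:ee:01 (KIOSK-LOBBY) via eth0
May 12 10:30:00 dhcp1 dhcpd: DHCPACK on 10.1.2.3 to 66:77:88:99:aa:bb (LAPTOP-BOB) via eth0
"""

QUERY_RE = re.compile(
    r"^(\S+ \S+) client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN \S+")
DHCP_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) \((\S*)\)")


def watchlist_hit(qname):
    """Label for qname if it is a watchlisted domain or a subdomain of one."""
    name = qname.rstrip(".").lower()
    for domain, label in WATCHLIST.items():
        if name == domain or name.endswith("." + domain):
            return label
    return None


def parse_queries(text):
    """(timestamp, client IP, qname) for each query-log line that parses."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            out.append((ts, m.group(2), m.group(3)))
    return out


def parse_leases(text, year=2017):
    """(timestamp, IP, MAC, hostname) for each DHCPACK, oldest first."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            leases.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(leases)


def lease_at(leases, ip, when):
    """Most recent DHCPACK for ip at or before `when`. Lease history
    matters: by the time an analyst looks, the IP may belong to another host."""
    best = None
    for ts, lease_ip, mac, host in leases:
        if lease_ip == ip and ts <= when:
            best = (mac, host)
    return best


def find_hits(query_log, dhcp_log):
    """Watchlist hits from the query log, each enriched with the device
    that held the client IP when the query was made."""
    leases = parse_leases(dhcp_log)
    hits = []
    for ts, client, qname in parse_queries(query_log):
        label = watchlist_hit(qname)
        if label is None:
            continue
        lease = lease_at(leases, client, ts)
        hits.append({
            "time": ts.isoformat(), "client": client, "qname": qname,
            "label": label,
            "mac": lease[0] if lease else None,
            "host": lease[1] if lease else None,
        })
    return hits


def rpz_records(watchlist, target=SINKHOLE):
    """RPZ zone records that rewrite each listed domain and its
    subdomains to the sinkhole (RPZ local data via CNAME)."""
    recs = []
    for domain in watchlist:
        recs.append(f"{domain} CNAME {target}")
        recs.append(f"*.{domain} CNAME {target}")
    return recs


if __name__ == "__main__":
    for hit in find_hits(QUERY_LOG, DHCP_LOG):
        print(hit)
    print("\n".join(rpz_records(WATCHLIST)))
```

Two design choices are worth noting. The lease lookup is done against lease history at the query's timestamp, not against the current lease table, because a DHCP address can change hands between the query and the investigation (in the constructed data, 10.1.2.3 moves from LAPTOP-ALICE to LAPTOP-BOB nine minutes later). And the same watchlist drives both the detection and the generated RPZ records, so the two cannot drift apart; the records are loaded into a BIND response policy zone named in a `response-policy { zone "..."; };` statement in named.conf, and the rewrite then happens at resolution time.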
The past several attacks have demonstrated the increasing sophistication of the attackers and their attacks, and there is no silver bullet to prevent them. The list above reflects the comprehensive nature of the response required to match that sophistication.
To try out Infoblox's Secure DNS solutions, which can help provide protection against ransomware, DNS-based data exfiltration and more, sign up for a free 30-day eval: