Most companies put serious effort into preventing cyber-attacks. Despite preventive measures, one should be aware that an internal system or host can still be compromised. PCs, laptops, servers, printers, or Internet of-Things devices mainly use Domain Name Servers (DNS) to initiate actual communications with other internal systems and / or the Internet. However DNS is also misused by hackers to hide communications. For example, malware on an infected host may make use of the DNS to connect to its command-and-control infrastructure. An Advanced Persistent Threat (APT) has been discovered recently which abused DNS: Carbanak. This attack lasted for months and was not discovered by any commercial security product. In order to detect internal machines that are infected with such malware it is beneficial to monitor DNS traffic.
Our real-time DNS monitoring solution detects deviations from normal behavior in DNS data traffic which can indicate fraud or malware. It sends these events to a Security Information and Event Manager (SIEM) or other destinations, where they can be combined with other security-related information, thereby enabling richer SIEM detection rules.
Our real-time DNS monitoring solution utilizes a combination of anomaly detection approaches. One of these algorithms focusses on the “Domain Generation Algorithms” (DGA) used by some malware that generate a large number of domain names to remain undetected and difficult to block via blacklists. Our algorithm calculates the likelihood of a domain name being generated from a DGA in a DNS request.
Detected events are send to the SIEM, where they can be combined with other security-related information, thereby enabling richer SIEM detection rules. The number of events to the SIEM can be managed by configuring the statistical thresholds of the used algorithms. The developed algorithms have already shown benefits in complementing regular malware detection tools.
Our solution can be integrated into security products such as intrusion detection systems (IDS), firewalls, and anti-virus products.
The current global cyber security market is worth more than US$120 billion. The estimated yearly growth rate until 2021 is about 10-12%. The cyber security market is extremely competitive. Vendors are competing based on the effectiveness of their products. Our solution can increase the detection rate of their product, thus making their value proposition more attractive to potential customers.
For a large number of security products that currently do not monitor DNS traffic, this makes companies vulnerable to DNS-based malware attacks. The Carbonak case shows that the lack of adequate security measures can cause millions of dollars in damages. This could have been prevented with our real-time DNS monitoring solution.