Hyas Blog | Detecting and Blocking DNS Tunneling in OT Environments

In previous posts, we have discussed how most malware must employ the domain name system (DNS) at some point in its attack, and how protective DNS (PDNS) solutions can detect this behavior and block those DNS requests. In these cases, while the DNS requests and responses involved in an attack are facilitating communication with malicious intent, the protocol itself is working exactly as it was designed to. However, there is a different category of DNS-based attacks that exploits features inherent to the protocol itself, one of which is DNS tunneling. This can be especially troubling when the attacks target OT networks, as their effects can reach beyond the target organization and affect the public at large.

What Is DNS Tunneling?

DNS tunneling is a way to exchange data between an infected networked device and an outside entity using only normal-looking DNS requests and responses. This is a relatively reliable attack vector because, no matter the environment — IT or OT — most devices use DNS. After all, DNS is essentially the glue holding the internet together, letting people navigate it in a user-friendly way while ensuring requests are fulfilled quickly and accurately. This ubiquity means DNS infrastructure attacks can be used to target a variety of devices and can generally traverse networks unnoticed. This can be especially destructive when the targets in question are OT networks: not only can such attacks interrupt the money-making side of a business, they can also have real-world repercussions, such as outages (power, water, telecommunications), spills (oil, chemical, etc.), fires, explosions, or evacuations.

In an OT environment, a surprising number of devices employ DNS, even if you think they aren’t accessing the internet. Time synchronization via NTP, software and firmware updates, and alert messaging are all functions that potentially rely on DNS.

How Does DNS Tunneling Work?

Many security platforms record DNS traffic but don’t actively monitor it. Because of this, DNS traffic is allowed to traverse networks relatively freely. DNS tunneling generally works by encoding data into the hostname labels of DNS queries to exfiltrate it, and by using the resource record of a DNS response packet to receive data from its command and control (C2). The content of the requests isn’t inspected, so they look like legitimate DNS requests. The only way to root out this malicious communication is by having full network visibility at the DNS level.

But this is not the only method of DNS tunneling. In a scenario I set up for our new webinar on DNS tunneling threats to OT networks, I used a slightly different approach to transmit data. Using a wildcard domain, our imaginary bad actor can transmit data from a target machine by adding it to the request as subdomain information. So if, for instance, sinisterautomation.com is the hypothetical domain controlling the attack, it could receive data in the form of: <stolen>.<information>.sinisterautomation.com. The threat actor could then use a script to automatically compile all of the strings of data they received into meaningful data. 

As DNS tunneling works by piggybacking malicious data onto legitimate DNS requests, it must operate within the confines dictated by the protocol. Because of this, only a maximum of 512 bytes of data can be transferred per request. This is a paltry amount, which means it takes a massive number of requests to transfer anything meaningful. A protective DNS solution can monitor DNS traffic for irregular patterns, such as a sudden, inexplicable increase in the number of requests from a device or beaconing behavior, to identify tunneling attacks and cut them off immediately.
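The two traits described above, data packed into long random-looking subdomains under one wildcard domain and an unusually large number of unique queries from a single device, are exactly what a monitoring rule can key on. The following is an added example of such a heuristic detector, written for this post and not HYAS code. It assumes a resolver-style query log with one line per query (`epoch client_ip qname qtype`), derives the registered domain naively as the last two labels (a real deployment would use the public suffix list), and uses illustrative thresholds that would need baselining against each environment's normal traffic. The sample log is constructed inline; the suspicious entries use the post's hypothetical domain sinisterautomation.com with sha256-derived labels that merely look random and carry no data.

```python
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed sample log (not real traffic): '<epoch> <client_ip> <qname> <qtype>'."""
    lines = []
    # Benign OT-style client: a dozen ordinary lookups (NTP, updates, alerts)
    # spread over about a minute.
    benign = ["ntp.example-vendor.com", "updates.example-vendor.com",
              "alerts.example-vendor.com", "www.example.com"]
    for i in range(12):
        lines.append(f"{1700000000 + i * 5} 10.0.0.5 {benign[i % 4]} A")
    # Suspicious client: 120 unique, long, random-looking subdomains under one
    # domain within the same minute, the pattern the post describes. The labels
    # are sha256 hex chosen only to look random; they encode nothing.
    for i in range(120):
        h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(
            f"{1700000000 + i // 2} 10.0.0.9 {h[:24]}.{h[24:]}.sinisterautomation.com TXT"
        )
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client, normalized qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.rstrip(".").lower(), qtype


def split_name(qname):
    """Naive split into (subdomain part, registered domain = last two labels).
    Assumption for the example; production code should use the public suffix list."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


# Illustrative thresholds (assumptions), to be tuned per environment.
DEFAULT_THRESHOLDS = {
    "min_queries": 50,        # volume under one domain in the log window
    "min_unique_ratio": 0.9,  # almost every query carries a new subdomain
    "min_mean_len": 30,       # subdomain part is much longer than a hostname
    "min_mean_entropy": 3.0,  # subdomain text looks encoded, not human-chosen
}


def analyze_log(lines, thresholds=DEFAULT_THRESHOLDS):
    """Group queries by (client, registered domain) and score each group."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname, _ = parse_line(line)
        sub, dom = split_name(qname)
        groups[(client, dom)].append((ts, sub))

    findings = {}
    for key, entries in groups.items():
        subs = [s for _, s in entries]
        n = len(subs)
        span = max(t for t, _ in entries) - min(t for t, _ in entries)
        stats = {
            "queries": n,
            "unique_ratio": len(set(subs)) / n,
            "mean_len": sum(len(s) for s in subs) / n,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / n,
            "queries_per_second": n / span if span else float(n),
        }
        stats["suspicious"] = (
            stats["queries"] >= thresholds["min_queries"]
            and stats["unique_ratio"] >= thresholds["min_unique_ratio"]
            and stats["mean_len"] >= thresholds["min_mean_len"]
            and stats["mean_entropy"] >= thresholds["min_mean_entropy"]
        )
        findings[key] = stats
    return findings


def flag_tunneling(lines, thresholds=DEFAULT_THRESHOLDS):
    """Return the sorted (client, domain) pairs that trip every threshold."""
    return sorted(k for k, v in analyze_log(lines, thresholds).items() if v["suspicious"])


if __name__ == "__main__":
    for (client, dom), stats in sorted(analyze_log(build_sample_log()).items()):
        print(client, dom, {k: round(v, 2) if isinstance(v, float) else v for k, v in stats.items()})
    print("flagged:", flag_tunneling(build_sample_log()))
```

Each of the four signals is weak on its own (a CDN or anti-spam service also produces long hostnames), which is why the example requires all of them to agree; in practice a PDNS or resolver-side rule would additionally compare a device's query rate against its own historical baseline, since OT devices have very regular DNS habits, and would weight rarely-seen query types such as TXT or NULL more heavily.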

Combating DNS Tunneling

The DNS monitoring and filtering offered by protective DNS solutions like HYAS Protect is the most comprehensive and efficacious method of mitigating DNS tunneling risk. No matter the type or goal of the tunneling malware in question, it needs to make DNS requests to its command and control infrastructure in volume during the attack. Based on advanced threat detection and understanding of adversary infrastructure, HYAS Protect can detect this suspicious behavior and send an alert or automatically block all communication with the malware, rendering it inert.

The safety granted by HYAS Protect extends far beyond DNS tunneling. In addition to dealing with other types of malware and phishing scams, the enhanced network visibility it grants can also let administrators track down remnants of malicious code post-attack or help them enforce company policies. 

To combat threats that target DNS infrastructure, you need a solution that gives you visibility into your DNS traffic and the ability to shut down anything nefarious immediately. This is especially true in OT environments, where compromises can have massive repercussions and where older infrastructure and a lack of visibility present ripe targets. Learn more about HYAS Protect and all of the risk mitigation it offers beyond DNS tunneling by getting in touch or scheduling a demo.