Understanding the DNS Attack Surface

Mohammed Al-Moneer, Regional Director, META at Infoblox, explains the various MITRE ATT&CK techniques that use DNS.

The MITRE ATT&CK Framework

The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework was developed and released by the MITRE Corporation in 2015. It is a comprehensive knowledge base of cyber attacker TTPs gathered from the observation of attacker behavior. MITRE is a non-profit organization that works with U.S. government agencies in a wide variety of areas.

As an important knowledge base, MITRE ATT&CK enables anyone on a cyber defense team to review and contrast attacker activity and then understand the best options for defense. In addition, there is also MITRE PRE-ATT&CK, which helps cyber defenders prevent an attack before the attacker can gain access to the network. The 15 top-level tactic categories of PRE-ATT&CK correlate to the first two stages of the Lockheed Martin Cyber Kill Chain®. PRE-ATT&CK presents the tactics, underlying techniques and procedures that a cyber attacker will use to define targets, gather information and then launch an attack.

MITRE ATT&CK introduced a lexicon that is now in common use and describes the activities of cyber attackers and the step-by-step tactics and techniques they use. This lexicon enables researchers to communicate clearly on the exact details of a threat.

MITRE ATT&CK provides a consistent method for describing current security controls and processes. This allows cyber defenders to clearly identify the nature of a threat, map that threat back to the controls that should protect against it and then ultimately determine whether that control is effective.

The MITRE ATT&CK framework supplies a comprehensive taxonomy of the post-exploitation behavior of cyber attackers. The framework provides detailed insight into attacker behavior and can be the best way to find and stop an ongoing attack before data exfiltration or destructive behavior can occur. MITRE ATT&CK can help organizations make better decisions about assessing risks, deploying new security controls and defending networks. Security vendors have also begun to integrate the MITRE ATT&CK framework into their solutions, helping researchers and analysts to more easily map the security information and events coming from these solutions to the framework.

MITRE ATT&CK has broken down the structure of attacks in a very consistent way that makes it straightforward to compare them and then determine how an attacker might have exploited the targeted network. Attacker analysis primarily focuses on their activities in terms of perimeter defense. MITRE ATT&CK takes a very focused look at attackers once they get in.

Mapping the DNS Attack Surface with MITRE ATT&CK

Everything on your networks—whether on premises, in the Cloud, Internet of Things (IoT) or mobile—will need to use DNS services. DNS provides centralized visibility and control of all computing resources, including users and servers in a micro-segment, all the way to an individual IP address. Cyber attackers can leverage unprotected DNS services in many ways.

Under the ATT&CK framework, a tactic is the goal an attacker is trying to achieve, and the techniques and sub-techniques are the ways of achieving that goal. Mitigation of these techniques and sub-techniques requires comprehensive DNS security solutions. The following MITRE ATT&CK techniques and sub-techniques explicitly define how cyber attackers will target and use DNS services.

MITRE ATT&CK Techniques That Use DNS

Let’s take a close look at the Reconnaissance tactic: gathering information that can be used to plan future attacks. MITRE ATT&CK defines two techniques (and multiple sub-techniques) in which attackers make extensive use of DNS:

• T1590: Gathering Victim Network Information
Information might include administrative data (such as IP ranges and domain names) and specifics about the network’s topology and operations.
o .001 Domain Properties: Information might include the domain(s) the victim owns, administrative data (such as names and registrars) and more directly actionable information, such as contacts (email addresses and phone numbers), business addresses and name servers.
o .002 DNS: DNS information might include registered name servers and the records that outline addressing for a target’s subdomains, mail servers and other hosts.
o .004 Network Topology: Information might include the physical and/or logical arrangement of both external-facing and internal network environments. This information might also cover specifics about network devices (such as gateways and routers) and other infrastructure.
o .005 IP Addresses: Public IP addresses might be allocated to organizations by block or as a range of sequential addresses; adversaries might attempt to determine which IP addresses are in use. IP addresses can enable an adversary to derive other details about a victim, such as the size of the victim’s organization, the victim’s physical location(s), the internet service provider and/or where and how the victim’s publicly-facing infrastructure is hosted.

• T1598: Phishing for Information
Adversaries send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information attempts to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from phishing in a general sense: the objective of the former is to gather data from the victim, but the objective of the latter is to execute malicious code.

o .003 Spear Phishing Link: Adversaries might send spear-phishing messages with a malicious link, to elicit sensitive information that can be used during targeting. Spear phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spear phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (such as Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

All of these DNS-related MITRE ATT&CK techniques and sub-techniques define areas of potential risk for your organization. If your DNS, DHCP and IPAM infrastructure is undefended, attackers will quickly discover and utilize these areas.

It is a fact that most malware and advanced threats must rely on the use or compromise of DNS to execute and complete their attack successfully, and DNS can often be used to avoid detection by standard security tools. Having a DNS security solution will close this security gap and can enhance the rest of the security ecosystem to strengthen defenses against sophisticated threats.

DNS security works at the ground level—that’s why we say it is foundational. It is designed to prevent users or devices from connecting to malicious destinations and to detect anomalous behaviors in the network, such as C&C communications, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunneling, data exfiltration and more.
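
To make the detection side concrete, the following added example (not part of the original article and not Infoblox code) scores DNS query logs for the tunneling and exfiltration patterns mentioned above. The log entries, zone names and thresholds are constructed assumptions; a production detector would tune the thresholds against baseline traffic.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample (client_ip, queried_name) pairs; not real traffic.
# 10.0.0.23 sends long hex labels to one zone, as encoded exfiltration would.
SAMPLE_LOG = [("10.0.0.5", f"{h}.corp.example")
              for h in ("www", "mail", "vpn", "git", "wiki", "intranet")]
SAMPLE_LOG += [("10.0.0.23",
                hashlib.sha256(str(i).encode()).hexdigest()[:48] + ".badzone.example")
               for i in range(6)]

def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Naive split into (subdomain, parent zone) using the last two labels.
    Assumption for brevity; real tooling should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze(log, min_unique=5, max_label=40, min_entropy=3.7):
    """Report (client, zone) pairs that trip at least two heuristics."""
    subs_seen = defaultdict(set)
    for client, qname in log:
        sub, parent = split_name(qname)
        if sub:
            subs_seen[(client, parent)].add(sub)
    findings = []
    for (client, parent), subs in sorted(subs_seen.items()):
        labels = [label for s in subs for label in s.split(".")]
        entropy = shannon_entropy("".join(labels))
        reasons = []
        if len(subs) >= min_unique:
            reasons.append("many unique subdomains")
        if max(map(len, labels)) >= max_label:
            reasons.append("long label")
        if entropy >= min_entropy:
            reasons.append("high entropy")
        if len(reasons) >= 2:  # one signal alone is too noisy to alert on
            findings.append({"client": client, "zone": parent,
                             "entropy": round(entropy, 2), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The client that resolves six ordinary hostnames trips only the unique-subdomain heuristic and is not reported, which is why the example requires two signals before raising a finding.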