Breaches Using DNS TXT Records Thwarted By Global Telecommunications Provider


THE CHALLENGE

A major telecommunications provider in Europe found itself under attack from a threat actor using DNS TXT records as the channel to its command and control servers, with the queries directed at specific domains and IPs. A TXT record (short for text record) is a type of resource record in the Domain Name System (DNS) that lets arbitrary text be associated with a host or other name, such as human-readable information about a server, network or data center, or other accounting information.

Threat actors abuse this: a TXT record can carry large unstructured strings (and EDNS(0) raises the size limit of the DNS message itself), so an infected host can send encoded data out in its queries and receive encoded instructions back in the responses.

The incumbent way to detect an attack of this nature is a rule that fires on the occurrence of specific IPs and domains. This is an imprecise mechanism: it leaves the enterprise exposed the moment the threat actor modifies the attack by changing the IPs and domains in use. A more precise mechanism is to examine the DNS TXT traffic itself. Unfortunately, most incumbent systems are not able to store DNS information (it is cost prohibitive), nor to detect these queries in real time.

This prevents businesses from looking for the behaviour itself, TXT queries going out at a high rate, and leaves them stuck with rudimentary mechanisms of threat detection.

THE SOLUTION

By adopting VASA by RANK Software, the business was able to detect these threats more precisely by looking for the behaviour of hitting domains and IPs at a high rate. VASA ingests network data in real time and extracts all the protocol information from each network packet, including DNS information. All ingested data is stored within VASA without any loss of fidelity, allowing threat hunters to query it and write rules to detect threats across their entire trove of enriched network data.

In this case, VASA enabled the enterprise to look for a high rate of DNS TXT requests (which captured the behaviour of this threat actor) and returned all the IPs and domains that were being hit. This insulated the enterprise from the likely next move of the threat actor: changing the IPs and domains used in the attack. In addition to accurately detecting the behaviour, VASA helped the business find other non-compliant users of DNS TXT, including employees running browser-based BitTorrent clients.
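The two approaches contrasted above, an indicator rule keyed on specific domains versus a behavioural rule keyed on the rate of TXT queries per source, written out as an added Python example. This is illustration code for this page, not part of the original case study and not RANK's or VASA's implementation. The DNS telemetry is constructed, the 20-queries-per-60-seconds threshold is an assumed starting point, and the two-label domain reduction is a simplification an operator would replace with the Public Suffix List.

```python
"""Indicator rule vs. behavioural rule for DNS TXT abuse (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DnsQuery:
    ts: float    # epoch seconds
    src: str     # client that issued the query
    qname: str   # name queried
    qtype: str   # record type, e.g. "A" or "TXT"


def registered_domain(qname: str) -> str:
    """Reduce a name to its last two labels ('x.c2.example' -> 'c2.example').

    Assumption for this example; production code would consult the Public
    Suffix List so that 'host.co.uk' is not reduced to 'co.uk'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def ioc_rule(queries: Iterable[DnsQuery], bad_domains: Set[str]) -> Dict[str, Set[str]]:
    """Atomic indicator rule: flag a source only when it queries a listed domain.

    Misses the attack as soon as the operator rotates to a new domain.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for q in queries:
        dom = registered_domain(q.qname)
        if dom in bad_domains:
            hits[q.src].add(dom)
    return dict(hits)


def txt_rate_alerts(queries: Iterable[DnsQuery], window_s: float = 60.0,
                    threshold: int = 20) -> Dict[str, dict]:
    """Behavioural rule: flag a source whose TXT query count in any sliding
    window of `window_s` seconds exceeds `threshold`, whatever the domain.

    Returns {src: {"peak_rate": count, "domains": [registered domains hit]}},
    so the indicators fall out of the behaviour rather than the other way round.
    """
    by_src: Dict[str, List[DnsQuery]] = defaultdict(list)
    for q in queries:
        if q.qtype.upper() == "TXT":
            by_src[q.src].append(q)

    alerts: Dict[str, dict] = {}
    for src, txt_queries in by_src.items():
        txt_queries.sort(key=lambda q: q.ts)
        window: deque = deque()
        peak = 0
        for q in txt_queries:
            window.append(q)
            # Drop queries that have fallen out of the sliding window.
            while q.ts - window[0].ts > window_s:
                window.popleft()
            peak = max(peak, len(window))
        if peak > threshold:
            alerts[src] = {
                "peak_rate": peak,
                "domains": sorted({registered_domain(q.qname) for q in txt_queries}),
            }
    return alerts


def build_sample() -> List[DnsQuery]:
    """Constructed DNS telemetry for the example; not captured traffic."""
    qs: List[DnsQuery] = []
    # Beaconing host: 30 TXT queries over 58 seconds. Encoded data rides in
    # the leftmost label; the domain is one the operator rotated to, so it is
    # absent from the stale indicator list below.
    for i in range(30):
        qs.append(DnsQuery(1000.0 + 2 * i, "10.0.0.5",
                           f"{i:04x}d2b4.c2-rotated.example", "TXT"))
    # Ordinary host: web browsing plus a single legitimate TXT lookup (SPF).
    for i, name in enumerate(["www.example", "cdn.example", "img.example"]):
        qs.append(DnsQuery(1001.0 + 5 * i, "10.0.0.9", name, "A"))
    qs.append(DnsQuery(1020.0, "10.0.0.9", "mail.example", "TXT"))
    return qs


# Stale indicator list: the operator has already moved on from this domain.
STALE_IOCS = {"c2-old.example"}

if __name__ == "__main__":
    sample = build_sample()
    print("IOC rule:     ", ioc_rule(sample, STALE_IOCS))   # {} : the attack is missed
    print("TXT-rate rule:", txt_rate_alerts(sample))
```

The indicator rule returns nothing for the sample because its list names the old domain, while the rate rule flags 10.0.0.5 and hands back the rotated domain as a by-product. Expect legitimate high-rate TXT users too: mail servers resolving SPF, DKIM and DMARC records, ACME validators, and (as the case above found) BitTorrent clients; baseline the threshold per host role and treat hits as hunting leads rather than verdicts.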

THE RANK DIFFERENCE

RANK is uniquely able to deliver this solution through:

  • An ability to write rules and detect TTPs (Tactics, Techniques and Procedures)
  • Real-time security analytics
  • Hunting for tactics, techniques and procedures instead of simply looking at specific, atomic events
