Attackers are using compromised credentials, usernames and passwords to log in to DNS providers and name registrars to manipulate the DNS records there so that an enterprise DNS points somewhere else instead of to an organization's own infrastructure, Skoudis said.

"In fact, what they're doing is they're manipulating the mail exchanger record so that email destined for your organization is actually being redirected to the bad guys' mail servers, so they could intercept the email that way," he told RSAC attendees.

They are also applying for TLS certificates and using certificate authorities (CAs) that allow organizations to verify that they own a domain by simply clicking on links that are sent to the email for their given domain, he said. "The bad guys will apply for a certificate at a place like Comodo or Let's Encrypt. The email goes from the CA to your enterprise, which of course is now flowing through the bad guy's mail server," he said. "They will click on the link saying 'yes, I own this domain' and then get a certificate issued."

Skoudis referenced the extensive DNS attacks waged against enterprises and government agencies recently in a campaign dubbed "DNSpionage," which was later attributed to Iranian threat actors.

Stuart McKenzie, vice president of Mandiant consulting, EMEA, at FireEye, discussed the DNS attacks on a different RSA panel and said that while the campaign involved careful planning and several stages, altering DNS records to redirect traffic isn't all that challenging.

McKenzie also said it's extremely hard to detect this type of DNS manipulation because "it happens so quickly." "You could monitor for changes in your DNS record with threat monitoring, but even if you spotted that, it's going to take an hour to tell you and you've already had an hour's worth of traffic going through."

An effective way to defend against DNS attacks, Skoudis said, is implementing multifactor authentication, or at least two-factor authentication, whenever organizations are making changes to their DNS infrastructure.

Operations personnel should also monitor for any changes publicly associated with their DNS records or any digital certificates associated with their organization, he added.

He also advised them to deploy Domain Name System Security Extensions (DNSSEC), which strengthens authentication in DNS by using digital signatures based on public key cryptography. "If you do deploy DNSSEC, remember that you need to have both signed DNS records as well as validation for those; if you deploy just half of this, you have not deployed DNSSEC," he said.

Domain fronting

Domain fronting is a technique used by attackers to obscure where the attacker is located, where the command and control is coming from, and where the bad guy is exfiltrating data to, Skoudis said. It abuses the way content delivery networks (CDNs) and cloud service providers redirect traffic.

"The way this starts is the compromised machine with the malware on it will send a DNS request for some trusted website, a trusted website that is hosted on a CDN where the attacker is also a customer - the attacker sets up some accounts on that specific CDN," he explained. "Then the malware will issue an HTTP 1.1 request with a host header asking for something other than that trusted site - it's actually asking for the attacker site, but it's inside the TLS connection, so the network defenders can't see what's inside there, it's all encrypted."

The front end for the CDN sends the request to the web server's instance that the attacker controls on the content delivery network, which then forwards that request into the attacker's origin server, he explained.

Domain fronting has shown attackers that they can host things on cloud services and still undermine many organizations, he said.
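The traffic shape Skoudis describes for domain fronting, a TLS connection whose server name (SNI) is a trusted CDN-hosted site while the HTTP Host header inside it names a different site, is only visible to a defender who terminates TLS at a proxy. The following is an added example, not code from the article or from any product it mentions: it parses constructed proxy records (the `sni=`/`host=` field layout and every hostname are assumptions), flags records where Host disagrees with SNI, exempts pairs an operator has verified as legitimate, and counts repeated mismatches per client, since the same client hitting the same mismatched pair over and over is what beaconing command and control looks like.

```python
"""Detect SNI/Host mismatches in TLS-inspecting proxy logs (domain fronting signal).

Added example for illustration; the log format and hostnames are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample records from a hypothetical TLS-inspecting proxy.
# The field names (src=, sni=, host=) are an assumption, not a vendor format.
SAMPLE_LOG = """\
2019-03-05T10:01:02Z src=10.0.0.5 sni=cdn-trusted.example host=cdn-trusted.example status=200
2019-03-05T10:01:07Z src=10.0.0.5 sni=cdn-trusted.example host=c2-front.example status=200
2019-03-05T10:02:11Z src=10.0.0.9 sni=static.example host=static.example status=304
2019-03-05T10:03:40Z src=10.0.0.5 sni=cdn-trusted.example host=c2-front.example status=200
2019-03-05T10:04:00Z src=10.0.0.12 sni=www.example host=api.example status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) sni=(?P<sni>\S+) host=(?P<host>\S+)"
)

# SNI/Host pairs an operator has verified as legitimate (constructed): some
# applications genuinely front an API through the same CDN edge as their site.
ALLOWLIST = {("www.example", "api.example")}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    sni: str
    host: str


def parse(log: str):
    """Yield one dict per well-formed record; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and strip any :port from a Host header."""
    return name.lower().rstrip(".").split(":")[0]


def is_fronted(sni: str, host: str) -> bool:
    """True when the Host header names a different site than the TLS SNI
    and the pair is not on the verified allowlist."""
    sni, host = normalize(sni), normalize(host)
    if sni == host:
        return False
    return (sni, host) not in ALLOWLIST


def find_fronting(log: str) -> list:
    return [
        Finding(r["ts"], r["src"], r["sni"], r["host"])
        for r in parse(log)
        if is_fronted(r["sni"], r["host"])
    ]


def summarize(findings: list) -> dict:
    """Count mismatches per (client, SNI, Host): repeats from one client
    against one pair are the beaconing pattern worth escalating first."""
    counts = {}
    for f in findings:
        key = (f.src, f.sni, f.host)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(find_fronting(SAMPLE_LOG)).items():
        src, sni, host = key
        print(f"{src}: SNI {sni} but Host {host} ({n} requests)")
```

Without TLS inspection the Host header is invisible, exactly as Skoudis says, and the only remaining network signals are the DNS lookup and the SNI for the trusted CDN name; in that case the check degrades to asking whether a given host has any business reason to talk to that CDN property at all, which is far noisier, so the allowlist and the per-client repeat count matter more than any single mismatch.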
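Returning to the DNS hijacking defenses above: Skoudis tells operations teams to watch for changes to their DNS records and for certificates issued in their name, and McKenzie's point is that even a good monitor reports the change after traffic has already been redirected. The following is an added example, not code from the article: it diffs a known-good baseline of NS, MX and A records and of certificate issuances against freshly observed values and raises alerts for the two cases the article describes, a mail exchanger record pointed at someone else's mail server and an unexpected certificate issued for the domain. All record values are constructed rather than resolved; in a real deployment the observed sets would be filled from a resolver and a certificate-transparency feed.

```python
"""Alert on DNS record drift and unexpected certificate issuances.

Added example for illustration; every record below is constructed, not
fetched from the network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    severity: str
    kind: str
    detail: str


# Baseline captured when the zone and its certificates were last verified (constructed).
BASELINE = {
    "NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "MX": {"10 mail.example.test"},
    "A": {"www.example.test": {"203.0.113.10"}},
}
KNOWN_CERT_ISSUANCES = {("www.example.test", "Example Trusted CA", "2018-11-01")}

# What a resolver and a certificate-transparency feed returned just now (constructed):
# the MX record now points at an unfamiliar relay and a new CA has issued a certificate.
OBSERVED = {
    "NS": {"ns1.example-dns.test", "ns2.example-dns.test"},
    "MX": {"10 mx.unknown-relay.test"},
    "A": {"www.example.test": {"203.0.113.10"}},
}
OBSERVED_CERT_ISSUANCES = {
    ("www.example.test", "Example Trusted CA", "2018-11-01"),
    ("www.example.test", "Some Other CA", "2019-03-05"),
}


def diff_records(baseline: dict, observed: dict) -> list:
    """Compare NS and MX sets and per-name A sets; an MX change is rated
    critical because it redirects mail, including CA validation emails."""
    alerts = []
    for rtype in ("NS", "MX"):
        added = observed.get(rtype, set()) - baseline.get(rtype, set())
        removed = baseline.get(rtype, set()) - observed.get(rtype, set())
        if added or removed:
            sev = "critical" if rtype == "MX" else "high"
            alerts.append(Alert(sev, f"{rtype}_changed",
                                f"added={sorted(added)} removed={sorted(removed)}"))
    for name, ips in observed.get("A", {}).items():
        base_ips = baseline.get("A", {}).get(name, set())
        if ips != base_ips:
            alerts.append(Alert("high", "A_changed",
                                f"{name}: {sorted(base_ips)} -> {sorted(ips)}"))
    return alerts


def diff_certs(known: set, observed: set) -> list:
    """Any (name, issuer, date) issuance not in the known set is an alert."""
    return [
        Alert("high", "unexpected_certificate", f"{name} issued by {issuer} on {date}")
        for name, issuer, date in sorted(observed - known)
    ]


def run_checks(baseline=BASELINE, observed=OBSERVED,
               known_certs=KNOWN_CERT_ISSUANCES,
               observed_certs=OBSERVED_CERT_ISSUANCES) -> list:
    return diff_records(baseline, observed) + diff_certs(known_certs, observed_certs)


if __name__ == "__main__":
    for a in run_checks():
        print(f"[{a.severity}] {a.kind}: {a.detail}")
```

The check is deliberately a detective control: by the time it fires, the redirected mail and the fraudulent certificate request may already have gone through, which is why the article puts multifactor authentication on registrar and DNS-provider accounts first and treats monitoring as the backstop. Note that comparing against a baseline also does nothing for the DNSSEC caveat Skoudis raises; signed records only help if your resolvers validate them.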