Using DNS-layer security to detect and prevent ransomware attacks

This year has seen a dramatic uptick in ransomware attacks, with high-profile incidents like the Colonial Pipeline attack or the Kaseya attack dominating news cycles. The frequency and cost of these attacks have prompted many cybersecurity professionals to investigate more robust ransomware protection solutions, like DNS-layer security. But how can you make sure your organization’s security posture is as effective as possible? That’s the question we set out to answer during our Black Hat 2021 session: Using DNS-layer security to detect and block dangerous campaigns.

At Cisco Umbrella, we’ve seen plenty of cyberattacks play out across vulnerable networks. Using the data we’ve gathered while researching emerging threats – including the recent wave of ransomware attacks – our team has developed a set of solutions that maximize our use of recursive DNS servers to improve security across networks. We’re confident that this approach to DNS-layer security can help keep your network safe from bad actors as well.

Did you miss our talk? Don’t worry – you can view the recorded session online or read the highlights below:

Observing DNS-layer activity can help you identify sophisticated threats

The Domain Name System (DNS) allows clients to connect to websites, perform software updates, and use many of the applications organizations rely on. Unfortunately, the DNS layer is also one of the least secure aspects of many networks: DNS packets are rarely inspected by security protocols and they pass easily through unblocked ports. So, it only makes sense that today’s sophisticated threats – including ransomware attacks – tend to operate at the DNS layer.

Of course, just because most security teams pay little attention to DNS-layer activity doesn’t mean that you have to do the same. In fact, you can configure your recursive DNS servers to gather data useful for designing and implementing proprietary defense algorithms or performing threat hunting at scale. For example, the Cisco Umbrella DNS resolvers gather data:

  • From authoritative DNS logs that can reveal potential attacks through newly staged infrastructures, BulletProofHostings, and malicious domains, IPs, and ASNs
  • From user request patterns that can reveal in-progress attacks through compromised systems and command and control callbacks

While partnering with a prosumer DNS-layer security provider like Cisco Umbrella is always an option when it comes to data gathering, we go into more detail on configuring your own recursive DNS servers to gather this data during our presentation.

A graphic that uses arrows to illustrate DNS-layer activity flowing from any device, to recursive DNS servers, to authoritative DNS servers and then back again. Underneath the image are two bulleted lists. The first reads: "User request patterns used to detect: compromised systems, command and control callbacks, algorithm-generated domains, domain co-occurrences, and newly seen domains." The second list reads: "Authoritative DNS logs used to find: newly staged infrastructures, BulletProofHostings, and malicious domains, IPs, and ASNs."

Understanding how ransomware attacks happen can help you either prevent or mitigate threats

While the exact tactics, techniques, and procedures (TTPs) vary from scenario to scenario, most ransomware attacks tend to follow the same basic flow:

  • A client navigates to a compromised domain on the Internet, accidentally downloading a weaponized file containing a malicious program
  • The file launches an event chain designed to establish a post-exploitation framework on the affected network
  • The malicious program moves laterally to other computers on the network
  • Multiple computers are infected by the ransomware program, which encrypts all business-critical data

Starting in 2020, most ransomware attacks have added another step to the process: data exfiltration. Before encryption, the program transports business-critical data from the client’s network to the threat actor using DNS tunnels. This allows the threat actor to place additional leverage on their victim – instead of simply losing their data, companies find themselves facing the prospect of having that data leaked online or sold to the highest bidder on the dark web.

What’s more, since ransomware attacks can take as little as five hours to execute, detecting an in-progress attack can be difficult unless you have a strong DNS-layer security system designed to recognize these attacks.

Popular tools used in ransomware attacks rely on DNS-layer activity

Earlier, we mentioned how most ransomware attackers make use of the fact that network administrators don’t secure DNS-layer activity. In fact, we’ve observed that some of the most common attack frameworks rely heavily on DNS tunneling, both to gain a foothold across the network and to allow the threat actor to exfiltrate data or execute command and control attacks.

Examples of the attacks that make use of DNS tunneling techniques include:

  • The DNS beacon that originated in the CobaltStrike penetration testing tool, which is used in most high-profile ransomware attacks
  • The SUNBURST supply-chain attack, which used DNS tunneling during post-exploitation
  • The APT group OilRig, which heavily leverages data exfiltration through DNS tunnels in its cyber espionage campaigns

In our presentation, we go into more detail on the way these frameworks have been used by threat actors in the past and how they might be used in the future. But the common element these frameworks share – the use of DNS activity – is enough to suggest that DNS-layer security may become more important than ever as we prepare for upcoming attacks.

The strongest ransomware protection combines attack prevention and attack mitigation tactics

We’ve talked a lot about how the data gathered from recursive DNS servers can help identify threats. But DNS-layer security goes further than information gathering; a strong security posture should also help protect networks from attacks. At Cisco Umbrella, we configure our recursive DNS servers to do this in two ways: by preventing clients from connecting to suspicious domains – stopping attacks before they start – and by detecting unusual DNS-layer activity that could indicate an in-progress attack – allowing security teams to isolate infected systems and mitigate the damage.

Ransomware protection that prevents attacks

Using DNS-layer security to prevent ransomware attacks from occurring in the first place is an approach that many organizations favor, and with good reason: this tactic prevents any post-exploitation losses.

While the algorithms used by traditional recursive DNS servers will flag certain risky domains, this built-in defense often leaves much to be desired. It evaluates the domain’s age and reputation when determining whether a client should be allowed to connect to it, but allows bad actors to bypass these DNS-layer security protocols using staged domains in good repute.

At Cisco Umbrella, we work around this shortcoming by configuring our recursive DNS servers to flag any anomalous domains for deeper review before allowing clients to connect. This approach weeds out many more dangerous domains, minimizing the window of time in which a user is vulnerable from around 24 hours to mere minutes.

While the Cisco Umbrella team provides this service as part of our DNS-layer security offerings, we also discuss how you can configure your own resolvers to behave similarly in our presentation.

Ransomware protection that identifies in-progress attacks

While preventing the initial compromise may be the ideal form of protection, this approach is not a silver bullet. The tactics employed by threat actors constantly evolve, making it possible for certain ransomware attacks to slip past even the most tightly woven nets. This is why your DNS-layer security solution should also contain protocols that help it detect in-progress attacks.

For those looking to secure DNS activity, this involves incorporating a system that flags any anomalous DNS tunneling in a network. As mentioned earlier, most ransomware attacks make use of DNS tunneling to establish both bi-directional and unidirectional communication between an attacker and the systems on your network. If the DNS activity isn’t secure, this allows the threat actor to stay under the radar until their attack is nearly executed. But if your DNS-layer security solution carefully monitors network DNS activity, you can start mitigating the effects of an attack before they become catastrophic.
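The kind of tunnel-flagging heuristic described above, as an added example that is not part of the original post or of Cisco Umbrella's own detection logic: it aggregates resolver queries per base domain and flags domains whose subdomains are long, high-entropy and almost never repeated, which is the fingerprint of data being carried in query names. The log format, the thresholds and the `tunnel-test.invalid` domain are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (timestamp client qtype qname); not real traffic.
SAMPLE_LOG = """\
1627740001 10.0.0.5 A www.example.com
1627740002 10.0.0.5 A cdn.example.com
1627740003 10.0.0.7 TXT 3f9a1c7e0b4d5a6f8e2c.9d1b7a3f5c0e2a4b6d8f.tunnel-test.invalid
1627740004 10.0.0.7 TXT 7c2e4a6b8d0f1a3c5e7b.2f4d6a8c0e1b3d5f7a9c.tunnel-test.invalid
1627740005 10.0.0.7 TXT a1b3c5d7e9f0a2c4e6b8.0d2f4a6c8e1b3d5f7a9c.tunnel-test.invalid
1627740006 10.0.0.7 TXT 5e7a9c1b3d5f7a9c0e2b.4d6f8a0c2e4b6d8f1a3c.tunnel-test.invalid
1627740007 10.0.0.5 A mail.example.com
1627740008 10.0.0.9 A static.example.com
"""

def shannon_entropy(s):
    """Bits per character of s; encoded payloads sit near the alphabet's maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """Return (subdomain, base). Assumes the last two labels are the registrable
    base; a real deployment should use a public-suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log_text, min_queries=3, max_avg_len=30, min_entropy=3.5, min_uniq_ratio=0.8):
    """Aggregate queries per base domain and return the ones that look like tunnels."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        _ts, _client, qtype, qname = line.split()
        sub, base = split_name(qname)
        st = stats[base]
        st["n"] += 1
        st["subs"].add(sub)                      # repeated names point to caching, not tunnels
        st["len"] += len(sub)
        st["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):             # record types that carry large downstream payloads
            st["txt"] += 1
    flagged = {}
    for base, st in stats.items():
        if st["n"] < min_queries:                # too few queries to judge
            continue
        avg_len, avg_ent = st["len"] / st["n"], st["ent"] / st["n"]
        uniq = len(st["subs"]) / st["n"]
        if avg_len > max_avg_len and avg_ent > min_entropy and uniq >= min_uniq_ratio:
            flagged[base] = {"queries": st["n"], "avg_sub_len": avg_len,
                             "avg_entropy": avg_ent, "unique_ratio": uniq, "txt_like": st["txt"]}
    return flagged
```

In practice the thresholds are tuned per network, and CDN, anti-spam and telemetry domains that legitimately emit unique subdomains belong on an allowlist before the flagged list is acted on.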

Cisco Umbrella offers DNS-layer security that helps protect clients from threats now and in the future

At Cisco Umbrella, we strive to offer customers the best protection possible by combining multiple detection and remediation techniques that help them prepare for the threats coming their way. This includes reactive DNS-layer security algorithms, real-time heuristics, and real-time behavioral detection. What’s more, we strive for as much transparency as possible, providing our clients with the real-time statistics we used when deciding to block a connection to a domain.

Want to learn more about how Cisco Umbrella makes use of DNS-layer security to protect clients from ransomware attacks? Listen to our full Black Hat 2021 presentation!
