Facebook was, and as a result they were able to discover that they were suffering from a serious internal compromise. In the words of Facebook’s Chief Security Officer, Joe Sullivan: “The attack was discovered when a suspicious domain was detected in Facebook’s Domain Name Service request logs.“
So what is DNS and why is monitoring it an important part of keeping your organization secure?
Put simply, DNS is the system that takes friendly names like facebook.com and converts them into addresses that machines understand, like 220.127.116.11.
Watching the DNS requests being made by your systems allows you to identify network level indicators of compromise. In the case of Facebook, the domain that didn’t look right to the security team was corp-aapl.com. Facebook then worked with an unnamed third party to seize control of this domain and “sinkhole” it. This action allows the defensive team to pretend to be the botnet command and control system, in an attempt to see who connects. This tactic revealed that Apple, Twitter and Microsoft had been compromised by the same attacker.
This was some fine work on the part of Facebook, but what is the small company without a security team supposed to do?
Gunter Ollmann wrote a fantastic post called Persistent Threat Detection on a Budget that provides a high level view of how small shops can start using DNS logs to identify threats. His key points are as follows:
- Turn DNS logging on!
- Use blacklists to block obvious bad traffic
- Blacklist entire countries your organization shouldn’t be initiating traffic to
- Scrape your DNS logs at least once a week
- Log failed lookups (NX domain) as these help identify malware that uses generated domain algorithms
It may be difficult to convince your lean mean development team to take time off of knocking out stories in Pivotal to setup the necessary tech to log your DNS queries. To help them get back to coding, here are a few links to speed them on their way (updated 18 March 2013 @ 13:46 MDT with suggestions from Reddit):
- Bash script from SANS to detect anomalies in DNS logs
- SecurityOnion: LiveCD using Bro for DNS visibility
- PassiveDNS: small C based program to extract/cache DNS queries/answers from pcap
- RPZ: Bind based DNS firewall
Now if only somebody would create a software defined security service that would allow you to quickly and easily perform this type of analysis and mitigation across all of your cloud instances from the comfort of your web browser.