DNS and the Challenge of Advanced Persistent Threats

Most cyber attacks are the online equivalent of a smash-and-grab robbery.

Most cyber attacks are the online equivalent of a smash-and-grab robbery. Criminals tend to leave shortly after finding the information they are looking for, restricting network functionality, or performing an act cyber vandalism.

“Advanced persistent threat” is a term used for the opposite of a smash-and-grab. It’s the “long con” of cyber attacks. A term originally coined by the US military, advanced persistent threats are a breed of malicious network activity that require a new defensive posture. Often used by foreign intelligence services, they are the most common weapon of choice for attacks against critical infrastructure.

In an advanced persistent threat, malware is inserted onto the network and then left there, undetected, for months or even years. During this time, the malware may simply be dormant, or it may slowly search through the network for something worth stealing. When malicious actors decide the time is right, they move into the active phase of the attack, triggering the malware to execute on their long-term plan.

Advanced persistent threats are notoriously difficult to detect, and even harder to protect against. Since this kind of threat is internal and may not ping an outside network, the tactics used by detection software, filters and firewalls aren’t always effective.

Internal Network Defense

As the core of any network’s infrastructure, DNS data can play a critical role in identifying and eliminating advanced persistent threats. Most filters and firewalls are external-facing. They only track and trace malware as it interacts with areas outside the network. A client-facing DNS-based security strategy, on the other hand, can monitor and intercept threats as they move around inside a network.

Using DNS for internal network defense can also help to associate malicious activity with a particular client or server. Where an external-facing firewall, filter, or SIEM might alert IT security personnel that something isn’t right, a client-facing DNS monitoring system will pinpoint the infected computer directly, allowing administrators to take concrete action to mitigate the threat.

DNS infrastructure also offers the opportunity to set policies that can prevent the spread of advanced persistent threats within a network. If malware is designed to scan internal network drives for sensitive data, a DNS policy can prevent those connections by shutting down network traffic that originates from clients without a need to access that information. Even on clients with privileged access to sensitive data, DNS pattern analysis can often detect behavioral aberrations, the signatures of malware, and mitigate the threat.

Advanced persistent threats are a growing concern in the cyber security community – and for good reason. They are designed precisely to seep into network infrastructure in ways that are difficult to detect. A layered security strategy that includes the ability to monitor internal DNS traffic and set policies accordingly offers a stronger defense against this insidious threat.

Critical conversations on critical infrastructure

Find out how your peers are managing their networks through profound change. Watch this series of live interactive discussions with IT pros & join the debate in Slack.

Join the conversation

Read more

Six non-hype network automation lessons from IT pros

Five IT pros get real about network automation during the first Critical Conversation on Critical Infrastructure hosted in the Network VIP community.

Read more
BlueCat’s DDI Adaptive Plugins and Applications help IT teams better leverage ServiceNow, Ansible, Microsoft, and more

A growing suite of Adaptive Plugins and Applications will help automate existing BlueCat capabilities along with adjacent customer technologies.

Read more
BlueCat appoints Stephen Devito as Chief Executive Officer

BlueCat, the Adaptive DNS Company™, today announced that Stephen Devito has been named Chief Executive Officer effective September 11, 2020.

Read more
Technical Know-How: Deploying DDNS with BlueCat

Dynamic DNS automatically updates DNS records when an IP address changes. Learn how to deploy DDNS on the BlueCat Address Manager and DNS/DHCP server.

Read more

Subscribe to our blog

Products and Services

From Core Network Services to multicloud management, BlueCat has everything you need to build the network you need.

Learn more