DNS and the Challenge of Advanced Persistent Threats

Most cyber attacks are the online equivalent of a smash-and-grab robbery.

Most cyber attacks are the online equivalent of a smash-and-grab robbery. Criminals tend to leave shortly after finding the information they are looking for, restricting network functionality, or performing an act cyber vandalism.

“Advanced persistent threat” is a term used for the opposite of a smash-and-grab. It’s the “long con” of cyber attacks. A term originally coined by the US military, advanced persistent threats are a breed of malicious network activity that require a new defensive posture. Often used by foreign intelligence services, they are the most common weapon of choice for attacks against critical infrastructure.

In an advanced persistent threat, malware is inserted onto the network and then left there, undetected, for months or even years. During this time, the malware may simply be dormant, or it may slowly search through the network for something worth stealing. When malicious actors decide the time is right, they move into the active phase of the attack, triggering the malware to execute on their long-term plan.

Advanced persistent threats are notoriously difficult to detect, and even harder to protect against. Since this kind of threat is internal and may not ping an outside network, the tactics used by detection software, filters and firewalls aren’t always effective.

Internal Network Defense

As the core of any network’s infrastructure, DNS data can play a critical role in identifying and eliminating advanced persistent threats. Most filters and firewalls are external-facing. They only track and trace malware as it interacts with areas outside the network. A client-facing DNS-based security strategy, on the other hand, can monitor and intercept threats as they move around inside a network.

Using DNS for internal network defense can also help to associate malicious activity with a particular client or server. Where an external-facing firewall, filter, or SIEM might alert IT security personnel that something isn’t right, a client-facing DNS monitoring system will pinpoint the infected computer directly, allowing administrators to take concrete action to mitigate the threat.

DNS infrastructure also offers the opportunity to set policies that can prevent the spread of advanced persistent threats within a network. If malware is designed to scan internal network drives for sensitive data, a DNS policy can prevent those connections by shutting down network traffic that originates from clients without a need to access that information. Even on clients with privileged access to sensitive data, DNS pattern analysis can often detect behavioral aberrations, the signatures of malware, and mitigate the threat.

Advanced persistent threats are a growing concern in the cyber security community – and for good reason. They are designed precisely to seep into network infrastructure in ways that are difficult to detect. A layered security strategy that includes the ability to monitor internal DNS traffic and set policies accordingly offers a stronger defense against this insidious threat.

Heading into the cloud?

See how your network can thrive in the complexity of the cloud.

Find answers to all your cloud-related questions.

Access cloud resources

Read more

Everything you need to know about shadow IT

When users implement their own solutions behind the IT team’s back, that’s shadow IT. Learn about the risks and how to manage and reduce it with BlueCat.

Read more
Five network pros’ manual error horror stories

Members of BlueCat’s Network VIP community detail the errors they committed, the resulting fallout, and what important lessons they learned.

Read more
10 best Ansible modules for infrastructure as code

10 (plus a bonus) Ansible automation modules that anyone—from a beginner to a power user—can leverage to transform their network infrastructure to code.

Read more
How an agency IT chief innovated amid bureaucracy

Government IT innovation isn’t easy, but Chad Sheridan did it at the USDA by removing silos, earning top-level buy-in, and moving to a product mindset.

Read more

Products and Services

From Core Network Services to multicloud management, BlueCat has everything you need to build the network you need.

Learn more