While Kaspersky Lab denies the allegations and is fighting the ban in court, the Department of Homeland Security decided to take immediate action.
DHS issued Binding Operational Directive 17-01 in September 2017, ordering all Federal departments and agencies to identify and remove Kaspersky Lab software from their networks – a ban that continues to have ripple effects across the private sector as well.
In December 2017, the directive was enshrined into law by Section 1634 of the National Defense Authorization Act for Fiscal Year 2018 (Public Law 115-91), which says that “no department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by Kaspersky Lab.” Agencies were given a hard deadline of October 1, 2018 to comply with the law, and DHS was given the power to measure compliance across government agencies.
Removal leads to troubling discovery
As it happens, removing Kaspersky Lab software isn’t as simple as hitting the delete button. According to a recent report, Kaspersky Lab code is “embedded deep within infrastructure, in routers, firewalls, and other hardware—and nobody is certain how to get rid of it.”
BlueCat knows about this problem firsthand.
During a recent deployment of our DNS Edge security capability at a customer that had decided to remove Kaspersky Lab’s software, we found a great deal of activity on the network after the customer believed they had the issue under control.
DNS Edge picked up query patterns indicative of installed Kaspersky Lab software coming from clients where it was supposed to be absent. The patterns included regular lookups of the Kaspersky update servers and attempted activations. Most of these beacons were sporadic, consistent with scheduled checks for updates. A few devices were far noisier, however, resolving Kaspersky hostnames several times each day.
The customer’s existing filters, firewall, and client agents were not catching any of this activity. While these and other layers of security could have been configured to catch and alert, we believe that DNS is painfully underutilized as an obvious signal and control point. Software that depends on the network must, in the normal course of operation, resolve names through DNS, whether for appropriate or inappropriate purposes. (The exceptions are software that hard-codes IP addresses or resolves names through an external encrypted resolver, which is why resolver visibility complements egress filtering rather than replacing it.) This simple fact makes the resolver an excellent source of intelligence about what is actually happening on the network.
Leveraging DNS exposed what other solutions didn’t
Since DNS Edge is client-facing on the first DNS hop, it was able to link Kaspersky-related beaconing activity to specific IP addresses and individual devices on the network without any additional need to correlate logs or integrate with other systems. Prior to deploying DNS Edge, the customer was unaware of any beaconing activity – its external-facing firewalls either weren’t catching it or, sitting behind NAT, couldn’t pinpoint which internal host was the source.
Reviewing the DNS Edge data with the customer, BlueCat was able to point out the ongoing presence of Kaspersky Lab software on the network and identify the non-compliant devices it originated from. With DNS Edge constantly keeping track of beaconing activity, the customer can continue to track any attempts to connect with Kaspersky Lab sites. Knowing that this software may still be lurking on the network, the customer can also create security policies which monitor or block DNS queries for those domains right at the client level.
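The workflow described in the last few paragraphs (match first-hop resolver queries against a vendor's zones, attribute them to client IPs, separate sporadic update checks from frequent beaconing, and turn the result into a monitor or block policy) is small enough to show in full. The script below is an added example written for this page, not BlueCat code or DNS Edge's own policy format: the log line layout, the watchlist of zones and every log line are constructed, and the policy records are generic BIND-style RPZ rather than a DNS Edge policy.

```python
"""Added example (not BlueCat/DNS Edge code): find clients still beaconing to a
vendor's zones from first-hop DNS query logs, rate them, and render policy records."""
from collections import defaultdict
from datetime import datetime

# Assumption: the zones to watch. Suffix matching means every host under them counts.
WATCHLIST = ("kaspersky.com", "kaspersky-labs.com")

# Constructed sample of resolver query logs, not captured traffic. Assumed line format:
# "<ISO-8601 timestamp> <client IP> <query name> <query type>"
SAMPLE_LOG = """\
2018-06-04T07:55:02 10.1.4.37 updates.kaspersky.com A
2018-06-04T08:00:12 10.1.4.21 updates.kaspersky.com A
2018-06-04T08:00:15 10.1.9.8 www.example.com A
2018-06-04T11:20:44 10.1.4.37 activation.kaspersky.com A
2018-06-04T16:01:19 10.1.4.37 Updates.Kaspersky.COM. A
2018-06-05T07:58:10 10.1.4.37 updates.kaspersky.com A
2018-06-05T09:14:00 10.1.9.8 notkaspersky.com A
2018-06-05T12:30:00 10.1.4.37 updates.kaspersky-labs.com A
2018-06-05T17:45:51 10.1.4.37 activation.kaspersky.com A
2018-06-06T08:01:03 10.1.4.21 updates.kaspersky.com AAAA
2018-06-06T08:02:33 10.1.4.37 updates.kaspersky.com A
2018-06-06T13:10:05 10.1.4.37 updates.kaspersky.com A
2018-06-06T18:20:41 10.1.4.37 activation.kaspersky.com A
"""


def normalize(qname):
    """Lower-case and strip the trailing dot so 'Updates.Kaspersky.COM.' still matches."""
    return qname.rstrip(".").lower()


def matches_watchlist(qname, watchlist=WATCHLIST):
    """True if qname is a watched zone or a name under one of them.
    Compare on label boundaries so 'notkaspersky.com' does not match 'kaspersky.com'."""
    name = normalize(qname)
    return any(name == zone or name.endswith("." + zone) for zone in watchlist)


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, normalize(qname), qtype


def find_beaconing(log_text, watchlist=WATCHLIST, frequent_per_day=3.0):
    """Attribute watched-zone queries to source IPs and rate each client.

    On a first-hop resolver the client IP in the log is the device itself rather
    than a NAT gateway, so no log correlation is needed. Clients whose query rate
    reaches frequent_per_day are flagged 'frequent'; the rest are 'sporadic',
    which is what scheduled update checks look like."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _ = parse_line(line)
        if matches_watchlist(qname, watchlist):
            per_client[client].append((ts, qname))

    report = {}
    for client, hits in per_client.items():
        hits.sort()
        first, last = hits[0][0], hits[-1][0]
        # Floor the window at one day so a burst within an hour is not divided
        # by a near-zero span and reported as thousands of queries per day.
        span_days = max((last - first).total_seconds() / 86400.0, 1.0)
        rate = len(hits) / span_days
        report[client] = {
            "count": len(hits),
            "first_seen": first,
            "last_seen": last,
            "rate_per_day": round(rate, 2),
            "names": sorted({q for _, q in hits}),
            "verdict": "frequent" if rate >= frequent_per_day else "sporadic",
        }
    return report


def rpz_records(watchlist=WATCHLIST, block=True):
    """Render BIND-style response policy zone (RPZ) records for the watched zones.

    block=True answers NXDOMAIN (CNAME .); block=False is the monitor-only policy
    (CNAME rpz-passthru.) that logs the hit but lets the real answer through.
    Generic RPZ illustration, not the DNS Edge policy format."""
    target = "." if block else "rpz-passthru."
    lines = []
    for zone in watchlist:
        lines.append(f"{zone} CNAME {target}")
        lines.append(f"*.{zone} CNAME {target}")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, info in sorted(find_beaconing(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} queries, {info['rate_per_day']}/day, "
              f"{info['verdict']}, names={info['names']}")
    print(rpz_records())
```

Run against the constructed log, 10.1.4.37 is reported as frequent (nine lookups in under three days) and 10.1.4.21 as sporadic (two lookups two days apart), while 10.1.9.8 never appears because neither of its names sits under a watched zone. The same per-client report is what you would hand to the desktop team to chase the remaining installs, and the monitor-only RPZ variant is the safe first step before switching the policy to block.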
Using DNS for security needs and beyond
The use case for DNS as a confirmation mechanism goes beyond security as well. Network administrators often use DNS as a way to test whether a migration actually took. If DNS queries aren’t resolving to the right place, then something wasn’t moved or reconfigured correctly. Just as DNS Edge can trace the beaconing from the remnants of legacy software, it can also trace the “calls home” from software that was recently reconfigured or moved.
This is why DNS-based security is a vital tool for both network administrators and security departments – it verifies the effectiveness of cybersecurity measures and provides the granular visibility needed to trace any lingering issues back to specific devices, while at the same time providing visibility into “normal” network operations. DNS Edge provides shared visibility and control over internal and external DNS traffic through a single platform in order to help detect and block cyberattacks, simplify DNS operations and improve network performance.
Want to learn more about how DNS-based security can identify lingering pieces of unwanted software on your network? Delve into the details of DNS Edge here.