Case Study: U.S. Logistics Company

The Customer

The U.S. logistics company has an annual revenue of nearly $69 billion. If it were a private company, it would rank 43rd in the 2015 Fortune 500 and 137th in the 2015 Global Fortune 500 list.
To support its massive operational footprint of nearly 32,000 facilities and over half a million employees, the logistics company has one of the world’s largest computer networks.

Technology is at the center of the company’s business strategy. It uses the world’s most advanced tracking and information systems to speed the flow of mail and packages throughout its network, creating literally billions of data points (and DNS queries) every day. The company leverages advanced data analytics to empower employees and customers, creating new products and services to spur growth.

The logistics company has long recognized the value of DNS to its core network operations. In 2008, the company used BlueCat’s DNS Integrity product to centralize and automate core DNS functions. This streamlined its DNS architecture, dramatically increased the stability of its network, and created the foundation for higher-level initiatives such as self-service provisioning and automation. Moving to a centralized DNS architecture also allowed the company to easily implement the DNS-related controls required by NIST 800-53, which the company uses as a guideline.

The Challenge

With a centralized architecture in place, the logistics company began to look at ways that DNS could solve a series of long-standing cybersecurity challenges.

Visibility into internal network traffic

Networking staff deployed a sophisticated set of boundary-level filters and firewalls to control outbound network traffic. Yet underneath that boundary, the internal workings of the network had fewer controls, leaving the company open to advanced persistent threats and the work of malicious insiders.

Data exfiltration

The company had no mechanism to protect itself from data exfiltration through DNS tunneling, a common pathway used by malware.

Guest network visibility

The company runs a separate, walled-off network for on-site contractors, but had no mechanism to monitor or block malicious activity on this network.

Forensic investigations

The network team was often tasked with assisting in forensic investigations by the cybersecurity staff or Inspector General’s office. Combing through data logs and correlating activity across multiple domains was a serious drain on productivity and delayed action on the Inspector General’s significant caseload.

SIEM data

The cybersecurity team uses Splunk as its “single pane of glass” to monitor and act on potential security vulnerabilities. Cybersecurity staff wanted to add DNS data as a threat indicator in Splunk.

The Solution

BlueCat approached IT managers with a proposal to leverage its centrally managed DNS architecture to gain new visibility into patterns of network activity.

BlueCat proposed a pilot deployment of DNS Edge, a client-facing DNS security system. With DNS Edge in place, network administrators would gain full visibility into both internal (“east-west”) and external (“north-south”) DNS traffic. Using that strong source of intelligence, DNS Edge would provide the ability to implement security policies which block, monitor, or redirect DNS queries. The comprehensive logs of DNS information produced by DNS Edge would also make forensic investigations and real-time monitoring of network operations simpler.

In 2018, BlueCat went live with the first implementation phase of DNS Edge on the logistics company’s network. BlueCat also deployed DNS Edge with a Splunk integration, allowing security users to ingest and analyze anomalous DNS data across the enterprise for the first time. BlueCat delivered training to the network and security teams, certifying them in the operation of DNS Edge, use of security policies, and techniques for monitoring malicious network activity.

The Impact

DNS Edge produced immediate results on all of the logistics company’s targeted initiatives.

Before DNS Edge | After DNS Edge
No visibility into internal network traffic | DNS Edge monitors ~3.2m internal queries per day; security policies automatically block malicious/anomalous behavior
No mechanism to identify or block data exfiltration through DNS | DNS Edge blocks tunneling, domain generation algorithms and other data exfiltration signatures; ~720 blocks per hour
Forensic investigation response time averages eight days due to data correlation challenges | Searchable log of all DNS data (queries and responses) allows correlation of relevant data in an average of six hours
No visibility into activity on the guest network; no ability to enact security policies on the guest network | DNS Edge monitors and applies security policies to all devices on the guest network
DNS data not available in Splunk | DNS Edge provides relevant DNS data for analysis in Splunk, with a connection back to real-time mitigation in the DNS Edge UI

DNS Edge Security Findings

Following an initial data collection period, BlueCat and the security team conducted a joint review of anomalies and potential issue areas identified by DNS Edge. This review showed a series of serious threats which required immediate mitigation.

Threat #1: Cryptocurrency Mining

The review of DNS Edge data showed queries to known cryptocurrency mining sites. This was an indication that malware was using the company’s computing resources to produce cryptocurrency, exporting the results to remote servers. The mining operations were highly coordinated and targeted, occurring largely at times of day when use of computing resources was low and the activity less likely to be discovered.

The company’s existing firewall settings were able to treat the symptoms of cryptojacking, but not eliminate the underlying problem. The firewall effectively blocked the return of cryptomining results to the remote server, based on blacklists applied to payload data.

Yet the firewall failed to block DNS-based command and control functions, and was unable to identify the source IP of infected devices. The clients were still infected and using up valuable computing resources, even if the results of that compute weren’t making it to the outside internet.

With the comprehensive client-facing logs produced by DNS Edge, the cybersecurity team was able to quickly associate cryptojacking activity with individual devices and direct its remediation activity accordingly. With the security policy functions of DNS Edge, the company was able to disrupt the full range of communication between the cryptojacking software and remote servers.

Threat #2: IoT Devices

The logistics company uses a significant number of connected devices and sensors as part of its daily operations. These can include everything from mail sorters to security cameras to mobile phones. While these devices increase productivity and provide a great deal of useful data to the enterprise, they also represent a cybersecurity risk.

During the deployment of DNS Edge, the company discovered potentially malicious activity originating from IoT devices. Several devices on its network were constantly beaconing to foreign servers. This activity may ultimately prove benign (the software could be searching for routine updates), or additional investigation might demonstrate a command and control relationship.

Context is critical to determining whether beaconing activity is malicious or not. DNS Edge provided the company’s networking and cybersecurity staff the information they needed to decide how they were going to treat this activity:

  • DNS Edge provided the source IP address, allowing IT staff to locate which device was beaconing to foreign servers
  • DNS Edge provided the query type, indicating what sort of information the device was seeking
  • DNS Edge provided the response information, which shows how the remote server directed the IoT device

Using this contextual data, the logistics company is now in a position to quickly perform the necessary investigation and mitigate any potential risks to the network.

Threat #3: DNS Tunneling and Exfiltration

DNS tunneling is a method of data transfer which embeds substantive information inside otherwise normal DNS queries. Not all uses of DNS tunneling are malicious; in fact, many anti-virus software systems use DNS tunneling for updates. Yet DNS tunneling is often used by malware for data exfiltration, and can be difficult to identify. Gaining visibility into the extent of DNS tunneling and the context around it is critical.

Using DNS Edge, network administrators were able to identify the extent of DNS tunneling activity on their network for the first time. With a comprehensive view of the source IP, destination, and response from this activity, administrators will be able to sort out malicious DNS tunneling from legitimate use.

As a picture of “normal” DNS tunneling emerges over time, network administrators will be able to compose granular security policies which monitor, block, or redirect suspicious DNS tunneling activity. These security policies close a significant data exfiltration loophole in the network.
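As an added illustration (not part of the case study and not BlueCat's code), the two patterns discussed above, fixed-interval beaconing from the IoT section and encoded-payload tunneling from this section, can be surfaced from client-facing DNS query logs with simple per-source heuristics. The log lines, addresses, domains and thresholds below are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log, not case-study data: "timestamp src qname qtype". 10.0.5.7 sends hex
# payload labels under one domain (tunneling); 10.0.9.2 hits one name on a fixed timer (beaconing); 10.0.1.4 is ordinary.
SAMPLE_LOG = """\
2018-06-01T02:00:00 10.0.5.7 3a7f9e1c4b2d80653a7f9e1c4b2d8065.ex.example.net TXT
2018-06-01T02:00:01 10.0.5.7 c1e9f7a3d5b02468c1e9f7a3d5b02468.ex.example.net TXT
2018-06-01T02:00:02 10.0.5.7 fedcba9876543210fedcba9876543210.ex.example.net TXT
2018-06-01T02:00:00 10.0.9.2 update.sensor-vendor.example.com A
2018-06-01T02:10:00 10.0.9.2 update.sensor-vendor.example.com A
2018-06-01T02:20:00 10.0.9.2 update.sensor-vendor.example.com A
2018-06-01T02:30:00 10.0.9.2 update.sensor-vendor.example.com A
2018-06-01T02:03:17 10.0.1.4 www.example.org A
"""

def shannon_entropy(s):
    n, counts = len(s), Counter(s)
    return -sum(v / n * math.log2(v / n) for v in counts.values())

def parse_log(text):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), s, q.lower().rstrip("."), qt) for t, s, q, qt in rows]

def find_tunneling(records, min_labels=3, min_entropy=3.5, min_len=20):
    """Flag (src, domain) pairs whose leftmost labels look like encoded payload."""
    labels = defaultdict(set)
    for _, src, qname, _ in records:
        # Last two labels stand in for the registrable domain; real code would use the public suffix list.
        labels[(src, ".".join(qname.split(".")[-2:]))].add(qname.split(".")[0])
    hits = {}
    for key, ls in labels.items():
        if (len(ls) >= min_labels and mean(map(shannon_entropy, ls)) >= min_entropy
                and mean(map(len, ls)) >= min_len):
            hits[key] = {"labels": len(ls), "payload_chars": sum(map(len, ls))}
    return hits

def find_beacons(records, min_gaps=3, max_cv=0.1):
    """Flag (src, qname) pairs queried at near-constant intervals; value is the period in seconds."""
    seen = defaultdict(list)
    for ts, src, qname, _ in records:
        seen[(src, qname)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_gaps and mean(gaps) > 0 and pstdev(gaps) <= max_cv * mean(gaps):
            hits[key] = mean(gaps)
    return hits
```

A flagged pair is a lead, not a verdict: the response data and the device's role (for instance a vendor update host queried on a timer) decide whether it is benign, which is the triage the text describes.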