U.S. Logistics Company improves DNS security & visibility with BlueCat
See how a major U.S. logistics company improved DNS security, visibility, and threat mitigation using BlueCat Integrity and Edge solutions.
A U.S. logistics company with nearly $69 billion in annual revenue and a network spanning ~32,000 facilities leveraged a centralized DNS architecture and BlueCat’s DNS Edge to address long-standing cybersecurity gaps. The company used DNS Edge to gain comprehensive visibility into internal (east-west) and external (north-south) DNS traffic, integrate DNS telemetry into Splunk, and enforce security policies that block or redirect malicious DNS activity. Results included millions of internal queries monitored daily, automated blocks of tunneling and anomalous behavior, faster forensic investigations, and mitigation of threats such as cryptomining, suspicious IoT beaconing, and DNS-based data exfiltration.
How did DNS Edge improve visibility into internal network traffic and what operational impact did that have?
DNS Edge provided full visibility into both internal (east-west) and external (north-south) DNS queries, monitoring approximately 3.2 million internal queries per day for the logistics company. This client-facing logging exposed device-level source IPs, query types, and DNS responses, enabling network and security teams to correlate events and identify anomalous behavior. Operationally, this shifted the organization from having little internal traffic visibility to automated detection and blocking of malicious or anomalous DNS behavior, significantly reducing manual log correlation work and improving speed and precision of incident response.
What specific threats did DNS Edge help detect and remediate during the deployment?
During the initial data collection and joint review, DNS Edge identified three primary threat categories: cryptomining (cryptojacking) where infected clients were using corporate compute to mine cryptocurrency; suspicious IoT device beaconing to foreign servers; and DNS tunneling used for potential data exfiltration. DNS Edge enabled the team to map cryptomining activity to individual devices and disrupt communications, reveal source IPs and contextual DNS data for noisy or beaconing IoT devices to guide investigation, and detect and profile DNS tunneling so administrators could distinguish legitimate from malicious tunneling and create granular policies to block or monitor exfiltration.
How did DNS Edge integrate with existing security operations and improve forensic investigations?
DNS Edge produced comprehensive, searchable logs of DNS queries and responses and integrated those logs into the company’s Splunk environment, enabling DNS telemetry to be used as an additional threat indicator in the security team’s single pane of glass. This integration allowed security analysts to ingest and analyze anomalous DNS data enterprise-wide while retaining the ability to enact real-time mitigation from the Edge UI. For forensics, the searchable DNS logs reduced average correlation and investigation time from about eight days to roughly six hours by consolidating DNS data and providing device- and query-level context needed to accelerate evidence collection and remediation.
The Customer
The U.S. logistics company has an annual revenue of nearly $69 billion. If it were a private company, it would rank 43rd in the 2015 Fortune 500 and 137th in the 2015 Global Fortune 500 list. To support its massive operational footprint of nearly 32,000 facilities and over half a million employees, the logistics company has one of the world’s largest computer networks.
Technology is at the center of the company’s business strategy. It uses the world’s most advanced tracking and information systems to speed the flow of mail and packages throughout its network, creating literally billions of data points (and DNS queries) every day. The company leverages advanced data analytics to empower employees and customers, creating new products and services to spur growth.
The logistics company has long recognized the value of DNS to its core network operations. In 2008, the company used BlueCat’s Integrity product to centralize and automate core DNS functions. This streamlined its DNS architecture, dramatically increased the stability of its network, and created the foundation for higher-level initiatives such as self-service provisioning and automation. Moving to a centralized DNS architecture also allowed the company to easily implement the DNS-related controls required by NIST 800-53, which the company uses as a guideline.
The Challenge
With a centralized architecture in place, the logistics company began to look at ways that DNS could solve a series of long-standing cybersecurity challenges.
Visibility into internal network traffic
Networking staff deployed a sophisticated set of boundary-level filters and firewalls to control outbound network traffic. Yet underneath that boundary, the internal workings of the network had fewer controls, leaving the company open to advanced persistent threats and the work of malicious insiders.
Data exfiltration
The company had no mechanism to protect itself from data exfiltration through DNS tunneling, a common pathway used by malware.
Guest network visibility
The company runs a separate, walled-off network for on-site contractors, but had no mechanism to monitor or block malicious activity on this network.
Forensic investigations
The network team was often tasked with assisting in forensic investigations by the cybersecurity staff or Inspector General’s office. Combing through data logs and correlating activity across multiple domains was a serious drain on productivity and delayed action on the Inspector General’s significant caseload.
SIEM data
The cybersecurity team uses Splunk as its “single pane of glass” to monitor and act on potential security vulnerabilities. Cybersecurity staff wanted to add DNS data as a threat indicator in Splunk.
The Solution
BlueCat approached IT managers with a proposal to leverage its centrally managed DNS architecture to gain new visibility into patterns of network activity.
BlueCat proposed a pilot deployment of DNS Edge, a client-facing DNS security system. With DNS Edge in place, network administrators would gain full visibility into both internal (“east-west”) and external (“north-south”) DNS traffic. Using that strong source of intelligence, DNS Edge would provide the ability to implement security policies which block, monitor, or redirect DNS queries. The comprehensive logs of DNS information produced by DNS Edge would also make forensic investigations and real-time monitoring of network operations simpler.
In 2018, BlueCat went live with the first implementation phase of DNS Edge on the logistics company’s network. BlueCat also deployed DNS Edge with a Splunk integration, allowing security users to ingest and analyze anomalous DNS data across the enterprise for the first time. BlueCat delivered training to the network and security teams, certifying them in the operation of DNS Edge, use of security policies, and techniques for monitoring malicious network activity.
The Impact
DNS Edge produced immediate results on all of the logistics company’s targeted initiatives.
| Before DNS Edge | After DNS Edge |
|---|---|
| No visibility into internal network traffic | DNS Edge monitors ~3.2m internal queries per day; security policies automatically block malicious/anomalous behavior |
| No mechanism to identify or block data exfiltration through DNS | DNS Edge blocks tunneling, domain generation algorithms (DGAs) and other data exfiltration signatures; ~720 blocks per hour |
| Forensic investigation response time averages eight days due to data correlation challenges | Searchable log of all DNS data (queries and responses), allows for correlation of relevant data in an average of six hours |
| No visibility into activity on the guest network; no ability to enact security policies on the guest network | DNS Edge monitors and applies security policies to all devices on the guest network |
| DNS data not available in Splunk | Edge providing relevant DNS data for analysis in Splunk with connection back to real-time mitigation in the Edge UI |
DNS Edge Security Findings
Following an initial data collection period, BlueCat and the security team conducted a joint review of anomalies and potential issue areas identified by DNS Edge. This review showed a series of serious threats which required immediate mitigation.
Threat #1: Cryptocurrency Mining
The review of DNS Edge data showed queries to known cryptocurrency mining sites. This was an indication that malware was using the company’s computing resources to produce cryptocurrency, exporting the results to remote servers. The mining operations were highly coordinated and targeted, occurring largely at times of day when use of computing resources was low and the activity was less likely to be discovered.
The company’s existing firewall settings were able to treat the symptoms of cryptojacking, but not eliminate the underlying problem. The firewall effectively blocked transmission of the cryptomining results back to the remote server, based on blacklists applied to payload data.
Yet the firewall failed to block DNS-based command and control functions, and was unable to identify the source IP of infected devices. The clients were still infected and using up valuable computing resources, even if the results of that compute weren’t making it to the outside internet.
With the comprehensive client-facing logs produced by DNS Edge, the cybersecurity team was able to quickly associate cryptojacking activity with individual devices and direct its remediation activity accordingly. With the security policy functions of DNS Edge, the company was able to disrupt the full range of communication between the cryptojacking software and remote servers.
Threat #2: IoT Devices
The logistics company uses a significant number of connected devices and sensors as part of its daily operations. These can include everything from mail sorters to security cameras to mobile phones. While these devices increase productivity and provide a great deal of useful data to the enterprise, they also represent a cybersecurity risk.
During the deployment of DNS Edge, the company discovered potentially malicious activity originating from IoT devices. Several devices on its network were constantly beaconing to foreign servers. This activity may ultimately prove benign (the software could be searching for routine updates), or additional investigation might demonstrate a command and control relationship.
Context is critical to determining whether beaconing activity is malicious or not. DNS Edge provided the company’s networking and cybersecurity staff the information they needed to decide how they were going to treat this activity:
- DNS Edge provided the source IP address, allowing IT staff to locate which device was beaconing to foreign servers
- DNS Edge provided the query type, indicating what sort of information the device was seeking
- DNS Edge provided the response information, which shows how the remote server directed the IoT device
Using this contextual data, the logistics company is now in a position to quickly perform the necessary investigation and mitigate any potential risks to the network.
Threat #3: DNS Tunneling and Exfiltration
DNS tunneling is a method of data transfer which embeds substantive information inside otherwise normal DNS queries. Not all uses of DNS tunneling are malicious – in fact, many anti-virus software systems use DNS tunneling for updates. Yet DNS tunneling is often used by malware for data exfiltration, and can be difficult to identify. Gaining visibility into the extent of DNS tunneling and the context around it is critical.
Using DNS Edge, network administrators were able to identify the extent of DNS tunneling activity on their network for the first time. With a comprehensive view of the source IP, destination, and response from this activity, administrators will be able to sort out malicious DNS tunneling from legitimate use.
As a picture of “normal” DNS tunneling emerges over time, network administrators will be able to compose granular security policies which monitor, block, or redirect suspicious DNS tunneling activity. These security policies close a significant data exfiltration loophole in the network.
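As an added example (not BlueCat’s code, and not the DNS Edge log format), the script below applies the two triage steps described under Threat #2 and Threat #3 to a handful of constructed client-facing DNS log lines. It groups each client’s queries by name to surface near-periodic beaconing together with the context the text lists (source IP, query type, response), and it counts long, high-entropy leading labels per client and base domain to profile tunneling-like traffic. Each finding is then turned into a monitor/block decision, with an allowlist for tunneling domains the team has already judged legitimate (the anti-virus update case). The log format, IP addresses, domain names, thresholds and function names are all assumptions made for this example.

```python
"""Beaconing and tunneling triage over client-facing DNS logs (added example)."""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    ts: int      # seconds since epoch
    src: str     # client source IP (the device-level field client-facing logging exposes)
    qname: str   # queried name
    qtype: str   # A, TXT, MX, ...
    answer: str  # response data as logged


# Constructed sample log, one event per line: "ts src qname qtype answer".
# The format, addresses and domains are invented for this example.
SAMPLE_LOG = """\
1000 10.1.1.5 updates.vendor.example A 203.0.113.10
1060 10.1.1.5 updates.vendor.example A 203.0.113.10
1120 10.1.1.5 updates.vendor.example A 203.0.113.10
1180 10.1.1.5 updates.vendor.example A 203.0.113.10
1240 10.1.1.5 updates.vendor.example A 203.0.113.10
1005 10.1.1.9 mail.corp.example MX 10 mx1.corp.example
1300 10.1.1.9 www.corp.example A 192.0.2.20
1010 10.1.2.7 a9f3e1c4b2d8e7f6a1b2c3d4.tun.example TXT v=aGVsbG8=
1011 10.1.2.7 b8e2d0c3a1f7d6e5b0a1c2d3.tun.example TXT v=d29ybGQ=
1012 10.1.2.7 c7d1c9b2f0e6c5d4a9f0b1c2.tun.example TXT v=Zm9v
1013 10.1.2.7 d6c0b8a1e9d5b4c3f8e9a0b1.tun.example TXT v=YmFy
1014 10.1.2.7 e5b9a7f0d8c4a3b2e7d8f9a0.tun.example TXT v=YmF6
"""


def parse_log(text: str) -> list:
    """Parse the constructed line format into DnsEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, qname, qtype, answer = line.split(maxsplit=4)
        events.append(DnsEvent(int(ts), src, qname.lower().rstrip("."), qtype, answer))
    return events


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname: str) -> str:
    # Simplification for the example: treat the last two labels as the registered domain.
    return ".".join(qname.split(".")[-2:])


def find_beaconing(events, min_queries=4, max_jitter=0.2) -> list:
    """Flag (src, qname) pairs queried at near-constant intervals, with context for triage."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.src, e.qname)].append(e)
    findings = []
    for (src, qname), evs in by_pair.items():
        if len(evs) < min_queries:
            continue
        ts = sorted(e.ts for e in evs)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) <= max_jitter * mean:
            findings.append({
                "kind": "beaconing", "src": src, "qname": qname, "interval_s": mean,
                "qtypes": sorted({e.qtype for e in evs}),
                "answers": sorted({e.answer for e in evs}),
            })
    return findings


def find_tunneling(events, min_unique=4, min_label_len=16, min_entropy=3.0) -> list:
    """Flag (src, base domain) pairs with many unique, long, high-entropy leading labels."""
    labels, qtypes = defaultdict(set), defaultdict(set)
    for e in events:
        first = e.qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            key = (e.src, base_domain(e.qname))
            labels[key].add(first)
            qtypes[key].add(e.qtype)
    return [
        {"kind": "tunneling", "src": src, "domain": dom,
         "unique_labels": len(ls), "qtypes": sorted(qtypes[(src, dom)])}
        for (src, dom), ls in labels.items() if len(ls) >= min_unique
    ]


def build_policy(findings, allowed_tunnel_domains=frozenset()) -> list:
    """Block tunneling to unknown domains; monitor allowlisted tunnels and beaconing."""
    actions = []
    for f in findings:
        block = f["kind"] == "tunneling" and f["domain"] not in allowed_tunnel_domains
        actions.append({**f, "action": "block" if block else "monitor"})
    return actions


def triage(text: str, allowed_tunnel_domains=frozenset()) -> list:
    events = parse_log(text)
    return build_policy(find_beaconing(events) + find_tunneling(events), allowed_tunnel_domains)


if __name__ == "__main__":
    for action in triage(SAMPLE_LOG):
        print(action)
```

Beaconing is reported as "monitor" rather than "block" because, as the text notes, the same pattern is produced by routine update checks; the query type and response fields carried in each finding are what the analyst uses to decide. The thresholds are starting points only and would be tuned against a baseline of the network’s own "normal" tunneling before any block policy is enforced.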