By offering industry-leading coverage across every major DNS-layer attack category, Palo Alto Networks’ DNS Security service is the most comprehensive DNS security solution available. With our PAN-OS Nebula release, we expanded our coverage against the latest and most sophisticated DNS-layer threats and introduced a number of industry-first detections for threats such as Compromised DNS Zone, Strategically Aged Domains, Wildcard DNS Abuse, CNAME Cloaking, and DNS Infiltration.
In this post, we’ll take a deeper look into the Compromised DNS Zone threat and how we protect our customers against it.
What is a Compromised DNS Zone and why do attackers use it?
When using domains as part of an attack campaign, attackers commonly purchase new apex domains from domain registrars and then set up malicious content on them. This practice has several disadvantages. Newly registered domains usually lack the reputation that would let them pass through security defenses, or they may even have a bad reputation and can then be easily blocked by reputation-based detectors. Most of these domains have random characters or meaningless words in their names, which keeps costs down because adversaries usually need to register many domains for a campaign. But traffic to such random-pattern domains stands out as suspicious and can be easily detected.
To avoid detection, attackers have recently adopted a technique called domain shadowing. Instead of registering new domains, they compromise legitimate domains and create malicious subdomains under them. This renders existing detection systems ineffective because the shadowed subdomains inherit the reputation of the compromised legitimate parent domains, and it gives attackers the ability to create an unlimited number of malicious subdomains with meaningful words at no cost to them. These subdomains are then used to launch phishing and malware attacks to gain access to unsuspecting users’ information.
What does a Compromised DNS Zone attack look like?
The first step in a generic malicious exploitation campaign is to gather as much user traffic as possible. Common methods include various forms of spam and malicious advertising (malvertising). In the case of malvertising, a user visiting a benign website can be automatically redirected to a malicious landing page; in the case of a spam email, the user usually needs to click on a link to be redirected there. The malicious landing page then hosts a phishing page or an exploit kit such as Angler, and an exploit kit can be used for various nefarious purposes, including ransomware, click fraud and keyloggers.
In the case of a campaign distributing the Angler Exploit Kit, shadowed domains were used as intermediary redirector nodes between the page initially visited by users and the malicious landing page. They were used for a short time and were hard to detect with traditional techniques because of their inherited benign reputation. Shadowed domains can also be used to host the malicious phishing or landing pages themselves.
Attackers can compromise a DNS zone either by stealing the zone owner's credentials for the registrar or DNS service that manages the zone, or by compromising the DNS servers hosting the zone files directly.
How does a detection engine with ML models help identify, detect and prevent attacks due to compromised sub-domains?
Existing solutions built on reputation engines are ineffective against shadowed domains, and identifying them by tracking malicious campaigns is too slow and labor-intensive. To address these shortcomings of current industry detection techniques, we developed a fully automated machine learning pipeline built on the properties of shadowed domains.
We train a machine learning model using a list of known shadowed domains and a large number of benign domains. We generate over three hundred features for candidate shadowed domains, processing tens of terabytes of DNS record logs (passive DNS data) every day. Examples of subdomain-related features are the IP deviation from the root domain, the length and entropy of the subdomain, and the popularity of the subdomain. Features related to the attacker’s IP include the average IP deviation of subdomains using this IP, the subdomains’ similarity to each other, and the ratio of apex to subdomain counts. Features related to the compromised zone include the average IP count for subdomains, the average number of days subdomains were created after the root domain, and the average length of the subdomains. Leveraging these features, our classifier can distinguish benign and compromised subdomains with high precision and recall.
To understand the thought process behind building these detection engines, let’s go through a real-life example. As shown in Figure 1, app-garden.com is the compromised legitimate domain. Attackers host ransomware on the shadowed domain aaa.app-garden.com. To redirect users’ traffic to the shadowed domain, attackers can either compromise other well-known websites or use malicious advertisements. By inspecting the profile of the shadowed domain, we find that app-garden.com has been registered since 2011 and will not expire until 2022, and data from the Internet Archive shows that app-garden.com has been active at least since 2013. We therefore have strong confidence that app-garden.com is a legitimate domain. Motivated by our observations from real-life cases, we designed and implemented the domain shadowing detector based on a few key observations.
First, shadowed domains usually deviate from their legitimate siblings. Attackers use their own infrastructure to serve malicious code or web pages, so the attacker's IP address is likely to differ from the victim's, and we can observe this difference in the IP addresses used and possibly in their geolocation. Second, a closer look at the shadowed IP addresses reveals that many other shadowed domains under multiple different apex domains are hosted on the same IP; shadowed domains in the same campaign are naturally correlated. Third, many of these subdomains are activated around the same time to serve the same malicious campaign. Finally, subdomains generated by attackers often follow a similar pattern and are quite different from benign subdomains.
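As an added illustration (not Palo Alto Networks' pipeline or code), the following Python computes a handful of the features named above over a constructed passive-DNS sample: subdomain length and entropy, IP deviation from the apex, days after the apex was first seen, and, for the IP hosting the subdomain, its average deviation, apex-to-subdomain ratio and label similarity. The apex() heuristic, the sample records and the exact feature definitions are assumptions made for the example.

```python
import math
from collections import defaultdict
from itertools import combinations

# Constructed passive-DNS records, not real data: (fqdn, resolved IP, day first seen).
# app-garden.com mirrors the post's example; 198.51.100.7 plays the attacker-controlled host.
RECORDS = [
    ("app-garden.com", "203.0.113.10", 0), ("www.app-garden.com", "203.0.113.10", 1),
    ("mail.app-garden.com", "203.0.113.11", 3), ("aaa.app-garden.com", "198.51.100.7", 900),
    ("aab.app-garden.com", "198.51.100.7", 901), ("example.net", "192.0.2.5", 0),
    ("aac.example.net", "198.51.100.7", 902),
]

def apex(fqdn):  # simplification: last two labels (a real pipeline would use the public suffix list)
    return ".".join(fqdn.split(".")[-2:])

def entropy(s):  # Shannon entropy (bits) of a subdomain label
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def ip_deviation(ip, apex_ips):  # fraction of octets differing from the closest apex IP
    def diff(a, b): return sum(x != y for x, y in zip(a.split("."), b.split("."))) / 4
    return min((diff(ip, a) for a in apex_ips), default=1.0)

def jaccard(p, q):  # character-bigram overlap between two labels (pattern similarity)
    bp, bq = {p[i:i + 2] for i in range(len(p) - 1)}, {q[i:i + 2] for i in range(len(q) - 1)}
    return len(bp & bq) / len(bp | bq) if bp | bq else 0.0

def subdomain_features(records):
    apex_ips, apex_first = defaultdict(set), {}
    for fqdn, ip, day in records:           # pass 1: profile of each apex (root) domain
        if fqdn == apex(fqdn):
            apex_ips[fqdn].add(ip); apex_first[fqdn] = min(day, apex_first.get(fqdn, day))
    ip_labels, ip_apexes, ip_devs, rows = defaultdict(set), defaultdict(set), defaultdict(list), []
    for fqdn, ip, day in records:           # pass 2: per-subdomain features, grouped by hosting IP
        a = apex(fqdn)
        if fqdn == a:
            continue
        label, dev = fqdn[:-len(a) - 1], ip_deviation(ip, apex_ips[a])
        ip_labels[ip].add(label); ip_apexes[ip].add(a); ip_devs[ip].append(dev)
        rows.append((fqdn, ip, label, dev, day - apex_first.get(a, day)))
    feats = {}
    for fqdn, ip, label, dev, age in rows:  # pass 3: attach features of the IP hosting the subdomain
        sims = [jaccard(p, q) for p, q in combinations(sorted(ip_labels[ip]), 2)]
        feats[fqdn] = {"length": len(label), "entropy": round(entropy(label), 3),
                       "ip_deviation": dev, "days_after_apex": age,
                       "ip_avg_deviation": round(sum(ip_devs[ip]) / len(ip_devs[ip]), 3),
                       "ip_apex_to_sub_ratio": round(len(ip_apexes[ip]) / len(ip_labels[ip]), 3),
                       "ip_label_similarity": round(sum(sims) / len(sims), 3) if sims else 0.0}
    return feats
```

In the sample, the three subdomains on 198.51.100.7 show full IP deviation, a 900-day gap after their apex, two apexes sharing one host and similar labels, while www and mail stay close to their apex; a classifier would be trained on hundreds of such features rather than any one of them.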
All of these analytics come together to ensure that only malicious compromised subdomains are blocked, in real time and with high confidence.
When will Compromised DNS Zone detection be available in DNS Security?
Compromised DNS Zone detection is delivered in real time under the DNS Malware category, which is part of the PAN-OS 10.0 release, so customers running PAN-OS 10.0 or later benefit from this new detection. They can sinkhole, block, or alert on this detection based on their policy for handling the Malware category.