Palo Alto Networks Advanced DNS Security Launches New Detection: DNS Traffic Profiling


Palo Alto Networks Advanced DNS Security introduces a new detection, DNS Traffic Profiling. This new detection is part of the Command-and-Control (C2) Domains category and is enabled by default.


What is DNS Traffic Profiling and Why Does it Matter?


As cyberattacks become more sophisticated and increase in scale, traditional DNS security measures are often found lacking in their ability to detect threats concealed within DNS traffic. The limitations of existing signatures and malicious databases are becoming increasingly apparent, as they are not scalable and quickly become outdated due to the rapid rate at which new malicious domains are created and registered.


DNS Traffic Profiling is a powerful detection mechanism that compares and analyzes users' emerging DNS traffic trends with known malicious and benign traffic patterns. It's particularly effective in uncovering new, unexpected, suspicious, and malicious domains and compromised host activities, providing security teams with crucial insights into changes in their network’s behavior and enabling them to stop malicious activities in real time.


In addition to protection against various DNS-layer attack techniques, the new DNS Traffic Profiling detection, part of the Advanced DNS Security solution, enhances threat detection and bolsters organizations' defenses against abuse of their DNS traffic. In May 2024 alone, the DNS Traffic Profiling detection identified 170 suspicious domains and blocked 374,000 malicious DNS requests daily.


Case Study: DNS Traffic Profiling


The Palo Alto Networks DNS Traffic Profiling detector discovered the DNS traffic pattern of a malicious typosquatting domain mimicking a popular telecommunications company. Attackers registered comcadt[.]net, hoping victims would make a typo when trying to reach the legitimate site. Our detector identified a strong correlation between squatting and fast-flux domain traffic based on DNS request and response traffic patterns, and found that more than 50 malicious IP addresses hosted this domain.


Reference: https://unit42.paloaltonetworks.com/profiling-detecting-malicious-dns-traffic/


How Does DNS Traffic Profiling Help Identify, Detect and Prevent Attacks?


Palo Alto Networks employs advanced technology to combat cyberthreats by analyzing network traffic patterns. Each type of attack typically exhibits a distinct traffic pattern, which not only serves its malicious intent but also tries to bypass security measures. Our approach centers on DNS traffic profiling, which involves a detailed analysis of DNS traffic for both the domains and devices involved. We collect this information over time, tracking how it changes while adapting to new patterns. To efficiently handle this complex data, we use cutting-edge specialized ML methods to process sequential data, ideal for time series patterns like DNS traffic.


Once we've established a traffic profile of regular DNS activity, our cloud inline Deep Learning system comes into action. It utilizes an array of algorithms ranging from classification and clustering to anomaly detection, in addition to other detection categories. These algorithms work together to sift through benign and malicious traffic, and when new suspicious traffic patterns emerge, our classifier quickly detects potential threats. Palo Alto Networks NGFWs and Prisma Access immediately block these malicious domains and are constantly updated through our Cloud-Delivered Security Services.


We also group related threats using clustering, making it easier to shut down entire malicious operations. Below are examples of how we catch some novel threats:


  • Dynamic DNS: Attackers abuse Dynamic DNS to change IP addresses frequently and set a short time-to-live (TTL). This is a red flag we monitor closely, and in traffic patterns it shows up as a steady flow of requests with minimal spikes.
  • Command-and-Control (C2): Malware often stays dormant for an extended period of time and then wakes to check in (heartbeat traffic) with its C2 server. We observe that requests to the C2 domain peak once daily with relatively stable gaps between them, which matches the malicious network activity of trojans.


We're also looking for anomalies in DNS traffic trends, as these can signal suspicious activity. For instance, if there are an unusually high number of requests to a domain such as run[.]sh from a single device, and this trend is consistent over 24 hours, it may indicate a programmed attack rather than normal human behavior. The DNS Traffic Profiling detection leverages these strategies to uncover and block sophisticated, evolving threats as they happen, keeping networks secure. For detailed information on DNS Traffic Profiling, visit the blog Profiling and Detecting Malicious DNS Traffic.
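To make the traffic features described above concrete, here is an added toy profiler (example code written for this page, not Palo Alto Networks' detector or any of its algorithms). It computes, per domain, the simple statistics the post alludes to: distinct resolved IPs behind a short TTL (the fast-flux pattern from the squatting case study), short TTLs (Dynamic DNS abuse), regularity of query gaps (daily C2 heartbeats), and the number of queries one device sends in a day (the run[.]sh-style volume anomaly). All log lines, domain names, IP addresses and thresholds are constructed assumptions for illustration; the real detection uses trained models, not fixed cut-offs.

```python
"""Toy DNS traffic profiler (added illustration; not vendor code).

Log line format (constructed for this example):
    <ISO timestamp> <client ip> <queried name> <answer ip> <ttl seconds>
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Illustrative thresholds; assumptions for this example, not tuned vendor values.
SHORT_TTL_SECONDS = 300          # Dynamic DNS / fast-flux answers are short-lived
FLUX_MIN_DISTINCT_IPS = 5        # many hosting IPs behind one name
BEACON_MAX_CV = 0.05             # coefficient of variation of query gaps; lower = more regular
BEACON_MIN_QUERIES = 4           # need a few check-ins before calling it periodic
SINGLE_DEVICE_MAX_PER_DAY = 100  # one device hammering one name all day

# Constructed sample traffic: a daily beacon, a fast-flux squat, and a benign site.
SAMPLE_LOG = """\
2024-05-01T00:00:00 10.0.0.5 beacon.example.test 203.0.113.10 3600
2024-05-02T00:00:05 10.0.0.5 beacon.example.test 203.0.113.10 3600
2024-05-03T00:00:02 10.0.0.5 beacon.example.test 203.0.113.10 3600
2024-05-04T00:00:07 10.0.0.5 beacon.example.test 203.0.113.10 3600
2024-05-05T00:00:03 10.0.0.5 beacon.example.test 203.0.113.10 3600
2024-05-01T00:10:00 10.0.0.1 squat.example.test 192.0.2.1 60
2024-05-01T00:12:30 10.0.0.2 squat.example.test 192.0.2.2 60
2024-05-01T00:20:00 10.0.0.3 squat.example.test 192.0.2.3 60
2024-05-01T01:05:00 10.0.0.1 squat.example.test 192.0.2.4 60
2024-05-01T03:00:00 10.0.0.4 squat.example.test 192.0.2.5 60
2024-05-02T04:00:00 10.0.0.2 squat.example.test 192.0.2.6 60
2024-05-01T08:00:00 10.0.0.1 www.example.test 198.51.100.7 3600
2024-05-01T09:30:00 10.0.0.2 www.example.test 198.51.100.7 3600
2024-05-02T17:45:00 10.0.0.1 www.example.test 198.51.100.7 3600
"""


@dataclass
class DnsRecord:
    ts: datetime
    client: str
    qname: str
    answer_ip: str
    ttl: int


def parse_line(line: str) -> DnsRecord:
    """Parse one constructed log line into a record."""
    ts, client, qname, ip, ttl = line.split()
    return DnsRecord(datetime.fromisoformat(ts), client, qname.lower().rstrip("."), ip, int(ttl))


def build_sample_lines():
    """Static lines plus 150 jittered queries from one device in a single day (constructed)."""
    lines = SAMPLE_LOG.splitlines()
    t = datetime(2024, 5, 1, 1, 0, 0)
    for i in range(150):
        lines.append(f"{t.isoformat()} 10.0.0.9 bulk.example.test 203.0.113.20 3600")
        t += timedelta(seconds=300 + 100 * ((i * 7) % 5 - 2))  # gaps 100..500 s, deterministic
    return lines


def profile_domain(records):
    """Feature vector for one domain: IP diversity, TTL, gap regularity, per-device volume."""
    records = sorted(records, key=lambda r: r.ts)
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(records, records[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
    per_device_day = defaultdict(int)
    for r in records:
        per_device_day[(r.client, r.ts.date())] += 1
    return {
        "queries": len(records),
        "distinct_ips": len({r.answer_ip for r in records}),
        "median_ttl": median(r.ttl for r in records),
        "gap_cv": cv,
        "mean_gap": mean(gaps) if gaps else None,
        "max_per_device_day": max(per_device_day.values()),
    }


def classify(features):
    """Map features to the traffic-pattern labels the post discusses."""
    flags = []
    if features["median_ttl"] <= SHORT_TTL_SECONDS:
        # Short TTL alone is Dynamic DNS style; short TTL plus many IPs is fast-flux.
        flags.append("fast-flux" if features["distinct_ips"] >= FLUX_MIN_DISTINCT_IPS else "short-ttl")
    if (features["queries"] >= BEACON_MIN_QUERIES and features["gap_cv"] is not None
            and features["gap_cv"] <= BEACON_MAX_CV):
        flags.append("periodic-beacon")
    if features["max_per_device_day"] >= SINGLE_DEVICE_MAX_PER_DAY:
        flags.append("single-device-high-volume")
    return flags


def profile_log(lines):
    """Group lines by queried name and return {domain: [flags]}."""
    by_domain = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_domain[rec.qname].append(rec)
    return {d: classify(profile_domain(recs)) for d, recs in by_domain.items()}


if __name__ == "__main__":
    for domain, flags in profile_log(build_sample_lines()).items():
        print(f"{domain:22} {flags or 'no flags'}")
```

Each flag on its own is only a weak signal: a legitimate nightly update check also beacons once a day, and CDNs use short TTLs with many IPs. That is why the post describes combining these features over time, across domains and devices, rather than alerting on a single threshold.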


When Will the DNS Traffic Profiling Detection Be Available in DNS Security?


DNS Traffic Profiling is released as part of the PAN-OS 11.2 release. Customers with PAN-OS 11.2 or later are able to benefit from this new detection through a simple content update. No configuration changes or actions are required by customers, as it is enabled by default.


Below is a snippet showing how DNS Traffic Profiling detection entries appear in the firewall's threat log:


[Figure 1: DNS Traffic Profiling detection entries in the firewall threat log]
