Data Theft: Why Firewalls Alone Cannot Protect You

Who nowadays is not worried their data will be used without their permission? Recent major data breaches, from Equifax to Facebook have accentuated consumer fears, and the introduction of data protection laws across all continents (GDPR in Europe, for example) are stressing out Data Protection Officers. The one bright light is that enterprises are finally realizing that legacy systems alone are inadequate for preventing data theft, and so are turning to more holistic approaches involving, in particular, innovative solutions offering real-time analytics of network traffic.

Peripheral vision limits your chances of threat detection

Data exfiltration can be extremely difficult to detect as it often closely resembles typical network traffic, meaning incidents only become noticed long after exfiltration has already been achieved. DNS is recognized as one of the most discrete options for cyber criminals to carry out data exfiltration as DNS traffic is not often analyzed (by 68% of companies – Cisco 2016 Security Report) and is difficult to efficiently track with existing network inspection tools, especially considering the high volume of DNS traffic. The DNS protocol is therefore manipulated to act either as a tunneling protocol or as a ‘file transfer’ protocol. The consequences are huge – loss of sensitive data/ intellectual property, severe corporate brand damage, and customer churn.

Firewalls, by design, are ineffective against data theft – simply blacklisting a remote malicious IP will do little to prevent DNS exfiltration in your network. Traditional detection algorithms focus only on DNS packet frequency, payload, data encoding, or entropy of the requests. Whilst this has the benefit of easily filtering part of the malicious traffic, it is extremely resource-consuming and easily abused, leaving you blind to advanced DNS attacks.

Standard security solutions such as next-gen firewalls, anti-DoS and IPS also have no insight of DNS query exchange sequences across cache and recursive functions, making it impossible to understand client context. This peripheral analysis will never provide enough information to identify DNS tunneling, allowing confidential data to be exfiltrated without triggering any alarms – a point validated by the fact that 28% of companies were victims of data theft via DNS in the past 12 months (2018 Coleman Parkes DNS Threat Survey). It’s easy to check how weakly your firewall protects you – just buy one of the hacker tools available on the web – they’ll enable passing through even next-gen firewalls.

Of equal importance, the countermeasures offered are limited to merely blocking traffic or dropping suspect queries from suspected IP addresses. As this leads to legitimate traffic also being blocked, your business operations and bottom line risk being significantly impacted.

Most businesses using legacy solutions don’t even know that data is being exfiltrated until it is too late. But fortunately, real-time analytical solutions have become available to help detect & mitigate data theft attempts.

Getting to the heart of the problem

The DNS protocol allows for a huge variety of queries to be exchanged between a client’s device and external servers. Although this facilitates data exfiltration, such queries look atypical compared with normal traffic when they are viewed between DNS cache and recursive functions. So by embedding a security layer at the heart of the protocol in the DNS server itself, you’re able to get real-time, context-aware threat detection and remediation.

Using real-time DNS transaction inspection allows network managers to assess the validity and correctness of DNS traffic in the specific context of each enterprise. Overcoming the peripheral traffic visibility limitations of signature-based security systems is the key for delivering true DNS analytics and behavioral threat detection capabilities. A powerful, adaptive base of intelligence can be built up around DNS services meaning that suspect client activity can be detected even before the related domain has been specified as being malicious. It also helps eliminate risks of blocking legitimate traffic, as legitimate customers and malicious actors can be differentiated.

While data-loss prevention (DLP) solutions protect against data leakage via email, web, FTP etc. by monitoring data, they never consider DNS-based exfiltration. This gap needs to be closed in order to prevent DNS from being used as a back door for data theft. By building intelligent detection capabilities directly into the DNS infrastructure, both sets of information gathered can then be sent to SIEM to provide enhanced reporting.

For countering exfiltration, threat response efficiency can be improved using near real-time threat intelligence, and further enhanced with external security feeds such as SURBL which provide security intelligence from global traffic analysis, leveraging machine learning and predictive analytics – once a threat is detected, even locally, it’s always interesting to sync all security devices accordingly. This global approach helps security operations take the best course of action for mitigation.

Furthermore, when integrated with the network security ecosystem, IP data provided can help find and isolate suspicious clients. Tight integration between detection technologies and endpoint remediation solutions or NACs, such as Cisco ISE, provide indicators of compromise (IOC) when an endpoint is trying to exfiltrate data. The malicious process can automatically be banned from future execution/connection, infected endpoints (even those outside the enterprise) quarantined and data theft prevented.

Looking beyond traditional solutions to protect your network

It is becoming increasingly evident that organizations aiming to address growing network risks need to monitor DNS communications, recognize unusual or malicious activity, and inform the broader security ecosystem to protect against the lateral movement of threats.

As shown in the aforementioned threat survey, businesses globally are starting to look beyond traditional security solutions which have proven to be ineffective against data exfiltration via DNS, with many (38%) prioritizing real-time monitoring and analysis of DNS traffic. Even attacks trying to stay under the radar will be detected rapidly, helping ensure regulatory compliance and avoid brand and financial damage for your company. So why would you keep relying only on your firewalls to protect you?