Cygna Labs
Book a Demo
shield

N3K becomes Cygna Labs Germany

  1. Home

  2. Blog

  3. Detect APT Activity via DNS

Detect APT Activity via DNS

Timothy Rooney

Timothy Rooney

Jun 19, 2023

Detect APT Activity via DNS

Cyberthreat actors often use advanced Persistent Threats (APTs) to desecrate the integrity of your network and your brand reputation. APTs are sophisticated malware that gain access to an internal network device via phishing or other coercive malware infiltration tactics, then stealthily seek other attractive targets via discovery and lateral movement. Stealth stratagems include lengthy idle periods of inactivity and employing varying schemes for discovery and infiltration to avoid characterization and detection.

APTs use of DNS

A variety of techniques may be pre-programmed within the malware, and it may contact the malware author’s site via the Internet for software updates specifying new tasks to perform. Among the tasks might be the transmission of captured sensitive data to the malware author’s site for exploitation. One means by which APT’s may achieve this objective is through the exfiltration of data using the DNS protocol, which by necessity is freely permitted through firewalls. While DNS servers are critical to proper network operation, they’ve long been considered innocuous from a security standpoint. But unless you’re monitoring DNS protocol transactions, your DNS could be serving as a primary vehicle for nefarious purposes to your detriment. But you can defend yourself! Monitoring DNS transactions can help you identify not only DNS queries to suspicious name servers for domain names of ill-repute which enable the APT to locate the author’s site, but also potential encoded transfer of your data out of your network. A DNS firewall can help in the case of identifying malicious DNS queries. And DNS tunneling detection can assist in the detection and termination of DNS tunnels.

DNS Tunnel Detection for QIP Customers

Protect your network from DNS tunnel attacks with Cygna Radar. Cygna Radar monitors DNS transactions to detect DNS tunnels, which are added to the block list of the server’s response policy zone (RPZ) to drop the tunnel packets. Detected DNS tunnels are summarized for viewing in the Radar user interface, with the severity indicating the level of confidence in the detection. Individual tunnels may be managed to modify severities, set an expiration time to remove the response policy from the server, or to change the RPZ policy for the suspected tunnel in accordance with standard RPZ policies.

The Cygna Radar package is a new package that can be installed on your VitalQIP DNS and DHCP appliances. Transaction data can be viewed centrally through the Cygna Radar central server software. Access one or more appliance nodes to view DHCP and DNS transactions for analysis. You can also filter DHCP data to search for a particular IP address, MAC address, DHCP Unique Identifier (DUID), Identity Association Identifier (IAID), FQDN and message type and DNS data by client or server IP address, port, protocol, or pairwise connections, among other attributes.

Cygna Radar also enables logging of the DHCP and DNS transactions to a third-party SIEM system for correlation and persistent storage within the SIEM system. You may also filter logged traffic based on message types for example to reduce expenses associated with the volume of data transmitted to and stored in the SIEM. Note that Diamond IP Sapphire appliances also support DNS tunneling detection and shutdown, so whether you’re using VitalQIP or Diamond IP, you’re protected from malware queries and tunnels. To learn more about Cygna Radar please refer to https://cygnalabs.com/en/vitalqip-cygna-radar/.