Intelligent CIO Africa Issue 99 | Page 40

CIO OPINION
How ransomware uses C2 and DNS for execution
Ransomware attacks have become a significant concern for organisations worldwide, with the frequency and success of these attacks continuing to rise. Once ransomware has infiltrated a company’s network and begins executing, it utilises Command and Control (C2) communications to download the encryption key to the end host and encrypt the files. This C2 happens over DNS. DNS C2 is a technique used by cybercriminals to communicate with malware that has infected a target system.
In a pattern also called beaconing, the malware periodically sends DNS queries to the attacker’s server to check for new commands. This communication is crucial for controlling the malware and executing malicious activities.
Cybercriminals use DNS for C2 because:
• It is a ubiquitous and essential service in network communications. By embedding commands within DNS queries and responses, attackers can communicate with malware without raising suspicion.
• It provides a level of stealth. Since DNS traffic is usually allowed through firewalls and other security devices, it can be used to hide malicious activities. Attackers can encode commands in DNS queries and responses, making it difficult for security tools to detect and block these communications.
Data exfiltration over DNS is a sophisticated technique that allows attackers to covertly transfer sensitive data out of an organisation by leveraging the DNS protocol. By embedding data in DNS queries, or in other words creating a tunnel over DNS to transfer data, attackers can bypass traditional data loss prevention tools that might block other avenues of data theft.
The most effective way to deal with ransomware is to prevent users from accessing ransomware domains in the first place. Phishing, one of the most used delivery methods for ransomware, lures users to domains owned by threat actors.
Proactive identification of such domains, even before they are weaponised, is something that DNS threat intelligence excels at, because it can identify when domains are registered for future malicious purposes and block them, on average 63 days ahead of attacks.
By monitoring DNS traffic and using DNS threat intelligence, organisations can block C2 communications, preventing the encryption key download and the eventual encryption of data. Blocking C2 at DNS ensures that the session is not even established with the attacker-controlled server, providing mitigation at the earliest possible opportunity.
Detecting data exfiltration over DNS involves monitoring an organisation’s DNS traffic in real time for unusual patterns, such as high-frequency queries to uncommon domains or queries with high entropy in their names. This behaviour-based analysis can identify data exfiltration to domains even if those domains are not yet categorised as malicious in threat feeds.
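The two behavioural signals named above, query rate to uncommon domains and entropy of the query names, can be scored from ordinary resolver logs. The following is an added illustration written for this page, not code from the author or from Infoblox. The log lines are constructed (timestamp, client IP, query name, record type), the allowlist of known-good domains stands in for an organisation's own list or a threat-feed categorisation, and the "registered domain" is approximated as the last two labels of the name, which a real deployment would replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Constructed sample resolver log: "<unix_ts> <client_ip> <qname> <qtype>".
# Invented for this example; the hex labels mimic tunnelled data chunks and
# the allowlisted "vendor.example" mimics a legitimately chatty update service.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com A
1700000003 10.0.0.5 www.example.com A
1700000002 10.0.0.7 a3f9c2e1b7d04e6f8a1c5b9d2e7f3a4c.data-tunnel.test TXT
1700000003 10.0.0.7 9e2b7c4d1f8a3e6b5c0d2f7a1e4b8c3d.data-tunnel.test TXT
1700000004 10.0.0.7 5d8a1c4e7f2b9a0d3e6c1f8b4a7d2e9c.data-tunnel.test TXT
1700000005 10.0.0.7 e7b2a9d4c1f6e3a8b5d0c7f2e9a4b1d6.data-tunnel.test TXT
1700000006 10.0.0.7 2c9f4a7e1d8b3f6c0a5e2d9b7c4f1a8e.data-tunnel.test TXT
1700000007 10.0.0.7 b5e8c3a6f1d4b9e2c7a0f5d8b3e6c1a4.data-tunnel.test TXT
1700000010 10.0.0.9 updates.vendor.example A
1700000010 10.0.0.9 updates.vendor.example A
1700000010 10.0.0.9 updates.vendor.example A
1700000010 10.0.0.9 updates.vendor.example A
1700000010 10.0.0.9 updates.vendor.example A
1700000010 10.0.0.9 updates.vendor.example A
1700000100 10.0.0.7 7a1d4f8c2e5b9a3d6f0c4e7b1a8d5f2c.c2-beacon.test A
1700000160 10.0.0.7 d2f7a4c9e1b6d3f8a5c0e2b7d4f9a1c6.c2-beacon.test A
"""

# Constructed allowlist: domains the organisation already knows to be benign.
COMMON_DOMAINS = {"example.com", "vendor.example"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(alphabet)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(raw: str):
    """Turn the constructed log format into (ts, client, qname, qtype) tuples."""
    records = []
    for line in raw.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts[:4]
        records.append((int(ts), client, qname.rstrip(".").lower(), qtype))
    return records


def base_domain(qname: str) -> str:
    """Simplification: last two labels. Use a Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname: str) -> str:
    """Everything left of the base domain, concatenated (the attacker-controlled bytes)."""
    return "".join(qname.split(".")[:-2])


def analyse(records, window=10, rate_threshold=5, entropy_threshold=3.5,
            known_good=COMMON_DOMAINS):
    """Per base domain: mean subdomain entropy and peak queries per time window.
    Returns a dict of flagged domains with the reason(s) and supporting numbers."""
    per_domain = defaultdict(lambda: {"queries": 0, "entropies": [],
                                      "buckets": defaultdict(int), "subdomains": set()})
    for ts, _client, qname, _qtype in records:
        stats = per_domain[base_domain(qname)]
        stats["queries"] += 1
        stats["buckets"][ts // window] += 1          # fixed-size time bucket
        sub = subdomain_part(qname)
        stats["subdomains"].add(sub)
        stats["entropies"].append(shannon_entropy(sub))

    findings = {}
    for base, stats in per_domain.items():
        reasons = []
        mean_entropy = sum(stats["entropies"]) / len(stats["entropies"])
        peak_rate = max(stats["buckets"].values())
        if mean_entropy >= entropy_threshold:
            reasons.append("high_entropy_subdomains")
        # High rate alone is only suspicious for domains not already known-good.
        if peak_rate >= rate_threshold and base not in known_good:
            reasons.append("high_query_rate")
        if reasons:
            findings[base] = {"reasons": reasons, "queries": stats["queries"],
                              "unique_subdomains": len(stats["subdomains"]),
                              "mean_entropy": round(mean_entropy, 2),
                              "peak_rate": peak_rate}
    return findings


if __name__ == "__main__":
    for domain, info in analyse(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

Run as written, the tunnel domain is flagged on both signals, the slow beacon is flagged on entropy alone (its rate is far below the threshold, which is why rate-only rules miss beaconing), and the busy but allowlisted update domain is left alone. Thresholds are deliberately parameters: tune the entropy cut-off against a baseline of your own resolver traffic, and size the window to the query volume you actually see.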
Krupa Srivatsan, Senior Director, Cybersecurity Product Marketing at Infoblox
security investments. Organisations can make data-driven choices about which security controls to implement, which technologies to adopt, and how to best allocate their security budgets.
Improved Business Continuity
By identifying and mitigating potential threats, organisations can minimise the impact of cyberattacks on their operations. This can help ensure business continuity, protect critical services, and maintain customer trust.
Considerations for assessments
Frequency
The frequency of assessments should be determined based on the organisation’s risk tolerance, industry regulations, and the dynamic nature of the threat landscape. Regular assessments, at least annually, are often recommended, with more frequent assessments for high-risk organisations or those undergoing significant changes.
Scope
The scope of assessments should be tailored to the specific needs and circumstances of each organisation. It should cover all critical systems, applications, and data, including on-premises and cloud-based environments.
Methodology
A variety of assessment methodologies can be employed, including vulnerability scanning, penetration testing, risk registers, and threat modelling. The choice of methodology will depend on the specific objectives of the assessment and the resources available.
Expertise
It is essential to involve qualified cybersecurity professionals with the necessary expertise and experience to conduct thorough and effective assessments. This may involve internal security teams, external consultants, or a combination of both.
Continuous monitoring
Regular assessments should be complemented by continuous monitoring and threat intelligence feeds. This ongoing vigilance helps organisations stay abreast of emerging threats and respond quickly to new vulnerabilities.