
State of Infections

Brian Foster

The epitaph for Q1 2014 reads like this: Here lies the hope that security prevention is infallible. Major retailers succumb in the battle against network infections that go undetected.

High-profile security breaches impacting Neiman Marcus, Target, Michaels and White Lodging dominated the headlines early in 2014 for good reason. Hundreds of millions of data records were stolen[1]. Clean-up costs could reach into the billions[2].

The victim companies were compromised for weeks or months before knowing it:

  • Michaels: May 8, 2013 – January 27, 2014
  • Neiman Marcus: July 16 – October 16, 2013
  • Target: November 27 – December 15, 2013
  • White Lodging: March 20 – December 16, 2013

Bystanders may think it’s outrageous that a breach could go undetected for months. Mainstream media has certainly stirred the pot with stories about security teams ignoring alerts. But the people engaged in daily hand-to-hand combat know that an alert doesn’t equal an infection – and that’s part of the problem.

A human must correlate an alert with other logged activity to determine whether or not a device is infected. The time it takes to gather evidence and remediate creates a gap between when an infection occurs and when the enterprise can respond, and that’s when damage can be done.

Damballa’s Q1 2014 State of Infections Report demonstrates how the sheer volume of activity puts security and response teams between a rock and a hard place. The report highlights how breaches like Target, Neiman Marcus and others are not only possible but probable given today’s threat challenges.

According to Brian Foster, CTO of Damballa, "Damballa’s Q1 2014 State of Infections Report demonstrates how the sheer volume of activity puts security and response teams between a rock and a hard place, as these breaches are not only possible but probable given today’s threat challenges. Alerts from security controls are ambiguous and when everything is an alert, the scenario of the “Boy Who Cried Wolf” quickly becomes a reality. Security teams must be able to automate infection ‘hunting’ and prioritize their response. Otherwise they will find the wolf is already inside their network. Traditional IT security controls can’t stop today’s threats. Organizations need to automate labor-intensive processes, like alert-chasing, and focus on discovering successful infections and triage the devices under the most risk.”

Internet Traffic and Domain Activity - A Fluxing Situation
In North America, Damballa sees nearly 50% of all Internet traffic and 33% of mobile traffic. We also monitor large volumes of traffic from global Internet Service Providers and enterprise customers.

Every day, Damballa observes devices contacting an average of 411 million top-level internet domains. Since January 1, 2014, we observed more than 146 million distinct second-level domains, of which an average of 700,000 were new. Of those new domains, 55% were only seen on the day in which they first appeared.

[Figure: How domain generation algorithms work (Damballa)]

What do the numbers tell?
On the surface it’s impossible to interpret anything from this huge volume of activity. There are too many unknowns, including: how many of the ~700,000 new second-level domains established daily were legitimate versus illegitimate? If 55% of new domains were only seen for a day, how likely is it that they are malicious? To give context to these questions, consider how sophisticated threat actors operate.

Domain generation algorithms (DGA) are a good example of how threat actors manipulate (flux) domains to carry out their operations. Using this technique, the threat actor constantly changes the domain name of the Command & Control (C&C) server. It’s nearly impossible for security teams to block this activity even with a slew of prevention devices because you can’t blacklist a C&C domain that is dynamically generated and only lives for a short time.

Malware sandboxing will yield nothing useful for blocking purposes because each domain is used once and thrown away. Once the initial infection reaches the C&C server, subsequent malware updates would probably be encrypted to avoid dynamic file analysis.

Diving deeper, domain fluxing works like this. Infected devices use a DGA to create thousands of random domain names. The idea behind DGA is that if two parties (victim and threat actor) have the same algorithm and use the same input, the output will also be the same. So after a device becomes infected with DGA malware:

It is programmed to go to a legitimate web site to retrieve a piece of information. On the same day, the threat actor also visits the site and retrieves the same piece of information.

The input received goes into the algorithm and it generates - let’s say - 1,000 random domain names. The threat actor inputs the same data into the algorithm and generates the same 1,000 random domain names. He picks one of the 1,000 and registers it with an IP address.

The infected device queries a DNS server for all 1,000 domains. 999 of them return a non-existent domain (NXDOMAIN) response, meaning no IP address, but the one domain registered by the threat actor resolves to an IP address.

The infected device can now connect to the C&C server using the one “live” domain with an IP address.

With the connection, the threat actor can have a session with the infected device to provide new instructions, receive exfiltrated data, or update the malware with new configurations – perhaps even changing the location of the input seed.

The cycle starts again the next day between the infected device and the threat actor.
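The daily cycle described above, as an added example that is not part of the original article or of Damballa's products: a toy, hash-based DGA stands in for whatever algorithm real malware uses, a fake resolver plays the role of DNS, and a constructed resolver log feeds a defender-side check that flags clients whose NXDOMAIN share is unusually high, the one thing that survives when the registered domain itself changes every day. The seed string, host addresses, log format and thresholds are all assumptions made for the example.

```python
"""Toy domain-fluxing walk-through plus a defender-side NXDOMAIN-ratio check.

Added example, constructed for this article; not Damballa code. The DGA here is a
deliberately simple SHA-256 stand-in for the algorithms real malware families use.
"""
from __future__ import annotations

import hashlib
from collections import defaultdict


def generate_domains(seed: str, count: int = 1000, tld: str = ".com") -> list[str]:
    """Derive `count` domain names deterministically from a shared seed.

    Both the infected device and the threat actor run this with the same seed
    (e.g. a value fetched from a public web page that day) and get the same list.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{i}".encode()).hexdigest()
        # map 12 hex digits onto the letters a-p to form a plausible-looking label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(label + tld)
    return domains


def resolve(domain: str, registered: set[str]) -> str:
    """Stand-in for a DNS lookup: NOERROR if the actor registered it, else NXDOMAIN."""
    return "NOERROR" if domain in registered else "NXDOMAIN"


def rendezvous(seed: str, registered: set[str], count: int = 1000) -> str | None:
    """Victim side: query every candidate and return the first one that resolves."""
    for domain in generate_domains(seed, count):
        if resolve(domain, registered) == "NOERROR":
            return domain
    return None


def build_dns_log(seed: str, registered: set[str], count: int = 1000) -> list[str]:
    """Constructed resolver log with one infected host and one clean host.

    Line format (assumed): '<timestamp> <client_ip> <qname> <rcode>'.
    """
    lines = []
    for i, domain in enumerate(generate_domains(seed, count)):
        lines.append(f"2014-03-01T09:00:{i % 60:02d} 10.0.0.7 {domain} {resolve(domain, registered)}")
    for qname in ("www.example.com", "mail.example.com", "cdn.example.net", "typo.exmaple.com"):
        rcode = "NXDOMAIN" if qname.startswith("typo") else "NOERROR"  # one ordinary typo
        lines.append(f"2014-03-01T09:01:00 10.0.0.5 {qname} {rcode}")
    return lines


def find_dga_suspects(log_lines: list[str], min_queries: int = 100,
                      nx_ratio: float = 0.9) -> dict[str, tuple[int, int]]:
    """Flag clients whose share of NXDOMAIN answers is unusually high.

    A DGA client asks for hundreds of unregistered names and gets NXDOMAIN for
    all but one, so a high NX ratio across many queries is the signal, whatever
    the live domain happens to be today. Thresholds are assumed; tune them to
    the local baseline (ordinary typos produce a few NX answers, not hundreds).
    Returns {client_ip: (nxdomain_count, total_queries)}.
    """
    totals: dict[str, int] = defaultdict(int)
    nx: dict[str, int] = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the sweep
        _ts, client, _qname, rcode = parts
        totals[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    suspects = {}
    for client, total in totals.items():
        if total >= min_queries and nx[client] / total >= nx_ratio:
            suspects[client] = (nx[client], total)
    return suspects


if __name__ == "__main__":
    seed = "2014-03-01:front-page-headline"  # constructed seed value
    # actor side: same algorithm, same seed; registers just one of the candidates
    registered = {generate_domains(seed)[417]}
    print("live C&C domain found by victim:", rendezvous(seed, registered))
    print("suspect clients:", find_dga_suspects(build_dns_log(seed, registered)))
```

The two halves illustrate the asymmetry the article describes: the actor only needs to register one name per day, while the victim must burn through the whole candidate list, and that burst of NXDOMAIN answers is visible in resolver logs even though no blacklist could have contained the live domain in advance.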
