Nearly Half of Enterprise Networks Show Evidence of DNS Tunneling, According to Infoblox Security Assessments
Santa Clara, Calif. -
Infoblox Inc. (NYSE:BLOX), the network control company, today announced results of the Infoblox Security Assessment Report for the second quarter of 2016, which finds that 40 percent—nearly half—of files tested by Infoblox show evidence of DNS tunneling, a significant security threat that can indicate active malware or ongoing data exfiltration within an organization’s network.
Infoblox, an industry leader in securing Domain Name System (DNS) infrastructure, offers free security assessments to customers and prospective customers, identifying outbound DNS queries inside an organization’s network that are attempting to reach known malicious or suspicious Internet locations (hostname). External threat data from these evaluations is anonymized and aggregated to produce the Infoblox Security Assessment Report.
In the second quarter of 2016, 559 files capturing DNS traffic were uploaded to Infoblox for assessment, coming from 248 customers across a wide range of industries and geographies. Infoblox found 66 percent of the files showed evidence of suspicious DNS activity.
One indicator that stands out in the second quarter report is the prevalence of DNS tunneling. Cybercriminals know that DNS is a well-established and trusted protocol, and have figured out that many organizations do not examine their DNS traffic for malicious activity.
DNS tunneling enables these cybercriminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls. While there are quasi-legitimate uses of DNS tunneling, many instances of tunneling are malicious. There are also several off-the-shelf tunneling toolkits readily available on the Internet, so hackers don’t always need technical sophistication to mount DNS tunneling attacks. At the same time, DNS tunneling is often part of very sophisticated attacks, including those sponsored or directly managed by nation states. For example, the recently uncovered Project Sauron—a particularly advanced threat that is considered likely to have been sponsored by a government—uses DNS tunneling for data exfiltration.
“In the physical world, burglars will go to the back door when you’ve reinforced and locked the front door. When you then secure the back door, they’ll climb in through a window,” said Rod Rasmussen, vice president of cybersecurity at Infoblox. “Cybersecurity is much the same. The widespread evidence of DNS tunneling uncovered by the Infoblox Security Assessment Report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organizations can’t be fully secure unless they have tools in place to discover and prevent DNS tunneling.”
Among the specific security threats uncovered by Infoblox during the second quarter, ranked by percentage, are:
- Protocol anomalies – 48%
- DNS tunneling – 40%
- Botnets – 35%
- Amplification and reflection traffic – 17%
- Distributed denial of service (DDoS) traffic – 14%
- Ransomware – 13%
“While these threats are serious, DNS can also be a powerful security enforcement point within the network,’ said Rasmussen. “When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers.”
Infoblox delivers Actionable Network Intelligence through advanced technologies that analyze DNS traffic to help prevent data exfiltration; disrupt advanced persistent threat (APT) and malware communications; and provide context around attacks and infections on the network. More information on Infoblox security solutions is available at www.infoblox.com/security.
The full Infoblox Security Assessment Report for the second quarter of 2016 is available at www.infoblox.com/resources/report/infoblox-security-assessment-report-2016-q2.pdf. Organizations seeking a free Infoblox security assessment should visit www.infoblox.com/free-malware-report.
Infoblox (NYSE:BLOX) delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. As the industry leader in DNS, DHCP, and IP address management, the category known as DDI, Infoblox (www.infoblox.com) provides control and security from the core—empowering thousands of organizations to increase efficiency and visibility, reduce risk, and improve customer experience.
Forward-looking and Cautionary Statements—Infoblox
Certain statements in this release are forward-looking statements, which involve a number of risks and uncertainties that could cause actual results to differ materially from those in such forward-looking statements. As such, this release is subject to the safe harbors created by U.S. Federal Securities Laws. The risks and uncertainties relating to these statements include, but are not limited to, risks that there may be design flaws in the company’s products, shifts in customer demand and the IT services market in general, shifts in strategic relationships, delays in the ability to deliver products, or announcements by competitors. These and other risks may be detailed from time to time in Infoblox’s periodic reports filed with the Securities and Exchange Commission, copies of which may be obtained from www.sec.gov. Infoblox is under no obligation to (and expressly disclaims any such obligation to) update or alter its forward-looking statements whether as a result of new information, future events, or otherwise.