In a presentation at DEF CON 24, Paul Vixie, one of the founders of the Internet Software Consortium, talked about the ways in which domain names are being abused and the data science of looking for patterns. When we met up with him in July, just before the hacking event, he told us about some of his ongoing domain name system (DNS) research.
"First, the domain name was sort of sampled. There were queries to see if it existed, and we see these queries because they are all over the network; and some period of time later, some of those domain names get registered," he explained.
This may be just "domainers" -- advertisers who, because the names are next to others, are trying to grab typo errors and go "halves," noted Vixie. It sometimes leads to spam or is irritating, but it is usually not malicious enough for companies to pay to avoid it.
But to the extent that these patterns are malicious, company names can be predicted, Vixie said. "You can predict the creation of a negative name by only looking at the negative results, and this tells you what [would happen] if it didn't exist, so this is doing science using our data as a primary source."
After an early stint at Digital Equipment Corp., Vixie focused primarily on the dynamics of the internet through his work at several companies, nonprofits and groundbreaking projects, such as the widely used Berkeley Internet Name Domain (BIND) server. Now the founder and CEO of Farsight Security, he leads a team developing DNS-related security services built on data waterfall techniques. We asked Vixie about the technology behind the DNS services and his take on the internet challenges that enterprises face as top executives home in on digital transformation and security.
Can you provide a little background on the company and why it is developing these DNS services now?
Farsight has been independent of its corporate origin for three years now. And in that time, we have continued to develop the technology that we started with before the management buyout, and the flagship of that has always been a database which is called DNSDB. And while that has a lot of acceptance in the market -- we even have some competitors now -- the foundation has always been the real-time framework that underlies the database. So we have continued to enhance the real-time aspect -- the various feeds and filtering and the real-time event grabbing that we can do that is all happening through the substrate of the company's exchange that makes the database possible and makes various real-time feeds possible. So, in one way, we are moving from primarily a data-at-rest portfolio to a combined data-at-rest and data-in-motion portfolio.
Technically, how are you accomplishing that?
The real-time substrate that I spoke of is called the Security Information Exchange, and it was originally built to be a real-time multichannel fabric for sharing either one-to-many or many-to-many events. We are not file based and not database based, and we have no data legs in that sense. What we have is a data waterfall. When we wish to add a new type of feed, then it is a matter of figuring out what we are already doing and where we can most advantageously tap into the real-time data as it streams through our infrastructure, and then [we] simply divert it and add a couple of more waterfall stages in order to create whatever new product it is that we are shooting for.
So far, we've proven this to work with the newly observed domain feed that we launched a couple of years ago, and now we are adding new ways to take advantage of our global filter without necessarily having to connect directly to our network and, essentially, drink from the fire hose.
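The two ideas above, names being sampled (NXDOMAIN) before they are registered, and a streaming "waterfall" stage that emits an event the moment a name is newly observed, can be shown in a few lines. This is an added example, not Farsight's or Vixie's code; the records, field names and thresholds are constructed for illustration.

```python
"""Added example (not Farsight's code): one streaming waterfall stage that reads
passive-DNS observations in a single pass, keeps no database, and alerts the first
time a name answers NOERROR, reporting how often it was probed while absent."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Iterator

@dataclass(frozen=True)
class Observation:
    ts: int       # seconds since epoch (constructed sample values)
    qname: str    # queried name as seen on the wire
    rcode: str    # "NXDOMAIN" (name does not exist) or "NOERROR"

@dataclass(frozen=True)
class Alert:
    qname: str
    first_seen_ts: int     # when the name first resolved
    probes_before: int     # NXDOMAIN answers seen before it resolved
    lead_seconds: int      # first probe to first positive answer (0 if none)

def newly_observed(stream: Iterable[Observation]) -> Iterator[Alert]:
    """Yield one Alert per name, at the moment it turns from absent to live."""
    probes = defaultdict(int)   # name -> NXDOMAIN count while still absent
    first_probe = {}            # name -> ts of first NXDOMAIN answer
    live = set()                # names already seen resolving
    for obs in stream:
        name = obs.qname.rstrip(".").lower()   # normalise case and trailing dot
        if name in live:
            continue            # only the first positive answer matters
        if obs.rcode == "NXDOMAIN":
            probes[name] += 1
            first_probe.setdefault(name, obs.ts)
        elif obs.rcode == "NOERROR":
            live.add(name)
            lead = obs.ts - first_probe[name] if name in first_probe else 0
            yield Alert(name, obs.ts, probes[name], lead)

# Constructed sample: one name is probed twice before it starts resolving.
SAMPLE = [
    Observation(100, "login-examplebank.test.", "NXDOMAIN"),
    Observation(160, "Login-ExampleBank.test", "NXDOMAIN"),
    Observation(400, "news.example", "NOERROR"),            # new name, no probes
    Observation(900, "login-examplebank.test", "NOERROR"),  # alert: 2 prior probes
    Observation(950, "login-examplebank.test", "NOERROR"),  # already live, no alert
    Observation(990, "still-absent.test", "NXDOMAIN"),      # never resolves
]

def run_sample() -> list:
    return list(newly_observed(SAMPLE))
```

A downstream stage would rank alerts by `probes_before` and `lead_seconds`: a name that was queried repeatedly before it existed is the pattern the interview describes, while a name with no prior probes is an ordinary newly observed domain.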
When you look at enterprises today, what are some of the attack trends and DNS issues that CISOs and senior security management should be aware of?
Attacks against the enterprise are getting more targeted. We are not just seeing the low-hanging events, like doing a simple port scan and attacking whatever they can break into. That is still happening, but that is not 100% of the attack flow. There is a certain amount of surveillance; if they were burglars, we would say they were casing the joint before they try and break in.
So that has led to a lot of very specific attacks involving some enterprises' staff or relationships among the staff or enterprise resources such as their domain names, their IP address blocks. That change is leading to a defense where companies are no longer feeling that they are able to outsource their own defense, pay some services company to come in and install a bunch of firewalls and monitor them for us, please. That is still happening, but that is not the growth trend.
The trend now is that these companies are building their own security operations center, [regardless of their size]. They are buying not just holes but also shovels. In other words, they are doing in-house integration. They are even commissioning custom tools; sometimes, they are hiring toolmakers rather than security operators.
And this all flows from the fact that the attacks are no longer a general condition; they are specific against that enterprise. And risk management, when you are targeted, requires a lot more thought at the executive-team level. Management has to get into deciding what the company's risk posture is going to be.
I have always assumed that the domain was the final frontier. Companies had security postures that involved either outsourcing or data lakes -- and the idea with data lakes was to wait until the stored information shows a pattern that you can do something about; then you learn rapid turnaround and take down bad guys' assets, for example, in 10 minutes. Bad guys are going to figure out how to get their whole job done in five minutes, so we are going to have a race to the bottom in terms of [a] time window -- between when the attack is constructed and executed and when you have to have defended against it -- or else your defense will have no operable impact on your outcome. So we live in the here; we live in the now. Our technology is designed to let somebody operate in the sub-minute time frame once they are ready to make the investment in data waterfalls instead of data lakes.
When you say you're able to see illicit use of brand names and DNS assets in real time, how quickly are you passing that information along to an enterprise?
Well, at the moment, our alerts could be delayed by almost 30 seconds in some cases. We have a team working on pulling that delay out because I think 30 seconds is an ocean of time from the bad guys' point of view. But that is just an artifact of some of the choices that we made early on with the company. We are working on that.
Is the primary role to alert the companies to the anomalies or do you offer any type of incident response or advisory services based on what you are seeing?
We are currently not in the incident response or take-down segments. We certainly do offer advice, but that would more often come in the form of training than it would in incident response.
For these types of DNS services, what are the resources that are required in terms of staff and technology?
Well, that is very flexible. Someone will get maximum value from these new DNS services if they have already invested in some SIEM [security information and event management] or some kind of orchestration product. So if they have Splunk or they have ArcSight or they have something that has a plug-in interface that we can talk to, then they will already have the framework that they need to say, 'Oh, it's another data source, and this is how we determine availability, and this is what we do when we get an alert from that service.' If you don't have that workflow and you have not made an investment, then we will still have a way to deliver alerts to you using what I would call lower-echelon methods, like email, syslog or something like that.
One of the things that we often hear about SIEM and some other complex installations is that people are not using that technology to the fullest, and one of the issues is a lack of tuning and resources to run these systems. Is that something that you have come across?
It is not just SIEMs. I think a lot of companies that are worried about risk management in the internet field are making investments where they don't necessarily understand that a capital investment has got to be backed up by some staff or some management from the exec team. So we do see some orphaned security operations centers that have been well-equipped with modern tools but are then without the necessary training or staffing to actually tune things and make that investment attractive. That is not what we usually see, but we see it often enough to be worried about it.
Do you attribute some of that to boards becoming aware of information security and requiring more justification in terms of the funding? They want to see results quickly, and if they don't, there are some resource issues related to that.
Boards are primarily fiduciary in nature, and [I think] that they are by and large going to worry about whatever the industry segment worries about. It is very difficult to be an independent board member coming in and saying, 'Hey, there is this whole other thing that is happening out there that you need to be focusing some resources on,' even though no one else in this industry is doing so. That is just the limitation of the job because this is the structure of the fiduciary body.
That having been said, the investment that you are describing is happening. For example: banks. I guess 20 or 30 years ago, the culture of the banks was to say, 'Hey, we are a money company; we have a whole bunch of financial instruments and cash and all these vaults all over the place, and that is what we have to protect. But we are primarily a money company, and we happen to have an IT function that helps us do our money-based job for our customers.' And that's changing: These companies are beginning to see themselves as IT companies who happen to have some vaults, and they are beginning to make sure the C-level team -- not just the CTO or the CIO, but the whole C-level team -- has a certain level of IT background so that they can swim in the new waters.