Machine learning has moved enterprise security forward, giving defenders visibility inside the network so they can better understand user behavior. However, malicious actors are using what is done with machine learning on the inside in order to attack the perimeter.
Specifically, these types of attacks include DNS tunneling, attaching to Tor networks, and sending rogue authentication requests to directory services. Tom Gorup, security operations leader for Rook Security, said that in addition to these threats, "In general what we are seeing across the board is phishing, from wire fraud to distribution of malware. Generally we’re seeing scans they're attempting to exploit."
Even though DNS tunneling is not as prominent as it used to be, attackers trust that most people aren’t monitoring their DNS, which "enables a hacker to bypass proxy servers and firewalls that protect internal data from attack," said Gorup.
Attaching to Tor networks is also becoming more and more painful for blue teams, as it is more expensive to defend the environment. Gorup said, "If you don’t see that initial packet, everything else just looks like SSL traffic. Some malware does use Tor, and when it does, it’s definitely difficult. Depends on how much effort the attacker wants to put into it."
Another threat that requires consistent monitoring is sending authentication requests. "Authentication to directory services enables hackers to learn more about servers on the network, including naming, users, and passwords," said Gorup.
Barry Shteiman, threat research director from Exabeam, said, "When looking at machines, they need to look at the machine's behavior without the requirement of someone actively doing something on it."
From a security standpoint, it's difficult to detect because when a person interacts with a machine, that’s a human user doing something to that machine. "Even if a machine does something right or wrong, there’s always a human service that initiates that activity," Shteiman said.
Most often, in a machine that has been breached, it's difficult to discern exactly what happened. "DNS tunneling is a classic threat," said Shteiman. "Someone installs some piece of software on a machine that starts exfiltrating data through a protocol that is used between the server and an IP address."
What hackers came to understand is that DNS is robust. "It includes meta information. Because there are free text fields or hardly a limitation on the length of a domain name, there is room there to input free text. Hackers started to manipulate DNS to exfiltrate data by taking a file and breaking it into chunks, then reconnecting to a file outside of the network," said Shteiman.
Since DNS is a required protocol, these are legitimate things to see happen from a security or network monitoring standpoint. Nothing looks weird. "The machine has the DNS stack that it’s using. The service is on the machine itself. It requires no human interaction. It's common to see these things on closed networks," Shteiman said.
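As an added illustration of the monitoring gap described above (it is not part of the original article), here is a small Python check that scores DNS query logs for the chunked-label pattern Shteiman describes: many distinct, long, random-looking leftmost labels from one client to one base domain. The log lines, domain names and thresholds are constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (time, client, queried name, type); not real traffic.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 static-assets-01.example.com A
10:00:03 10.0.0.7 qz4k8ma2vp7x1ec9.c1.exfil-demo.test TXT
10:00:03 10.0.0.7 t3hw6nb0yj5ru9fd.c2.exfil-demo.test TXT
10:00:04 10.0.0.7 l1ks7og2ai4cxm8v.c3.exfil-demo.test TXT
10:00:04 10.0.0.7 p9ez5bt3nw0hqy6u.c4.exfil-demo.test TXT
10:00:05 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data chunks score high, ordinary hostnames score low."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (sufficient for this sample)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text: str):
    """Each line is '<time> <client> <qname> <qtype>' (assumed log format)."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def score_domains(records, min_len=12, min_entropy=3.0, min_chunks=3):
    """Group queries by (client, base domain); report groups with many distinct
    leftmost labels that are long and high-entropy, i.e. that look like data chunks."""
    groups = defaultdict(set)
    for _time, client, qname, _qtype in records:
        first = qname.split(".")[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            groups[(client, base_domain(qname))].add(first)
    return {k: len(v) for k, v in groups.items() if len(v) >= min_chunks}

if __name__ == "__main__":
    for (client, domain), chunks in score_domains(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {chunks} distinct encoded-looking labels")
```

The thresholds are starting points: legitimate CDN and anti-spam lookups also produce long labels, so in practice the counts are baselined per network before alerting.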