Finding the malware needle in the DNS haystack

When it comes to malware, finding known threats is one thing. Pinpointing unknown threats is a whole different matter, like searching blind for a needle in a haystack.

It's an impossible task, maybe, until someone hands you a magnet.

HP, touting itself as the magnet-inventor, debuted a tool at its HP Protect event earlier this month aimed at better identifying new malware threats.

"HP's crack naming team" made the tool's functionality eminently clear, joked Mike Armistead, vice president and general manager of HP Enterprise Security Products, ArcSight.

"DNS. Malware. Analytics," Armistead said. "It uses analytics to find malware from the domain name server event stream."

HP's DNS Malware Analytics (DMA) processes the torrent of outbound DNS traffic an organization produces every day to identify those moments when newly-planted (or long-dormant) malware "calls home," Armistead explained.

It's a big job, and one the Homeland Security Department has been working toward for some time.

Einstein, the DHS security engine, has long relied on prior knowledge to spot threats: Threat signatures must be loaded into its system before it recognizes similar malware across federal networks.

Current DHS officials told FCW that the department is in the preliminary stages of testing and proving a DNS traffic monitoring solution within Einstein – but wants to take the time to make sure it gets it right.

Chris Cummiskey, DHS's acting undersecretary for management until this past November, noted that effective security requires a "whole stack of technology," and said that DHS has long wanted to add outbound DNS traffic monitoring to Einstein's capabilities.

"It certainly has to be a part of the equation," he said, noting that with the Office of Personnel Management breach, hackers were essentially "packing suitcases of data and moving it out for exfiltration over time." Perhaps outbound traffic monitoring, or better analysis of anomalous behaviors in OPM's systems, could have caught the intrusion earlier, he said.

HP, however, pledges that such improved analysis is already there.

"In all of the cases of breaches we see with the government, it's a new derivative, it's something new that was placed there that that [a malware detecting] client can't see," said Rob Roy, HP's federal CTO. "What can see it? The traffic that's going in and out."

When it comes to DNS traffic, Roy and others noted that 99 percent of it is benign and expected.

DMA exists to "hone in on the 1 percent of [DNS] traffic that is potentially bad and identify infected hosts," said Sue Barsamian, HP's security SVP.

"If I could show you where the needle was, you wouldn't need to look through the hay," Roy said, going back to the age-old analogy. "You're not picking [the haystack] apart by hand, but maybe using a magnet. That's the DNS Malware application."

Identifying, analyzing and quickly blocking outbound communication in the 1 percent of potentially malicious instances is key, as it could enable organizations to shut down previously unknown malware threats.

One of the biggest obstacles, of course, has been scale: Any sizable organization produces enormous amounts of DNS traffic. But HP, producer of 25 billion events per day on its own networks, said it's ready.

"We did it to ourselves and we have one of the largest networks on the planet," Roy said.

DMA became available Sept. 15, with commercial pricing starting at $80,000 annually to analyze up to 5 million DNS packets per day.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Cybersecurity
    malware detection (Alexander Yakimov/

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.