Finding the malware needle in the DNS haystack

When it comes to malware, finding known threats is one thing. Pinpointing unknown threats is a whole different matter, like searching blind for a needle in a haystack.

It's an impossible task, maybe, until someone hands you a magnet.

HP, touting itself as the magnet-inventor, debuted a tool at its HP Protect event earlier this month aimed at better identifying new malware threats.

"HP's crack naming team" made the tool's functionality eminently clear, joked Mike Armistead, vice president and general manager of HP Enterprise Security Products, ArcSight.

"DNS. Malware. Analytics," Armistead said. "It uses analytics to find malware from the domain name server event stream."

HP's DNS Malware Analytics (DMA) processes the torrent of outbound DNS traffic an organization produces every day to identify those moments when newly-planted (or long-dormant) malware "calls home," Armistead explained.

It's a big job, and one the Homeland Security Department has been working toward for some time.

Einstein, the DHS security engine, has long relied on prior knowledge to spot threats: Threat signatures must be loaded into its system before it recognizes similar malware across federal networks.

Current DHS officials told FCW that the department is in the preliminary stages of testing and proving a DNS traffic monitoring solution within Einstein – but wants to take the time to make sure it gets it right.

Chris Cummiskey, DHS's acting undersecretary for management until this past November, noted that effective security requires a "whole stack of technology," and said that DHS has long wanted to add outbound DNS traffic monitoring to Einstein's capabilities.

"It certainly has to be a part of the equation," he said, noting that with the Office of Personnel Management breach, hackers were essentially "packing suitcases of data and moving it out for exfiltration over time." Perhaps outbound traffic monitoring, or better analysis of anomalous behaviors in OPM's systems, could have caught the intrusion earlier, he said.

HP, however, pledges that such improved analysis is already there.

"In all of the cases of breaches we see with the government, it's a new derivative, it's something new that was placed there that that [a malware detecting] client can't see," said Rob Roy, HP's federal CTO. "What can see it? The traffic that's going in and out."

When it comes to DNS traffic, Roy and others noted that 99 percent of it is benign and expected.

DMA exists to "hone in on the 1 percent of [DNS] traffic that is potentially bad and identify infected hosts," said Sue Barsamian, HP's security SVP.

"If I could show you where the needle was, you wouldn't need to look through the hay," Roy said, going back to the age-old analogy. "You're not picking [the haystack] apart by hand, but maybe using a magnet. That's the DNS Malware application."

Identifying, analyzing and quickly blocking outbound communication in the 1 percent of potentially malicious instances is key, as it could enable organizations to shut down previously unknown malware threats.

One of the biggest obstacles, of course, has been scale: Any sizable organization produces enormous amounts of DNS traffic. But HP, producer of 25 billion events per day on its own networks, said it's ready.

"We did it to ourselves and we have one of the largest networks on the planet," Roy said.

DMA became available Sept. 15, with commercial pricing starting at $80,000 annually to analyze up to 5 million DNS packets per day.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.