Finding the malware needle in the DNS haystack

When it comes to malware, finding known threats is one thing. Pinpointing unknown threats is a whole different matter, like searching blind for a needle in a haystack.

It's an impossible task, maybe, until someone hands you a magnet.

HP, touting itself as the magnet-inventor, debuted a tool at its HP Protect event earlier this month aimed at better identifying new malware threats.

"HP's crack naming team" made the tool's functionality eminently clear, joked Mike Armistead, vice president and general manager of HP Enterprise Security Products, ArcSight.

"DNS. Malware. Analytics," Armistead said. "It uses analytics to find malware from the domain name server event stream."

HP's DNS Malware Analytics (DMA) processes the torrent of outbound DNS traffic an organization produces every day to identify those moments when newly-planted (or long-dormant) malware "calls home," Armistead explained.

It's a big job, and one the Homeland Security Department has been working toward for some time.

Einstein, the DHS security engine, has long relied on prior knowledge to spot threats: Threat signatures must be loaded into its system before it recognizes similar malware across federal networks.

Current DHS officials told FCW that the department is in the preliminary stages of testing and proving a DNS traffic monitoring solution within Einstein – but wants to take the time to make sure it gets it right.

Chris Cummiskey, DHS's acting undersecretary for management until this past November, noted that effective security requires a "whole stack of technology," and said that DHS has long wanted to add outbound DNS traffic monitoring to Einstein's capabilities.

"It certainly has to be a part of the equation," he said, noting that with the Office of Personnel Management breach, hackers were essentially "packing suitcases of data and moving it out for exfiltration over time." Perhaps outbound traffic monitoring, or better analysis of anomalous behaviors in OPM's systems, could have caught the intrusion earlier, he said.

HP, however, pledges that such improved analysis is already there.

"In all of the cases of breaches we see with the government, it's a new derivative, it's something new that was placed there that that [a malware detecting] client can't see," said Rob Roy, HP's federal CTO. "What can see it? The traffic that's going in and out."

When it comes to DNS traffic, Roy and others noted that 99 percent of it is benign and expected.

DMA exists to "hone in on the 1 percent of [DNS] traffic that is potentially bad and identify infected hosts," said Sue Barsamian, HP's security SVP.

"If I could show you where the needle was, you wouldn't need to look through the hay," Roy said, going back to the age-old analogy. "You're not picking [the haystack] apart by hand, but maybe using a magnet. That's the DNS Malware application."

Identifying, analyzing and quickly blocking outbound communication in the 1 percent of potentially malicious instances is key, as it could enable organizations to shut down previously unknown malware threats.

One of the biggest obstacles, of course, has been scale: Any sizable organization produces enormous amounts of DNS traffic. But HP, producer of 25 billion events per day on its own networks, said it's ready.

"We did it to ourselves and we have one of the largest networks on the planet," Roy said.

DMA became available Sept. 15, with commercial pricing starting at $80,000 annually to analyze up to 5 million DNS packets per day.

About the Author

Zach Noble is a staff writer covering digital citizen services, workforce issues and a range of civilian federal agencies.

Before joining FCW in 2015, Noble served as assistant editor at the viral news site TheBlaze, where he wrote a mix of business, political and breaking news stories and managed weekend news coverage. He has also written for online and print publications including The Washington Free Beacon, The Santa Barbara News-Press, The Federalist and Washington Technology.

Noble is a graduate of Saint Vincent College, where he studied English, economics and mathematics.

Click here for previous articles by Noble, or connect with him on Twitter: @thezachnoble.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.