Finding the malware needle in the DNS haystack

When it comes to malware, finding known threats is one thing. Pinpointing unknown threats is a whole different matter, like searching blind for a needle in a haystack.

It's an impossible task, maybe, until someone hands you a magnet.

HP, touting itself as the magnet-inventor, debuted a tool at its HP Protect event earlier this month aimed at better identifying new malware threats.

"HP's crack naming team" made the tool's functionality eminently clear, joked Mike Armistead, vice president and general manager of HP Enterprise Security Products, ArcSight.

"DNS. Malware. Analytics," Armistead said. "It uses analytics to find malware from the domain name server event stream."

HP's DNS Malware Analytics (DMA) processes the torrent of outbound DNS traffic an organization produces every day to identify those moments when newly-planted (or long-dormant) malware "calls home," Armistead explained.

It's a big job, and one the Homeland Security Department has been working toward for some time.

Einstein, the DHS security engine, has long relied on prior knowledge to spot threats: Threat signatures must be loaded into its system before it recognizes similar malware across federal networks.

Current DHS officials told FCW that the department is in the preliminary stages of testing and proving a DNS traffic monitoring solution within Einstein – but wants to take the time to make sure it gets it right.

Chris Cummiskey, DHS's acting undersecretary for management until this past November, noted that effective security requires a "whole stack of technology," and said that DHS has long wanted to add outbound DNS traffic monitoring to Einstein's capabilities.

"It certainly has to be a part of the equation," he said, noting that with the Office of Personnel Management breach, hackers were essentially "packing suitcases of data and moving it out for exfiltration over time." Perhaps outbound traffic monitoring, or better analysis of anomalous behaviors in OPM's systems, could have caught the intrusion earlier, he said.

HP, however, pledges that such improved analysis is already there.

"In all of the cases of breaches we see with the government, it's a new derivative, it's something new that was placed there that that [a malware detecting] client can't see," said Rob Roy, HP's federal CTO. "What can see it? The traffic that's going in and out."

When it comes to DNS traffic, Roy and others noted that 99 percent of it is benign and expected.

DMA exists to "hone in on the 1 percent of [DNS] traffic that is potentially bad and identify infected hosts," said Sue Barsamian, HP's security SVP.

"If I could show you where the needle was, you wouldn't need to look through the hay," Roy said, going back to the age-old analogy. "You're not picking [the haystack] apart by hand, but maybe using a magnet. That's the DNS Malware application."

Identifying, analyzing and quickly blocking outbound communication in the 1 percent of potentially malicious instances is key, as it could enable organizations to shut down previously unknown malware threats.

One of the biggest obstacles, of course, has been scale: Any sizable organization produces enormous amounts of DNS traffic. But HP, producer of 25 billion events per day on its own networks, said it's ready.

"We did it to ourselves and we have one of the largest networks on the planet," Roy said.

DMA became available Sept. 15, with commercial pricing starting at $80,000 annually to analyze up to 5 million DNS packets per day.