Posted December 14, 2015
By A.J. Shipley
A recent discovery by BugSec Group and Cynet (http://www.bugsec.com/news/firestorm/) identified a severe vulnerability in several next-generation and application-aware firewalls. The vulnerability, code-named FireStorm, allows internal network hosts that have been infected with malware to “interact and extract data out of the organization, completely bypassing the firewall”.
I am a strong advocate of multiple layers of security, including firewalls and other network security appliances, to protect an organization or ISP. Even so, FireStorm is a reminder that advanced next-generation firewalls (NGFWs) cannot stop sophisticated threat actors 100% of the time. Other security solutions that are now emerging can, however, prevent the data exfiltration that this type of vulnerability enables.
FireStorm works by “forging messages and tunneling them out to a command and control (C2) server during the TCP handshake process, bypassing the firewall to any destination on the Internet, regardless of firewall rules and client restrictions.” An application-aware firewall needs to see application-layer data before it can classify a connection, so it lets the TCP three-way handshake complete before it enforces application policy. Anything the malware encodes into those handshake packets therefore leaves the network before any policy decision is made, and that is the window through which data is exfiltrated.
There is a way to close that dangerous gap. What if the compromised host was never allowed to contact the C2 server to begin with? Even better, what if the compromised host didn’t even know how to contact the C2 server? The infected host or malicious software would never have the opportunity to establish a connection that data could be exfiltrated over.
That is exactly how a DNS firewall, placed between an internal network host and the organization's recursive DNS server, protects an organization from malware, spear-phishing, and unauthorized data exfiltration. Almost all connections over the Internet begin with a DNS resolution request from the client for the IP address of the server it is trying to reach. A DNS firewall, like LookingGlass DNS Defender® (https://www.lookingglasscyber.com/products/threat-mitigation/dns-defender/), intercepts the DNS request in which a compromised host asks for the C2 server's IP address and either blocks the request or redirects it to an internal sinkhole or other safe location. The infected host never receives the IP address it needs to contact the C2 server, so the TCP handshake never begins and there is no connection for FireStorm to tunnel data through. Two caveats apply in practice: the protection covers only C2 servers the malware reaches by name, not ones it contacts by a hard-coded IP address, and it only works if hosts cannot reach outside resolvers directly, so outbound DNS must be restricted to the internal recursive server that sits behind the DNS firewall.
Furthermore, by integrating a DNS firewall, like DNS Defender, with machine readable threat intelligence (MRTI) like that delivered from LookingGlass ScoutVision (https://www.lookingglasscyber.com/products/threat-intelligence-management/scoutvision/) or Cyveillance Phishing & Malicious URL data feeds (https://www.cyveillance.com/home/security-solutions/data/), the DNS firewall is constantly kept up to date with the latest malicious domains and IP addresses of the advanced persistent threats (APTs) and botnet C2 servers controlling the infected hosts and malware resident on corporate networks.
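To make the mechanism in the two paragraphs above concrete, here is an added example of the policy step a DNS firewall performs on each query: it parses the question in a DNS packet, matches the queried name (and its parent domains) against indicators loaded from a threat-intelligence feed, and synthesizes the response the client will see, either NXDOMAIN (block) or an A record pointing at an internal sinkhole (redirect). Names not on the list are passed through for normal forwarding to the recursive resolver. This is illustrative code written for this post, not DNS Defender's or ScoutVision's implementation; the feed format, the domains in it and the sinkhole address 10.0.0.53 are all assumptions.

```python
"""Minimal DNS firewall policy engine (added example, not a vendor's code).

Wire format follows RFC 1035. The threat feed below is constructed for the
example; real machine-readable threat intelligence feeds use their own
formats (STIX, CSV, RPZ zones, ...), so load_feed() is the part you would
replace when wiring in a real source.
"""
import struct
import ipaddress

SINKHOLE_IP = "10.0.0.53"  # assumed address of an internal sinkhole host

# Constructed feed: one "indicator<TAB>action" per line.
THREAT_FEED = """\
c2.bad-domain.example\tsinkhole
phish-login.example\tblock
"""


def load_feed(text):
    """Return {domain: action} from the constructed feed format."""
    policy = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, action = line.split("\t")
        policy[name.lower().rstrip(".")] = action
    return policy


def lookup_policy(policy, qname):
    """Match qname and every parent domain; the most specific entry wins."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in policy:
            return policy[candidate]
    return None


def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard recursive query packet (used to construct inputs)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1
    question = b"".join(bytes([len(l)]) + l.encode("ascii")
                        for l in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", qtype, 1)  # terminator, QTYPE, IN
    return header + question


def parse_question(packet):
    """Return (txid, qname, qtype, qclass, end_offset) of a query packet."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    labels, offset = [], 12
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return txid, ".".join(labels), qtype, qclass, offset + 4


def apply_policy(packet, policy):
    """Return (action, response). response is None when the query is forwarded."""
    txid, qname, qtype, qclass, end = parse_question(packet)
    action = lookup_policy(policy, qname)
    question = packet[12:end]  # echo the question section unchanged
    if action is None:
        return "forward", None
    if action == "block":
        # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): the host learns no address at all
        header = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0)
        return "block", header + question
    if action == "sinkhole":
        # Only A/IN queries get the sinkhole address; other types get an
        # empty NOERROR answer so the client cannot learn the real address.
        answers = 1 if (qtype, qclass) == (1, 1) else 0
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, answers, 0, 0)
        answer = b""
        if answers:
            # NAME is a pointer (0xC00C) to the question name at offset 12
            answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
            answer += ipaddress.IPv4Address(SINKHOLE_IP).packed
        return "sinkhole", header + question + answer
    raise ValueError(f"unknown feed action {action!r}")


if __name__ == "__main__":
    policy = load_feed(THREAT_FEED)
    for name in ("www.example.com", "beacon.c2.bad-domain.example",
                 "phish-login.example"):
        action, resp = apply_policy(build_query(name), policy)
        print(f"{name:32} -> {action} ({len(resp) if resp else 0} bytes)")
```

The parent-domain walk in lookup_policy is what makes a single feed entry for c2.bad-domain.example also catch beacon.c2.bad-domain.example, which matters because malware routinely rotates subdomains. The other half of a production DNS firewall, filtering responses whose answer records point at IP addresses on the feed, follows the same pattern on the reply path and is not shown here.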
The LookingGlass Dynamic Threat Defense 1.0 (https://www.lookingglasscyber.com/solutions/dynamic-threat-defense/) solution stops malware outbreaks, spear phishing attacks, and drive by downloads by combining machine readable threat intelligence (MRTI) from LookingGlass ScoutVision™ with LookingGlass DNS Defender®, a protocol-specific firewall, delivered as an integrated network security solution.
So far, nobody has found a foolproof way to keep malware off our devices and networks, but that is no reason to stop deploying anti-virus solutions. Similarly, NGFWs and intrusion prevention and detection systems (IPS/IDS) cannot protect an organization 100% of the time. In the case of FireStorm, a DNS firewall integrated with machine-readable threat intelligence closes a gap that exists in many organizations' security posture. It also enhances the investments already made in solutions like NGFWs and IPS/IDS: traffic to known-malicious destinations never reaches them, freeing their limited resources for the inspection they do best.