Empowering Global Enterprise Business Cloud Service and Security Management

Filtering for DNS Layer Anomalies

The DNS layer is one of the least secured parts of many networks: DNS packets are rarely inspected by security controls and pass easily through ports that are left open.

How a ransomware attack unfolds over a span of a few hours:

  • A client navigates to a site and unknowingly downloads a weaponized file; the whole download appears invisible to the user.
  • The file launches an event that establishes an exploitation framework on the affected network. The malicious software then moves laterally to other computers on the network.
  • It encrypts all business-critical data, but not before it has transported those files back to the attacker's network over DNS tunnels. The data is then used for leverage or sold on the dark net.

Signs of attacks:

  • Newly seen domains appearing in your network
  • Newly staged attacker infrastructure
  • Domain co-occurrences
  • Algorithm-generated domains
  • Anomalous DNS tunneling

Known DNS layer threats:

  • Emotet, a trojan/loader leveraged in Conti ransomware
  • RedLine Stealer
  • MAGNAT backdoor (mapped in MITRE ATT&CK)

Prevention:

  • Configure your DNS resolver to flag domains by age and enforce a 24-hour vesting period before users can connect to them.

Proactive measures:

  • Constant monitoring and filtering of your service-level data against an established baseline to detect signs of attack.
  • Established policies that restrict data movement during the vesting period.
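
The signs of attack listed above (newly seen domains, algorithm-generated domains, DNS tunneling) and the 24-hour vesting rule under Prevention can be turned into a simple triage pass over resolver logs. The following is an added example, not code from the original page or its vendor; the entropy and length thresholds, the naive eTLD+1 split, the first-seen table and the query records are all constructed assumptions for illustration.

```python
import math
from collections import Counter
from datetime import datetime, timedelta

VESTING = timedelta(hours=24)  # vesting window taken from the page's prevention note
DGA_MIN_LEN, DGA_ENTROPY, TUNNEL_MIN_LEN, TUNNEL_ENTROPY = 12, 3.5, 30, 4.0  # assumed; tune to your baseline

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registrable(qname: str) -> str:
    """Naive eTLD+1 (last two labels); production code should use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def vesting_decision(domain: str, first_seen: dict, now: datetime) -> str:
    """Resolver policy: 'hold' a domain until it has been seen for VESTING, else 'allow'."""
    seen = first_seen.get(domain)
    return "allow" if seen is not None and now - seen >= VESTING else "hold"

def triage(records, first_seen: dict, now: datetime) -> dict:
    """records: (timestamp, client, qname, qtype). Returns {qname: [reasons]} for hits only."""
    findings = {}
    for _ts, _client, qname, _qtype in records:
        labels = qname.rstrip(".").split(".")
        reasons = []
        if vesting_decision(registrable(qname), first_seen, now) == "hold":
            reasons.append("newly-seen")
        sld = labels[-2] if len(labels) >= 2 else labels[0]
        if len(sld) >= DGA_MIN_LEN and shannon_entropy(sld) > DGA_ENTROPY:
            reasons.append("dga-like")
        sub = ".".join(labels[:-2])  # everything left of the registrable domain
        if len(sub) > TUNNEL_MIN_LEN and shannon_entropy(sub) > TUNNEL_ENTROPY:
            reasons.append("tunnel-like")
        if reasons:
            findings[qname] = reasons
    return findings

# Constructed resolver first-seen table and query log (not real traffic).
NOW = datetime(2024, 5, 1, 12, 0)
FIRST_SEEN = {"example.com": NOW - timedelta(days=30),
              "relay.example": NOW - timedelta(days=10),
              "fresh-deals.com": NOW - timedelta(hours=2)}
RECORDS = [
    (NOW, "10.0.0.5", "www.example.com", "A"),                                   # vested, benign
    (NOW, "10.0.0.7", "xk2q9vb7mzp4rt.net", "A"),                                # never seen, random label
    (NOW, "10.0.0.9", "k3v9xq2mzf7bwp4hj8nt6dy5gc1rs0ul.relay.example", "TXT"),  # long encoded subdomain
    (NOW, "10.0.0.5", "news.fresh-deals.com", "A"),                              # seen 2h ago, still vesting
]
```

Run `triage(RECORDS, FIRST_SEEN, NOW)` to see which constructed queries trip which signal; only the vested, ordinary `www.example.com` lookup passes clean.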