During my hour long commute this morning into work, I was listening to a news story regarding the archaic South Korean belief that North Korean's have horns. While this is not something most adults believe, I found one guest speaker's account compelling, in that he believed all the way until his high school years that North Korean people had horns on their head. This made me think about the way information is provided in today's day-and-age. Years of misinformation and censorship can lead people to believe something as ridiculous as a race of horned people. So I began to think of Domain Fronting and how it can be used to bypass the virtual locks on our information.
So, onto the good technical stuff. What is Domain Fronting? It is a technique in which a user utilizes a proxy server, where a redirection occurs, to bypass firewall and filtering limitations to ultimately gain access to the blocked resource.
Typically when you request a website, your Internet traffic travels through your ISP and then to your intended destination. Your computer must first receive the resolved IP address from a DNS server before it can reach out to your intended destination, and it does this through a third party or your ISP. In the case where your ISP does decide to block your traffic, your progress is halted and you will not make it to the intended destination. With domain fronting, you submit an https request to a self-owned proxy server hosted within a common domain like Google or Amazon. Since the Censor cannot realistically block your traffic to the domain without causing mass collateral damage to business and the economy, the traffic will flow without hindrance.
A Domain Fronted web request involves an HTTPS request with an allowed domain name in the request header that will resolve. The actual URL requested is contained in the HTTP body which is encrypted until it reaches its destination. Once the request hits the redirection server, it is forwarded to the real destination and then returned via HTTPS.
In the realm of cyber security, hackers use this technique to capture data from an individual's computer to send back to their own data repository. They can set up specific "hidden" datastores in areas of the "Darkweb" that are only available through encrypted connections like the TOR-connected network. Then, through system level commands, they gather information on the user's computer and communicate it back via Domain Fronted to their TOR-connected datastore. The Russian-based APT29 hackers (Cozy Bear) used this technique to set up a data tunnel between the attacked computer and their own, sending requests for information to the attacked computer that appeared to come from legitimate traffic sources.
During the most recent US Election, APT29 and APT28 (CozyBear and FancyBear) both utilized sophisticated hacking campaigns consisting of Spear Phishing, device exploits, and domain fronted networks to hack the DNC and gather a ton of sensitive data to include: schedules, phone numbers, emails and organizational secrets. This breach was severely devastating to the DNC's campaign, imagine the cost a similar hack would have on your business.
Ultimately there is a good and a bad side to everything, and this is no different. While liberating for some, it also provides a clear path for exploitation for those individuals who want to utilize the anonymity it provides to harm others. Tor, Lantern and Psiphon circumvention systems are extremely popular, and their transports now connect thousands of users daily transferring many terabytes of data per month. It is also important to note that this process does not stop the Information Security Manager from noticing the "odd behavior" of his computer/server/personnel and implementing proper safeguards and response measures to help prevent or eliminate this from occurring. Often sophisticated hacking events like this occur with a lapse in security at the personnel level with social engineering campaigns like spear phishing. A solid physical defense established by a well-trained organization will help mitigate the risk your business may have when targeted by hackers with malevolent intent.
keywords: cyber awareness training, cyber security awareness, security training, offensive security, human firewall