DNS is an integral part of how the internet works: it lets users and hosts use memorable DNS names rather than a website’s IP address to reach that website. Security people have nonetheless started looking seriously at this component of the network as a legitimate part of the security ecosystem. The fact is that the central role of DNS gives it distinctive visibility over every kind of network activity, which enables quick detection of both suspicious clients and suspicious domains. Its weakness stems from the Domain Name System’s architecture, which is open by design. Missing the opportunity to use your DNS to secure your network would therefore be a terrible mistake.
Quickly detect suspicious behaviors
When it is diverted from its primary function, DNS plays a major role at each stage of a compromise:
- First, it's a useful reconnaissance tool for gaining visibility over an internal network through zone transfer and DNS rebinding.
- It's also known as a powerful weapon for conducting Denial of Service attacks.
- It is an especially practical way of delivering a weaponized payload through phishing, domain squatting or domain hijacking attacks (Cisco's 2018 Annual Security Report states 60% of analyzed domains are associated with phishing attacks).
- For APTs, it's a critical component of most C&C platforms.
- Finally, it's the most insidious option for exfiltrating data from a secured network.
A Verisign 2018 report about the global domain name system industry finds that the Internet currently consists of over 350 million registered domain names. With 8 million new domains registered each year, that number is bound to grow rapidly. Among this huge number, most are legitimate, a lot are compromised, and many are registered specifically for malicious purposes. Detecting those domains and the associated traffic is a lot of work: it takes time, effort and serious skills. Subscribing to threat intelligence is a wise way to detect malicious traffic.
Prevent data theft through DNS
Most organizations are under constant surveillance by threat actors looking for gaps in their security posture. Among the associated vectors, DNS is regarded by cyber criminals as one of the most discreet options. As DNS traffic is rarely analyzed, and is difficult to analyze in real time with perimeter inspection solutions, most exfiltration attempts relying on DNS are successful.
The main issue is that standard security solutions such as next-gen firewalls and IPS offer very little when it comes to DNS traffic. Their visibility is limited to the recursive queries (between the client and the resolver) or the authoritative queries (between the resolver and the authoritative servers) that pass through them. They do not analyze the DNS transactions that occur deep inside the recursive DNS engine to get information on a client's behavior. As a result, they mainly focus on detecting well-known patterns and domains reported as malicious, once sufficient data has been collected. Consequently, they are unable to counter targeted exfiltration attempts.
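The per-client behavioral analysis described above, as an added example that is not part of the original article: it groups resolver query logs by client and parent domain and flags clients that send many distinct, long, high-entropy subdomains, without relying on a list of known-bad domains. The log entries, the thresholds and the two-label parent-domain rule are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed resolver query log of (client IP, queried name); not real traffic.
# The hex labels are SHA-256 prefixes standing in for encoded data.
SAMPLE_LOG = (
    [("10.0.0.5", "www.example.com"), ("10.0.0.5", "mail.example.com")]
    + [("10.0.0.7", f"host{i}.example.net") for i in range(15)]
    + [("10.0.0.9", hashlib.sha256(str(i).encode()).hexdigest()[:32] + ".t.example.org")
       for i in range(20)]
)

def shannon_entropy(text):
    """Bits per character of the empirical character distribution."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())

def split_name(qname):
    """Return (subdomain part, parent domain). Assumption: the parent is the
    last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def suspicious_clients(log, min_unique=10, min_len=20, min_entropy=3.0):
    """Flag (client, parent domain) pairs whose queries carry many distinct,
    long, high-entropy subdomains. Thresholds are illustrative assumptions."""
    seen = defaultdict(set)
    for client, qname in log:
        sub, parent = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)
    findings = []
    for (client, parent), subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_len >= min_len and avg_entropy >= min_entropy:
            findings.append((client, parent, len(subs)))
    return sorted(findings)

if __name__ == "__main__":
    for client, parent, count in suspicious_clients(SAMPLE_LOG):
        print(f"{client} sent {count} distinct high-entropy names under {parent}")
```

The busy but benign client 10.0.0.7 is not flagged because its many subdomains are short, which is why the three thresholds are combined rather than applied one at a time.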
Bringing holistic network security
There is no doubt that DNS is a critical component of the overall network security solution, both for recognizing unusual or malicious activity and for informing the broader security ecosystem. It complements traditional DLP solutions to keep DNS from being used as a back door for data theft, and it contributes to indicators of compromise and to fast remediation of infected devices by providing IP data, which helps locate those devices, to endpoint remediation solutions. All of this allows growing network risks to be addressed, protecting against the lateral movement of threats and making DNS a key component for achieving holistic network security.