It's time to think inside the box

Chris Marrison considers the importance of looking at security threats already inside the network - rather than just what's trying to get in.

Chris Marrison, consulting solutions architect, Infoblox

The Domain Name System (DNS), otherwise known as the address book of the internet, is a mission-critical part of infrastructure for all organisations and one which they cannot function without.

Undisputedly important, inherently vulnerable, and by and large inadequately protected by traditional cyber security solutions, DNS has become an attack vector of choice for many cyber-criminals.

When critical DNS services are compromised, organisations face potentially catastrophic system and network failure. The most common attacks – such as DNS-based Distributed Denial of Service (DDoS) attacks – target external, internet-facing DNS servers, the ones that support hosted websites, applications and email clients.

But once again, our mum's old mantra is right (though perhaps without knowing it in this case): It's really not just what's on the outside that counts!

Threats to DNS won't always come from outside an organisation's firewalls. Increasingly, cyber-criminals are manoeuvring around these external defences and launching targeted attacks from within, presenting risks to both an organisation's data and infrastructure.

A targeted attack, advanced persistent threat (APT) or an endpoint infected with malware, for example, could exploit DNS to communicate with command-and-control (C&C) servers. Or the threat may even come from within the organisation, with a malicious insider embedding data in DNS queries using DNS tunnelling techniques to steal sensitive information.

Insider threat

For a truly robust and comprehensive security posture, organisations must take steps to protect DNS from both external and internal threats. Don't be lulled into a false sense of security by the external protections of your traditional security tools. Internal infrastructure attacks can lead to business downtime, lower productivity and increased operational expenses.

DDoS attacks on internal DNS are currently on the rise, and like their external counterparts, these flood the servers, significantly diminishing their performance potentially to the point of failure. One recent DDoS attack on a large computer storage company's internal DNS resulted in its full outage and its employees being sent home for four hours.

Attacks on internal DNS may also be stealthier and more sophisticated, exhausting resources on recursive servers – the servers that resolve queries on behalf of internal clients. From a simple NXDOMAIN attack to a sophisticated DDoS attack coupled with botnets, chain reactions and misbehaving domains, attackers are using advanced techniques to bring down internal DNS through resource exhaustion, cache saturation and outbound bandwidth congestion. These types of attacks are also frequently used as a smokescreen for the real malicious activity.

Stop just thinking about what's going on outside the box

Whilst inherently vulnerable, DNS's unique position within the network means that it can also be employed as the enforcement point for protection against and in response to attacks.

An effective internal DNS security solution will not only help prevent malware and APTs from exploiting DNS, stop the exfiltration of data through this vector, and protect it from aggressive attacks, but it will do so without needing to change the organisation's network architecture.

With an up-to-date threat intelligence feed of known malicious destinations, an internal DNS security solution can continuously monitor for, detect and drop DNS attacks, whether it be DNS DDoS, cache poisoning or DNS tunnelling.

For example, employing DNS response policy zones (RPZs) on internal DNS to run in conjunction with threat intelligence will allow a DNS appliance to intercept DNS queries associated with known APTs and malware. This effectively chokes the threat by disrupting communication with external C&C servers and botnets.
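The RPZ mechanism described above, as an added illustration rather than Infoblox's or BIND's own code: a minimal parser for an RPZ zone listing (the owner name minus the policy-zone suffix is the trigger, the CNAME target encodes the action) and the closest-match lookup a resolver applies to each query name. The zone name `rpz.local.`, the records and the `sinkhole.internal.` walled-garden target are constructed for the example.

```python
# RPZ-style QNAME policy lookup, as done by BIND response policy zones.
# Added illustration with constructed zone data; not Infoblox or BIND code.
RPZ_ZONE = "rpz.local."  # hypothetical name of the local policy zone

# Constructed RPZ zone listing: owner name minus the zone suffix is the trigger,
# the CNAME target encodes the action the resolver should take.
RPZ_RECORDS = """
c2.evil.example.rpz.local.      CNAME .                   ; NXDOMAIN
*.evil.example.rpz.local.       CNAME .                   ; whole domain
beacon.bad.example.rpz.local.   CNAME *.                  ; NODATA
*.bad.example.rpz.local.        CNAME rpz-drop.           ; drop silently
update.bad.example.rpz.local.   CNAME rpz-passthru.       ; allow-list override
loader.mal.example.rpz.local.   CNAME sinkhole.internal.  ; walled garden
"""

# Special CNAME targets defined by the RPZ format; anything else is a rewrite.
ACTIONS = {".": "NXDOMAIN", "*.": "NODATA",
           "rpz-drop.": "DROP", "rpz-passthru.": "PASSTHRU"}


def parse_rpz(text, zone=RPZ_ZONE):
    """Return {trigger: action} from a minimal RPZ zone listing."""
    policy = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        owner, rtype, target = line.split()[:3]
        if rtype != "CNAME" or not owner.lower().endswith("." + zone):
            continue
        trigger = owner[:-len(zone) - 1].lower()  # strip ".rpz.local."
        policy[trigger] = ACTIONS.get(target, "CNAME " + target)
    return policy


def lookup(policy, qname):
    """Closest-match lookup: the exact name wins, then the nearest wildcard."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # *.evil.example, *.example, ...
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return "PASSTHRU"  # no trigger matched: resolve normally
```

Note that the exact-name entry for `update.bad.example` overrides the `*.bad.example` wildcard, which is how an allow-list exception is expressed in a policy zone.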

An internal solution should also detect and prevent the exfiltration of sensitive data via DNS tunnelling. By establishing query thresholds, the solution will detect unusually large UDP/TCP queries and responses, especially when they are repeated within a specific timeframe, hampering DNS tunnelling attempts.
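The threshold approach described above, as an added example that is not Infoblox's detection logic: each query-log line is checked for an oversized name or response, and a per-client sliding window raises an alert once too many such queries arrive within the timeframe. The log format, the thresholds and the sample lines (including the `exfil.example` domain) are constructed for the example.

```python
# Threshold-based DNS tunnelling detector over constructed query-log lines.
# Added example; the log format and thresholds are assumptions, not Infoblox's.
from collections import defaultdict, deque

# Constructed log lines: "<epoch> <client> <qtype> <qname> <response_bytes>"
SAMPLE_LOG = """\
1000 10.0.0.5 A www.example.com 80
1001 10.0.0.5 A mail.example.com 96
1002 10.0.0.9 TXT 4a6f686e2064617461.3a2f2f.t.exfil.example 512
1003 10.0.0.9 TXT 2c6c2aaa1f9b7d01.0b1c2d.t.exfil.example 540
1004 10.0.0.9 A 9d8e7f6a0b1c2d3e4f50.aa.t.exfil.example 60
1005 10.0.0.9 TXT c0ffee00deadbeef.cafe.t.exfil.example 525
1090 10.0.0.9 TXT 0000000011111111.2222.t.exfil.example 520
"""

LONG_QNAME = 30       # characters; encoded payloads inflate the query name
LARGE_RESPONSE = 256  # bytes; TXT/NULL answers carrying data downstream
WINDOW = 60           # seconds of history kept per client
MAX_HITS = 3          # large queries tolerated per client per window


def is_large(qname, resp_bytes):
    """A query counts if either the name or the response is oversized."""
    return len(qname) >= LONG_QNAME or resp_bytes >= LARGE_RESPONSE


def detect_tunnelling(log):
    """Return {client: epoch_of_first_alert} for clients over the threshold."""
    hits = defaultdict(deque)  # client -> timestamps of large queries in window
    alerts = {}
    for line in log.splitlines():
        ts, client, _qtype, qname, size = line.split()
        ts, size = int(ts), int(size)
        if not is_large(qname, size):
            continue
        window = hits[client]
        window.append(ts)
        while window and ts - window[0] > WINDOW:  # expire old entries
            window.popleft()
        if len(window) > MAX_HITS and client not in alerts:
            alerts[client] = ts
    return alerts
```

The 1004 line trips the name-length check despite a small response, so a tunnel that only sends data upstream is still counted; the 1090 line falls outside the window and on its own would not re-trigger.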

It will also cut the connection to any C&C servers, fracturing their ability to exfiltrate data by standard network protocols, reducing infections and preventing malware from breeding inside the network.

DNS is too critical a piece of network architecture to be left vulnerable. Coupled with the fact that it has been inadequately protected in the past, it is unsurprising that it has become a highly popular target for attacks.

Organisations must look inside the box and start defending their DNS from both internal and external threats. By claiming back control of their DNS, companies can convert it from a vulnerability into a great security strength.

Contributed by Chris Marrison, consulting solutions architect, Infoblox.