Using DNS as part of your cyber-security strategy

The domain name system, or DNS, is a mission-critical tier one asset sitting in the core of all organisations, and without which IT networks and services are unable to function. The address book of the internet, DNS lies at the heart of every organisation's IT network, translating domain names into numerical machine-readable Internet Protocol (IP) addresses.


Invented more than 30 years ago, DNS has continually evolved to become a core component of today's internet which, unfortunately, has resulted in it becoming one of the most attractive attack vectors for hackers and cyber-criminals seeking to wreak havoc across an organisation's IT infrastructure. By way of illustration, more than three quarters of businesses recently reported two or more different types of threats to their data over the past 12 months, with DNS-based attacks such as ransomware, DDoS and data exfiltration among the most common.

However, DNS can fit into and complement an organisation's cyber security strategy in a number of different ways.

Enhancing controls and DDoS defence

For one, DNS can enhance the capabilities of other security controls. Should an indicator of compromise be identified by a DNS firewall, for example, then not only can it be blocked, but an alert can be sent to the organisation's vulnerability scanner, enabling it to scan that particular endpoint at the moment the traffic in question occurred.

Likewise, an alert can be sent from an organisation's DNS platform to its SIEM and another to its network access control (NAC) provider who can then immediately quarantine the device in question. Such closed-loop automation is a safe and positive step for most businesses, particularly when there are more events coming into SIEMs and threat intelligence platforms than they're able to cope with.

While DNS won't – and shouldn't – be the only part of an organisation's strategy for mitigating DDoS attacks, it is important that a public-facing DNS platform has the ability to defend itself. To avoid being overloaded and overburdened by the noise of a DDoS attack, the platform should have the ability to distinguish between good and bad traffic.

In a reflection attack, for example, the traffic out can be larger in terms of bandwidth than the traffic in. If the DNS server tries to respond to the influx of DDoS queries during such an attack, it can often just exacerbate the problem. We need to make sure the DNS platform is intelligent enough to observe this situation and drop the bad traffic.

Exfiltration and NODs

DNS is often used for data exfiltration. With the EU GDPR due to come into force in May, bringing with it potential fines of up to €20 million, protecting data privacy has probably never been higher on a CIO's agenda.

One of the most basic ways of getting around security defences and leaking data out of an organisation is to simply take a malicious domain and send DNS queries to it in plain sight. Sometimes, however, something this basic can be easy to miss: so much time is spent looking for large, complex chains encoded in DNS packets that simpler attempts just slip through.

It's important, therefore, that organisations use all of the detection methods available to them – signature, reputation and behaviour – to make sure they're picking up even the most basic of exfiltration attempts.
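As an added example that is not part of the original article, the following Python script applies the three methods named above (signature, reputation and behaviour) to a handful of constructed DNS query log lines, so that the quiet, plain-sight query to a known bad domain is flagged alongside the long encoded one. The blocklist, log entries, thresholds and the crude registered-domain helper are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

BLOCKLIST = {"bad-dropbox.example"}  # constructed reputation feed (DNS firewall / NOD list)

SAMPLE_LOG = [  # constructed resolver log: (client_ip, queried_name)
    ("10.0.0.5", "www.example.org"),              # benign
    ("10.0.0.5", "mail.example.org"),             # benign
    ("10.0.0.7", "invoice.bad-dropbox.example"),  # plain sight: short label, bad domain
    ("10.0.0.9", "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.tunnel.example"),  # encoded
    ("10.0.0.11", "a.chunks.example"),            # many distinct names, harmless labels
    ("10.0.0.11", "b.chunks.example"),
    ("10.0.0.11", "c.chunks.example"),
    ("10.0.0.11", "d.chunks.example"),
]

def registered_domain(name):
    """Crude eTLD+1: last two labels (assumes no multi-label public suffixes)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def shannon_entropy(s):
    """Bits per character of a label; encoded payloads score high."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def signature_hit(name, max_label=30, min_entropy=3.5):
    """Signature: leading label is long and high-entropy, i.e. data encoded in a query."""
    label = name.split(".")[0]
    return len(label) > max_label and shannon_entropy(label) > min_entropy

def reputation_hit(name):
    """Reputation: the registered domain is on the blocklist, however innocent the label."""
    return registered_domain(name) in BLOCKLIST

def analyse(log, unique_names_threshold=4):
    """Run all three methods; return {client_ip: set of methods that fired}."""
    findings = defaultdict(set)
    names_per_domain = defaultdict(set)
    for client, name in log:
        if reputation_hit(name):
            findings[client].add("reputation")
        if signature_hit(name):
            findings[client].add("signature")
        names_per_domain[(client, registered_domain(name))].add(name)
    # Behaviour: one client asking for many distinct names under a single domain is
    # a chunked transfer even when every individual label looks harmless.
    for (client, _domain), names in names_per_domain.items():
        if len(names) >= unique_names_threshold:
            findings[client].add("behaviour")
    return dict(findings)
```

Feeding real resolver logs into `analyse` would need a proper public-suffix list and thresholds tuned against the organisation's own baseline; the values here are only chosen to make the three cases separate cleanly.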

Finally, DNS can enable an organisation to be pro-active in its security stance, using newly observed domains (NODs) to get ahead of the problem. After all, a domain must be created before it can be weaponised. NODs can be fed into existing security controls such as IDS or firewalls, or into DNS servers as part of a DNS firewall feed. An organisation can then block a phishing domain before its campaign starts, for example, or prevent communication to C2 domains before they become widely known.

DNS is inherently vulnerable. However, when correctly implemented on hardened appliances and securely managed, it can also be an organisation's best weapon in securing its networks. Detecting malware, helping to prevent and disrupt command and control communication, ransomware and phishing attacks, or being part of a data loss prevention programme – DNS can help with all of this and more, and should be fully leveraged as part of an organisation's security controls and processes.

Contributed by Gary Cox, technology director, Western Europe, Infoblox

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.