DNS Security – The Forgotten Lynchpin

Share

 

So it’s all happening in the cloud. Wholesale adoption of cloud services is now a business imperative as the opportunities and benefits of SaaS become ever clearer.

Here are some numbers though that tell us not only what’s happening but also some concerns that we need to have at the forefront of our minds.

  • 82% of mobile workers admit they always turn off their VPN
  • 15% of command and control threats evades web security
  • 60% of attackers penetrate an organisation in minutes and steal data in hours
  • 100 days is the average detection time for an attack
  • 100% of networks interact with malware sites
  • 92% of attacks make use of DNS

Clearly, there is a wide range of threats that organisations need to address in crafting and implementing an effective approach to cyber security. One area that has and is receiving very little attention is the area of DNS.

DNS is the most ubiquitous protocol on the Internet and is deployed in literally every connection that takes place whether surfing a website, watching youtube videos or accessing corporate cloud applications. This ubiquitous use of DNS means that it is also involved in some very undesirable connections to sites like malware sites, known bad sites, command and control centres etc. Other attacks have involved data exfiltration in packets disguised as DNS.

The fact that DNS is involved in around 92% of web attacks strongly suggests that it is an area that is worthy of further efforts in the fight against cyber attacks. DNS is one of those protocols that just works in the background like a utility and as long as resolution is working then no one pays attention to it. DNS is a lynch pin, if it doesn’t work then most applications will stop working and the IT services will grind to a halt. It is vital therefore that DNS gets more prominence and is monitored and secured to ensure continued running of services.

 

Tackling DNS Security 

DNS should be elevated from a connectivity item to a network security component vital to the operation of the organisations IT. DNS monitoring and the implementation of an active security policy that cannot be circumvented by staff can have untold security benefits. Such an approach could be used to block malware and phishing attacks in real time as opposed to after the event. Also, the use of DNS to resolve requests for known malware sites could also prevent attacks before they happen. The DNS controls could hold a regularly updated list of known malware sites and block devices from accessing these sites. Active monitoring could also provide valuable information about whose machine has been compromised and where they are connecting from.

DNS monitoring can also provide a baseline of what normal behaviour looks like for your organisation. Anomalous behaviour is, therefore, easier to detect and acted on. A number of high profiles sites such as Tesla, that have been hacked could have been prevented if the DNS records were being monitored and these organisations were then able to detect and block changes to their DNS records.

Visibility of who is connecting to what site is also a great benefit of DNS monitoring. The explosive growth of IoT devices poses significant threats if they are not properly secured. DNS security could play a vital role by enforcing policy e.g. if the CCTV network should be blocked from Internet access, DNS security controls could prevent these devices being used as a backdoor that could be used for malware propagation or data exfiltration.

Failing to monitor and control DNS is a lost opportunity not only to secure your organisation’s network but also to gain visibility into who is doing what.