DNS is the most ubiquitous protocol on the Internet and is deployed in literally every connection that takes place whether surfing a website, watching YouTube videos or accessing corporate cloud applications. This ubiquitous use of DNS means that it is also involved in some very undesirable connections to sites like malware sites, known bad sites, command and control centres etc. Other attacks have involved data exfiltration in packets disguised as DNS.
The fact that DNS is involved in around 92% of web attacks strongly suggests that it is an area that is worthy of further efforts in the fight against cyber-attacks. DNS is one of those protocols that just works in the background like a utility and as long as resolution is working then no one pays attention to it.
DNS is a lynch pin, if it doesn’t work then most applications will stop working and the IT services will grind to a halt. It is vital therefore that DNS gets more prominence and is monitored and secured to ensure continued running of services. It has a pivotal role in getting us connected to literally any service we need to access, whether via email, web or a bespoke application.
Here are some numbers though that tell us not only what’s happening but also some concerns that we need to have at the forefront of our minds:
Clearly, there is a wide range of threats that organisations need to address in crafting and implementing an effective approach to cyber security. One area that has and is receiving very little attention is the area of DNS.
DNS monitoring and the implementation of an active security policy that cannot be circumvented by staff can have untold security benefits. Such an approach could be used to block malware and phishing attacks in real time as opposed to after the event. Also, the use of DNS to resolve requests for known malware sites could also prevent attacks before they happen.
The DNS controls could hold a regularly updated list of known malware sites and block devices from accessing these sites. Active monitoring could also provide valuable information about whose machine has been compromised and where they are connecting from.
DNS monitoring can also provide a baseline of what normal behaviour looks like for your organisation. Anomalous behaviour is, therefore, easier to detect and acted on. A number of high profiles sites such as Tesla, that have been hacked could have been prevented if the DNS records were being monitored and these organisations were then able to detect and block changes to their DNS records.
Visibility of who is connecting to what site is also a great benefit of DNS monitoring. The explosive growth of IoT devices poses significant threats if they are not properly secured. DNS security could play a vital role by enforcing policy e.g. if the CCTV network should be blocked from Internet access, DNS security controls could prevent these devices being used as a backdoor that could be used for malware propagation or data exfiltration.
Failing to monitor and control DNS is a lost opportunity not only to secure your organisation’s network but also to gain visibility into who is doing what.
An important service in addition to the above is the ability to query domains and file hashes from a central intelligence platform that has up to the minute data on the bad domains so that your security incident response team has the ability to conduct intelligent investigations independently of any infections. For instance if you keep doing a DNS query for a site in Russia and you don’t have any business relationship in Russia, that’s something that you should query.
Adoption of cloud based technology and the proliferation of remote working is driving a new approach to security that needs to be omnipresent providing the highest practical levels of cyber security for the user, the network and the data.
The decentralised nature of organisations due to remote working and the increasing importance of branch offices is another security challenge organisations are facing. Mobile devices such as laptops are the primary devices where user changes could compromise security. Around 80% of remote workers disable their VPNs when they browse the web.
Therefore, a DNS based security mechanism can help to maintain the security posture where these remote workers able to still make use of this form of protection even when they disable their VPNs. DNS security can protect any device including IoT, guest devices and roaming clients.
Security analysts such as Gartner and IDC have a new security term that is relevant to this emerging security environment and have coined it the Security Internet Gateway. The principle function of the Secure Internet Gateway is to secure the cloud environment in the same way that we secure the on-premises environment.
Implementing a security platform in the cloud will break the limitations and constraints of centralised solutions. The security must be flexible in line with user access, virtualised to deliver security wherever it is needed and extend beyond just securing web protocols such as http and https.
Most security vendors now offer cloud based security solutions and in many instances what they have done is taken a conventional security component such as Anti-Virus or Web Proxy services and deployed it in the cloud. While this may be a good start, a range of other technologies need also to be included in the security stack deployed to protect users and data.
When users connect to the web they must immediately undergo inspection and policy enforcement to ensure their connection is being done in a secure manner. These may include but not limited to;
Clearly no single solution can provide all of these components, but a Secure Internet Gateway correctly specified could go a long way to providing many of these security measures. Secure DNS must be a major component of the functionality of Secure gateway because of its ability to stop a large swathe of attacks before they reach the user or the data.
An effective DNS security protection control can have the ability to identify the endpoints attempting the malware connection and therefore feed into the clean-up and mitigation plan.
Analysis has shown that most ransomware does a DNS call back, ransomware payment notification also uses DNS. The ability therefore to block a malware connection via DNS security at one or another step of the malware execution process can therefore prove to be the most effective way to implement malware protection.
DNS security can act as a form of perimeter security where the perimeter is pushed back to the source of the cyber threat. So the threat is initially blocked at the source or its point of origin. How this works is that the DNS points to a secure DNS service with up to date threat domain intelligence and machine learning that discovers and protects against emerging threats. Remember that 100% of organisations interact with known malware domains. Securing DNS will instantly block these connections as they are requested, as well as blocking future domains that have been identified as malware hosts.
Correct implementation of DNS security could make it the first line of defence even before a connection is established by checking the DNS request and blocking bad sites. This will help the IT teams by freeing them up from a large number of alerts that would be generated if the malware had been downloaded.
If a previously infected device connects to the network or service, secure DNS will block the command and control call back to the malware domain and notify the security team.
This level of security is highly scalable in that it can be provided for an individual roaming client, a branch site or the organisation’s principle location.
Another useful feature is the ability to track normal behaviour for your organisation in terms of the rate and volume of requests over time. Anomalous behaviour can then be detected by comparing significant changes in normal behaviour.
A secure DNS solution will also provide detailed information about the malware domain such as IP addresses, associated domains and attacks associated with these domains. A robust, secure DNS solution could also provide a data feed into other security components in the organisation, thus sharing security updates that can be actioned elsewhere in the security stack.