Why it is important to protect the DNS layer to combat cybercrime

For the past few years, domain name system (DNS) attacks have emerged as one of the most common and dangerous cyber security threats facing businesses. Research by EfficientIP found that 79% of companies were hit by a DNS attack last year, costing them an average of $924,000 (£782,000).

As businesses continue to digitally transform and the interconnected ecosystem they depend on expands, these attacks will become more frequent and more dangerous. So it is vital that companies take action to protect the DNS layer: doing so will help them identify, mitigate and prevent cyber attacks. But where should they start?

Experts fear that despite the rising number of DNS attacks, many companies have ignored the problem and failed to take appropriate measures to protect themselves. Jake Moore, security specialist at ESET, says: “DNS-based cyber attacks are very common, but despite this, DNS gateways are often left unprotected. The DNS layer of the network is always running, so it is often overlooked.

“To make matters worse, some security executives wave some DNS traffic through with a white flag, leaving the door open for malicious actors to walk straight in unnoticed.”

As cybercriminals launch more sophisticated DNS attacks, poorly prepared businesses suffer a major setback and struggle to respond effectively when targeted. “As attackers develop their tactics, businesses fail to fully understand the risks, and that lack of awareness means DNS security is not prioritised,” Moore says. “DNS is important for business and service continuity, which naturally makes it a target for threat actors.

“Furthermore, when a business’s DNS gateway is attacked, companies could see entire operations shut down as a result of the downtime, losing even more money. If the DNS is flooded by a DDoS [distributed denial of service] attack, companies will struggle to keep business going as usual.”

But what should companies do to prevent and mitigate these attacks? Moore says analysing each user’s behaviour can give a good picture of what is happening and help businesses identify threats, as most network traffic passes through DNS. “Such threats need to be closely monitored, which could lead to a successful zero-trust strategy,” he says.

Major effects

When left unsecured, DNS servers can have devastating consequences for the businesses that fall victim to an attack. Terry Bishop, solutions architect at RiskIQ, says: “Malicious actors consistently look for weak links in a target’s environment. A vulnerable DNS server, considering the different directions an attack could take once it is compromised, will definitely be considered a high-value target.

“At RiskIQ, we find that most companies are unaware of about 30% of their external-facing assets. These could be websites, mail servers, remote gateways and more. If any of these systems are not inventoried, monitored or managed, it provides an opportunity for compromise and further exploitation, whether against the company’s own assets or other valuable infrastructure such as DNS servers, depending on the attacker’s motives and the specifics of the breached environment.”

Kevin Curran, senior member of the Institute of Electrical and Electronics Engineers (IEEE) and professor of internet security at the University of Ulster, agrees that DNS attacks are highly destructive. In fact, he claims that an improperly functioning DNS layer would effectively break the internet.

“If the domain name system fails, all the website names that people type fail to resolve to their IP addresses – this is the only way the internet can actually route our requests – and we do not have a functioning internet,” says Curran. “Of course, if people can remember the IP address of a site, they can type that instead, but it is not a realistic view.”

However, there are different protocols that can help mitigate DNS security risks, he says. “Two major updates to DNS are DNS over TLS [DoT] and DNS over HTTPS [DoH]. Both of these standards encrypt plain-text DNS traffic to prevent malicious parties, advertisers and ISPs from intercepting data.”

Curran adds: “DoT uses the same security protocol HTTPS uses to encrypt and authenticate websites. It adds TLS encryption on top of the User Datagram Protocol [UDP]. This ensures that DNS requests and responses are not modified or forged through on-path attacks. DoH uses encryption as well, but DNS messages are sent using the HTTP or HTTP/2 protocols. DoH traffic looks like normal HTTPS traffic when examined with a packet analyser.”

However, Curran says there is debate about which is the better method. “Some argue that DoT is better from a network security standpoint because network administrators can monitor and block DNS queries that look like malicious traffic,” he says. “However, DoH queries are hidden in regular HTTPS traffic, so you can’t easily block them without blocking other HTTPS traffic too. DoH offers more privacy, however, which is important to many people, as DNS queries are hidden within HTTPS traffic.”

Preparing for DNS attacks

When it comes to detecting and mitigating cyber attacks, the DNS layer provides a great deal of insight. Mark Fieldhouse, general manager for Europe, the Middle East and Africa (EMEA) at NS1, says: “Integrating DNS with monitoring and reporting systems provides visibility into usage and network traffic, so that companies can easily observe DNS configuration changes and shifts in traffic patterns, revealing key indicators of compromise. DNS can also provide geofencing to prevent sites from receiving traffic from suspicious countries, regions or domains.

“Deploying an always-on, redundant DNS network ensures resilience and reduces the impact of attacks by steering traffic around compromised resources to prevent downtime. Enabling DNSSEC protects the integrity of DNS by digitally signing and verifying records, which ensures that users do not receive fake information planted by attackers.”

Fieldhouse says DNS, DHCP and IP address management (DDI) is critical to a zero-trust approach. “DNS can direct traffic seamlessly and, depending on specific criteria, protect the company’s data from threats,” he says. “DDI solutions integrate with most of the applications that companies use to operate, which ensures consistent control.

“External DNS requires security just like the internal network”

Mark Fieldhouse, NS1

“While zero trust guards against internal data breaches, DNS attacks are destructive, so it is important to note that securing external DNS is just as important as securing the internal network.”

Venu Vissamsetty, vice-president of security research at Attivo Networks, suggests a layered security approach that includes DNS monitoring and filtering, endpoint protection, endpoint data concealment and access controls. He says this can be very effective in combating ransomware attacks.

“After the initial infection, ransomware performs DNS lookups to communicate with C&C [command and control] servers and download more payloads,” says Vissamsetty. “DNS filtering and blocking may stop ransomware attacks at an early payload stage. Targeted attacks can evade DNS filtering, so it is recommended to have zero-trust data access restrictions to prevent and minimise the impact of ransomware.”

New techniques being developed for DNS

Steve Forbes, government cyber security expert at Nominet, says businesses can use DNS as an excellent cyber security tool as digital transformation increases. He says that every communication between a company’s network and the wider world is logged in DNS traffic.

“This means that if an attacker gains access, the connection between the malware and the command and control centre, for example, is likely to be in that DNS traffic,” Forbes says. “With advances in AI [artificial intelligence] and machine learning – which can detect patterns in the source, destination and characteristics of network traffic – it has become easier to detect this malicious traffic at an earlier stage than before.

“It gives security teams early warning indicators and time to deal effectively with any attack, reducing the time it takes to remediate a threat.”

Forbes says the use of new techniques for DNS can help businesses identify normal behaviour in a network, as well as the unusual or suspicious behaviour that could indicate a cyber attack.

“Companies can use information from their DNS servers to detect new attacks”

John Graham-Cumming, Cloudflare

“This leads to preventing malicious actors from gaining access and highlighting insider threats, while at the same time reducing the number of false positives and the workload that security staff have to process,” he says. “Finally, because DNS covers a company’s entire network, it scales well and will protect you as digital transformation expands your attack surface.”

John Graham-Cumming, CTO of Cloudflare, says there are many things businesses can do when it comes to DNS-based security. “First, you need to protect the DNS infrastructure from basic attacks like DDoS, which can be used against anything on the internet,” he says. “Then you need to make sure that the DNS servers are kept up to date, just like any other software. Once these are in place, companies can use the information from their DNS servers to detect new attacks.

“By feeding corporate DNS log data into an analytics tool, it is possible to detect abnormal behaviour that indicates malware on a corporate device. And by providing the DNS server that every corporate device uses, it is possible, at the DNS level, to control which internet resources a user or machine can access and to block well-known malware or phishing sites.”
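The two controls described by Vissamsetty (DNS filtering against known-bad domains) and Graham-Cumming (feeding resolver logs into analytics to spot abnormal behaviour) can be sketched in a few dozen lines. This is an added example, not code from the article or from any of the companies quoted; the log format, the blocklist and the thresholds are all assumptions, and the log lines are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query log (not from the article): "<ts> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 www.example.com NOERROR
2024-05-01T09:00:03 10.0.0.7 known-bad.test NOERROR
2024-05-01T09:00:04 10.0.0.9 kq3x9v2p1.example.org NXDOMAIN
2024-05-01T09:00:05 10.0.0.9 zt8wq0lmn.example.org NXDOMAIN
2024-05-01T09:00:06 10.0.0.9 p7r2yc5hh.example.org NXDOMAIN
2024-05-01T09:00:07 10.0.0.9 a1b2c3d4e5.example.org NXDOMAIN
2024-05-01T09:00:08 10.0.0.11 4a6f8e2c1b9d7f3e5a0c2b4d6e8f1a3c5b7d9e.tunnel.test NOERROR
"""
BLOCKLIST = {"known-bad.test"}  # hypothetical list of known malware/phishing domains
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
def parse_log(text):
    """Parse lines into (ts, client, qname, rcode); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m[1], m[2], m[3].lower().rstrip("."), m[4]))
    return records
def shannon_entropy(s):
    """Bits per character; random-looking labels (DGA, tunnelling) score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0
def filter_blocked(records, blocklist):
    """DNS-level filtering: split records by whether the name or any parent domain is listed."""
    allowed, blocked = [], []
    for rec in records:
        labels = rec[2].split(".")
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        (blocked if parents & blocklist else allowed).append(rec)
    return allowed, blocked
def flag_anomalies(records, nx_threshold=4, entropy_threshold=3.5, min_label_len=30):
    """Per-client behavioural checks: NXDOMAIN bursts and long high-entropy labels."""
    nxdomain, findings = defaultdict(int), defaultdict(list)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= entropy_threshold:
            findings[client].append(f"high-entropy long label: {qname}")
    for client, n in nxdomain.items():
        if n >= nx_threshold:
            findings[client].append(f"{n} NXDOMAIN responses (possible DGA)")
    return dict(findings)
```

The NXDOMAIN and entropy thresholds are illustrative; in practice they are tuned per environment against a baseline of normal traffic, which is the "identify normal behaviour" step the article describes.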

DNS security is often overlooked by companies, but with more and more cyber attacks targeting businesses, it is a very important area. Protecting the DNS layer not only secures it, but also allows businesses to detect and fight cyber attacks before serious damage is done.
