The Truth Behind DNS-Based Attacks
July 19, 2016
Featured article by Craig Sanderson, Senior Director of Security Products, Infoblox
Fifty years ago, locking the front door was all we needed to feel safe and protected. We’ve come a long way since then. Nowadays, we live digital and connected lives that unfortunately expose us to new threats on a daily basis. No matter how much we try to protect our home from intruders, cyber criminals already live within our walls when we connect to the internet.
Similarly, enterprise IT networks have evolved to a point where the level of interconnectivity and interaction with the outside world has made basic network defenses, focused on blocking outside threats, all but obsolete. One reason is that the Domain Name System (DNS), which nearly every network transaction depends on and which most perimeter controls let through unexamined, has become a significant channel for malicious activity. DNS threats, from botnet command and control to DNS tunneling, highlight the porous nature of modern IT networks, with risk present in every transaction, every email, down to nearly every click.
In fact, a recent study found that four out of five enterprise networks showed evidence of malware activity carried out by abusing DNS traffic. In the first quarter of 2016, Infoblox received 519 files capturing recent DNS traffic from 235 customers across a wide range of industries and geographies. The files were then run through security assessments to look for suspicious activity. The results found that 83 percent of all files uploaded showed evidence of suspicious activity, including botnets (54%), protocol anomalies (54%), DNS tunneling (18%), ZeuS malware (17%), and distributed denial of service (DDoS) traffic (15%). The categories are not exclusive, since one capture can show several kinds of activity, so the percentages do not sum to 100.
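To make the kind of assessment described above concrete, here is an added example (not Infoblox's assessment code) of the per-client, per-domain statistics an analyst would compute over DNS query logs to spot tunneling-shaped traffic: query volume, length and entropy of the leftmost label, the share of record types that carry arbitrary payload, and subdomain churn. The log lines are constructed for the example in a BIND-style querylog format, the domain names are invented, and the thresholds are assumed starting points rather than vendor figures.

```python
import math
import re
from collections import defaultdict

# Constructed BIND-style querylog lines (not captured traffic). The first client
# browses normally; the second sends many TXT queries with long, high-entropy
# leftmost labels to one domain, the classic shape of a DNS tunnel.
NORMAL_LINES = [
    "client 10.0.4.21#51322: query: www.example.com IN A + (10.0.0.53)",
    "client 10.0.4.21#51323: query: mail.example.com IN MX + (10.0.0.53)",
    "client 10.0.4.21#51324: query: www.example.com IN AAAA + (10.0.0.53)",
    "client 10.0.4.21#51325: query: cdn.example.com IN A + (10.0.0.53)",
    "client 10.0.4.21#51326: query: www.example.com IN A + (10.0.0.53)",
    "client 10.0.4.21#51327: query: api.example.com IN A + (10.0.0.53)",
]
# Encoded payload labels: rotations of one 32-distinct-character string, so the
# per-label entropy is exactly log2(32) = 5 bits and the example is deterministic.
_BASE = "aq3xk9zm2bf7vt4nh8rj6yw1cp5es0dg"
TUNNEL_LINES = [
    "client 10.0.4.77#%d: query: %s.t.exfil-example.net IN TXT + (10.0.0.53)"
    % (40001 + k, _BASE[k:] + _BASE[:k])
    for k in range(8)
]
# A third client with only two long queries: too little volume to judge.
SPARSE_LINES = [
    "client 10.0.4.90#61000: query: %s.u.other-example.org IN TXT + (10.0.0.53)" % _BASE,
    "client 10.0.4.90#61001: query: %s.u.other-example.org IN TXT + (10.0.0.53)" % _BASE[::-1],
]
SAMPLE_LINES = NORMAL_LINES + TUNNEL_LINES + SPARSE_LINES

# Tolerates both the older "client IP#port:" and newer "client @ptr IP#port (name):" forms.
LINE_RE = re.compile(r"client (?:\S+ )?(\S+?)#\d+.*?query: (\S+) IN (\S+)")


def parse_line(line):
    """Return (client_ip, qname, qtype) from a querylog line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    client, qname, qtype = m.groups()
    return client, qname.rstrip(".").lower(), qtype.upper()


def shannon_entropy(s):
    """Bits per character; encoded payload scores far higher than ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. Real tooling
    # should consult the public suffix list (co.uk and similar).
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def assess(lines, min_queries=5, min_reasons=2):
    """Group queries by (client, registered domain) and flag tunnelling-shaped traffic."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "len": 0, "ent": 0.0, "payload": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        st = stats[(client, registered_domain(qname))]
        leftmost = qname.split(".")[0]
        st["n"] += 1
        st["names"].add(qname)
        st["len"] += len(leftmost)
        st["ent"] += shannon_entropy(leftmost)
        if qtype in ("TXT", "NULL"):  # record types that carry arbitrary payload
            st["payload"] += 1
    findings = []
    for (client, domain), st in sorted(stats.items()):
        n = st["n"]
        if n < min_queries:  # too few queries to judge; one odd lookup is not a tunnel
            continue
        avg_len, avg_ent = st["len"] / n, st["ent"] / n
        payload_share, churn = st["payload"] / n, len(st["names"]) / n
        reasons = []
        if avg_len >= 25:
            reasons.append("long leftmost label")
        if avg_ent >= 3.5:
            reasons.append("high-entropy labels")
        if payload_share >= 0.5:
            reasons.append("mostly TXT/NULL queries")
        if churn >= 0.9:
            reasons.append("nearly every query a fresh subdomain")
        if len(reasons) >= min_reasons:  # require corroborating signals to limit false positives
            findings.append({"client": client, "domain": domain, "queries": n,
                             "avg_label_len": avg_len, "avg_entropy": avg_ent,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_LINES):
        print(finding)
```

Run against the constructed sample, only the 10.0.4.77 to exfil-example.net pair is flagged; the browsing client trips none of the heuristics, and the two-query client is skipped by the volume threshold. Requiring two corroborating signals matters in practice because CDNs and anti-virus vendors legitimately issue long, random-looking labels, though usually over A/AAAA queries and to a small, stable set of names.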
With DNS-based attacks continuing to be an attractive channel for hackers, it is clear that IT organizations need to give DNS security the attention it deserves. To mitigate DNS-based attacks, organizations can do the following:
- Communication Comes First – Meet with your IT teams to determine who in your organization is responsible for DNS security. Discuss the different systems, tools and processes already in place to monitor and mitigate DNS attacks. For instance, would you know if an attack was happening? And what the best way is to stop it? Finally, it’s time to put words into action and build a DNS-based security infrastructure that can stand up to today’s extreme threat levels.
- Harden Your Infrastructure – Behind every DNS infrastructure should be a dedicated DNS appliance that minimizes its attack surface: no extra or unused ports open on the servers, no root login to the underlying OS, and role-based access control to keep administrative actions scoped. The appliance should also require two-factor authentication for administrative logins, serve its web interface only over HTTPS, and protect API access with TLS.
- Integrate and Consolidate – Many organizations implement security technologies from a variety of vendors while also gathering threat intelligence from multiple sources. This creates confusion and causes inefficiencies in processes and security protocols. To fix this problem and eliminate the DNS blind spot, organizations can implement a platform that delivers security from the core of their network. This would bring together threat intelligence, remove security silos, and help organizations manage risk.
- Guard Against External Attacks – Look for a solution that provides built-in, intelligent attack protection that tracks the source IPs of DNS requests. It should rate-limit and drop excessive requests from a single source IP, preserving capacity for legitimate queries. Because DNS runs mostly over UDP, source addresses can be forged, so per-source limits mainly curb floods from real clients and compromised hosts; reflection attacks that spoof a victim's address need response rate limiting and an end to open recursion as well. The vendor should also track newly disclosed DNS vulnerabilities and ship protections for them promptly.
- Don’t Forget the Firewalls – To protect against APTs, malware, and data exfiltration, consider a DNS firewall. A DNS firewall protects against these threats by enforcing response policies on queries from infected endpoints for suspicious domains (the mechanism resolvers such as BIND expose as response policy zones, RPZ), returning a blocking or redirecting answer instead of the real one; by consuming an automated, customizable threat-intelligence feed to keep those policies current; and by reporting on blocked queries, including threat severity and impact and the location of the querying device.
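The two controls in the last two items, per-source rate limiting and a response policy in front of resolution, can be sketched together. The following is an added example (not Infoblox's product code) of a resolver front-end that first applies a token bucket per client address and then checks the query name against an ordered policy list before letting it resolve. The policy rules, the subnet-to-site map used to locate an infected device, and the walled-garden redirect target are all assumed, invented values.

```python
import ipaddress


class TokenBucket:
    """Per-source limiter: `rate` tokens refilled per second, `burst` capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # bucket empty: caller drops the query, spending nothing on it


# Assumed response-policy format, RPZ-like: rules are checked in order and the
# first match wins; "*.name" matches any subdomain (not the apex), a bare name
# matches exactly. Domains and severities are constructed for the example.
POLICY = [
    ("status.bad-example.net", "passthru", "none"),                    # explicit allow
    ("*.bad-example.net", "nxdomain", "high"),                         # C2 family
    ("bad-example.net", "nxdomain", "high"),
    ("*.tracker-example.com", "redirect:walledgarden.corp.example", "low"),
    ("dropme-example.org", "drop", "medium"),
]

# Assumed subnet-to-site map, the "location of infected devices" in reports.
SITES = [
    (ipaddress.ip_network("10.0.4.0/24"), "HQ-floor2"),
    (ipaddress.ip_network("10.0.9.0/24"), "Branch-NY"),
]


def site_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, name in SITES:
        if addr in net:
            return name
    return "unknown"


def match_policy(qname):
    """Return (pattern, action, severity) of the first matching rule, or None."""
    name = qname.rstrip(".").lower()
    for pattern, action, severity in POLICY:
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):  # ".bad-example.net" keeps notbad-example.net out
                return pattern, action, severity
        elif name == pattern:
            return pattern, action, severity
    return None


class ResolverFrontEnd:
    def __init__(self, rate=20.0, burst=5.0):
        self.rate, self.burst = rate, burst
        self.buckets = {}
        self.events = []  # policy hits: what the DNS firewall would report on

    def handle(self, client_ip, qname, qtype, now):
        """Decide what to do with one query; returns {"action": ..., "reason": ...}."""
        bucket = self.buckets.setdefault(client_ip, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return {"action": "drop", "reason": "rate-limit"}
        hit = match_policy(qname)
        if hit is None:
            return {"action": "resolve", "reason": "no-policy"}
        pattern, action, severity = hit
        if action == "passthru":
            return {"action": "resolve", "reason": "passthru:" + pattern}
        self.events.append({"time": now, "client": client_ip, "site": site_of(client_ip),
                            "qname": qname, "qtype": qtype, "rule": pattern,
                            "action": action, "severity": severity})
        return {"action": action, "reason": "policy:" + pattern}


if __name__ == "__main__":
    fe = ResolverFrontEnd(rate=10.0, burst=5.0)
    for _ in range(6):
        print(fe.handle("10.0.4.21", "www.example.com", "A", 100.0))
    print(fe.handle("10.0.9.14", "c2.bad-example.net", "A", 200.0))
    print(fe.events)
```

Rule order is the point of the passthru entry: a known-good host under an otherwise blocked zone must appear before the wildcard, exactly as an operator would maintain local overrides ahead of a vendor feed. The events list carries the client address, its site and the rule severity, which is the data a report on infected devices is built from.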
The pervasive interconnectivity of networks has blurred the lines of defense. It’s no longer a matter of keeping the bad guys out. With the prevalence of today’s threats, chances are, they are already in. Security professionals have been warning us for some time that a perimeter defense is no longer sufficient because almost all large enterprise networks have been compromised in some way. What we need to do now is find and remediate threats inside the network before they cause significant damage.