This post is the last of four in a series on best practices for using DNS to protect your overall network.
DNS is the very core of the Internet: for decades it has been directing traffic from client devices to application endpoints over IP networks. Yet only recently have security teams started to treat this component as a legitimate part of the security ecosystem. It should have been obvious: because almost every connection starts with a name lookup, DNS has unique visibility over every kind of network activity, which allows quick detection of both suspicious clients and suspicious domains. But the Domain Name System's architecture, open by design, can also be a weakness. Many internal DNS servers are an open door to the Internet without anybody knowing it (a resolver that answers recursive queries from any source, or a server that allows unrestricted zone transfers, are typical cases). Missing the opportunity to use your DNS to secure your network would therefore be a serious mistake.
Quickly detect suspicious behaviors
DNS plays a key role in the kill chain, whenever it is diverted from its primary function, at each stage of an attack:
- Firstly, it is a useful reconnaissance tool for gaining visibility over an internal network, through zone transfers (AXFR) and DNS rebinding.
- It is also a powerful weapon for denial-of-service attacks (amplification and reflection, since a small query can trigger a large response towards a spoofed source address).
- Often, it is a practical channel for delivering a weaponized payload through phishing, domain squatting or domain hijacking (Cisco's 2018 Annual Security Report states that 60% of analyzed domains are associated with phishing attacks).
- For APTs, it is a critical component of most command-and-control (C&C) platforms (according to Cisco's 2016 Annual Security Report, 91.6% of malware relies on DNS).
- Finally, it is the most insidious option for exfiltrating data from a secured network, since outbound DNS is almost always allowed.
Because of this major role in the attack chain, an efficient DNS analytics solution should be part of the essential tooling of any SOC. However, analyzing DNS queries is challenging because of the vast number of registered domains.
Verisign's 2018 report on the global domain name industry states that the Internet currently has over 350 million registered domain names, a number bound to grow rapidly, with about 8 million new domains registered each year. Most of them are legitimate, many are compromised, and a significant number are registered specifically for malicious purposes. Detecting those domains and the associated traffic takes much time, effort and serious skills, so it is wise to subscribe to threat intelligence to maximize your chances of detecting malicious traffic. Integrating the feed with secure DNS engines (for example through a response policy zone that blocks or redirects listed domains) will supply your SIEM with invaluable security events.
Prevent data theft through DNS
Data theft can be extremely difficult to detect, so incidents are often noticed only long after the exfiltration has been completed. Among the available vectors, cybercriminals regard DNS as one of the most discreet. Because DNS traffic is rarely analyzed (only 32% of companies do so, per Cisco's 2016 Security Report) and is difficult to analyze in real time with perimeter inspection solutions, most exfiltration attempts relying on DNS succeed.
The main issue is that standard security solutions such as next-generation firewalls and IPS have very little insight into DNS traffic. Their visibility is limited to the queries they happen to sit in front of: either the recursive queries between client and resolver, or the iterative queries between the resolver and the authoritative servers. They do not see the DNS transaction as it is processed inside the recursive engine, so they cannot reconstruct a query's context (which client asked, for which name, how often, with what answer) or profile a client's behavior. As a result, they can only match known patterns and domains already reported as malicious once enough data has been collected, and they cannot prevent a targeted exfiltration attempt that uses a domain nobody has reported yet.
To identify and mitigate data theft, real-time DNS analytics is needed. This requires DNS Transaction Inspection (DTI), which provides behavioral threat detection in the context of each user. Adaptive countermeasures can then be applied (for instance rate-limiting a client rather than blocking it outright) so that legitimate user activity continues while data is prevented from crossing the company's network boundary.
The ability to initiate fast mitigation makes DNS an important part of the security ecosystem
DNS security components must participate in the overall network security framework by preventing connected devices from reaching malicious domains and the Internet resources behind them. Meanwhile, advanced DNS analytics have to run in real time, on specialized DNS security components, to prevent exfiltration attempts and help you build your own threat intelligence knowledge base. Events resulting from the analysis of DNS transactions, combined with external threat intelligence on domain reputation, should supplement traditional logs so that the SIEM can contextualize the threat by knowing a) why the request was identified as malicious (e.g. phishing) and b) who initiated it. Only then can you trigger the appropriate response across the network.
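To make the two preceding ideas concrete (behavioral detection of exfiltration in the context of each client, and SIEM events that carry both the "who" and the "why"), here is an added example. It is not code from the original post or from any DNS security product. The log format, the sample log lines, the threat-intelligence feed and the detection thresholds are all constructed for illustration; the registered-domain logic is a deliberate simplification (last two labels) where production code would consult the Public Suffix List.

```python
"""DNS transaction analytics over a constructed resolver log (added example).

Two detections, both producing SIEM-style events with "who" (client) and "why" (reason):
  1. reputation: the query name, or its registered domain, is on a threat-intel feed;
  2. behavior: one client sends many queries to one registered domain whose subdomain
     payloads are all distinct, long and high-entropy, the typical shape of a DNS tunnel.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one transaction per line: "<epoch> <client-ip> <qname> <qtype>".
# 10.0.0.7 sends a burst of TXT queries whose leftmost labels carry hex-encoded chunks.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.5 login-paypa1.example.net A
1700000003 10.0.0.7 4a6f686e20446f65.t1.example.org TXT
1700000003 10.0.0.7 2c20534c204e303132.t2.example.org TXT
1700000004 10.0.0.7 3334352d36372d38.t3.example.org TXT
1700000004 10.0.0.7 39302c204143.t4.example.org TXT
1700000005 10.0.0.7 5420313233343536.t5.example.org TXT
1700000005 10.0.0.7 37383930ab.t6.example.org TXT
1700000006 10.0.0.9 cdn.example.com A
"""

# Constructed threat-intelligence feed (domain -> reason), standing in for a subscribed feed.
THREAT_INTEL = {"login-paypa1.example.net": "phishing"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (ts, client, qname, qtype) for a matching line, None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return int(ts), client, qname.lower().rstrip("."), qtype.upper()


def registered_domain(qname):
    """Last two labels. Simplification: real code would use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_payload(qname):
    """Everything left of the registered domain, dots removed: where a tunnel puts its data."""
    return "".join(qname.split(".")[:-2])


def shannon_entropy(s):
    """Bits per character: 0 for 'www', roughly 3 for hex chunks, up to ~5 for base64 blobs."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, intel=THREAT_INTEL, min_queries=5, min_avg_len=12, min_avg_entropy=2.5):
    """Return a list of event dicts; thresholds are assumed values, tune them per environment."""
    events = []
    per_pair = defaultdict(list)  # (client, registered domain) -> [(qname, qtype), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, qtype = rec
        reg = registered_domain(qname)
        reason = intel.get(qname) or intel.get(reg)
        if reason:  # reputation hit: the feed already tells us why
            events.append({"client": client, "domain": qname, "reason": reason, "action": "block"})
        per_pair[(client, reg)].append((qname, qtype))

    for (client, reg), queries in per_pair.items():
        if len(queries) < min_queries:
            continue
        payloads = [subdomain_payload(q) for q, _ in queries]
        avg_len = sum(len(p) for p in payloads) / len(payloads)
        avg_entropy = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        all_distinct = len(set(payloads)) == len(payloads)  # every name is new: no cache hits
        txt_share = sum(1 for _, t in queries if t in ("TXT", "NULL")) / len(queries)
        if all_distinct and avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            events.append({
                "client": client, "domain": reg,
                "reason": "possible DNS tunneling/exfiltration",
                "action": "rate-limit",  # adaptive countermeasure: throttle, do not hard-block
                "evidence": {"queries": len(queries), "avg_payload_len": round(avg_len, 1),
                             "avg_entropy": round(avg_entropy, 2), "txt_share": round(txt_share, 2)},
            })
    return events


if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        print(event)
```

Run on the sample log this yields two events: a "block" for 10.0.0.5 querying the phishing domain on the feed, and a "rate-limit" for 10.0.0.7, whose six distinct, high-entropy TXT names under one domain match no feed entry and would be invisible to a purely reputation-based control. The behavioral rule is per (client, domain) pair on purpose: a single CDN with random-looking hostnames queried by hundreds of clients looks different from one host hammering one domain with never-repeating names.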
Bringing holistic network security
There is no doubt that DNS is a critical component of the global network security solution, both for recognizing unusual or malicious activity and for informing the broader security ecosystem. It complements traditional DLP solutions by keeping DNS from being used as a back door for data theft, and it contributes indicators of compromise and speeds up remediation of infected devices by providing IP data (to help locate those devices) to endpoint remediation solutions or NACs such as Cisco ISE. All this allows growing network risks to be addressed, protecting against lateral movement of threats and making DNS a key component of holistic network security.
Want to learn more DNS security best practices?
Download the white paper here.