SANS Institute exposed today’s top five new types of cybersecurity attack techniques, three of which are DNS-based, and how to counter them. Here’s what they had to say, and how Infoblox can help.
RSA Conference 2019 has come to a close, and the world’s biggest cybersecurity event has left its thousands of attendees with many takeaways. One of the most significant came from the SANS Institute’s keynote on the top five most dangerous new attack techniques and what to do about them. Three SANS Institute experts shared their insights in the keynote. DNS security took center stage throughout, as three of the top five emerging threats discussed were DNS-based attacks.
This blog summarizes the three DNS-based threats discussed in the keynote and provides further insights into the significance of how these threats impact organizations.
Today’s Top New DNS-Based Attacks as Advised by SANS Institute
DNS Infrastructure Manipulation, or DNSpionage
Ed Skoudis, SANS Faculty Fellow and Director of SANS Cyber Ranges and Team-Based Training, kicked off the keynote by diving right into DNS-based threats. SANS has seen DNS infrastructure manipulation, or DNSpionage, significantly impact organizations over the past several months.
Attackers are executing this sophisticated attack by hijacking and compromising millions of email and other credentials to log in as customers of DNS infrastructure providers and alter DNS records to point users to malicious web and mail servers. These DNS hijacks also allow attackers to have SSL encryption certificates issued for targeted domains, enabling them to decrypt intercepted email and web traffic and read it in plain text.
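As an added illustration (not Infoblox or SANS code), the following Python check compares the records observed for a zone against a defender-maintained baseline and reports drift, the kind of integrity check that surfaces the record rewrites described above. The baseline, the observed snapshot and the severity table are constructed assumptions; a real deployment would feed it records pulled from the registrar or authoritative servers on a schedule.

```python
# Added example (not Infoblox or SANS code): compare the records observed for a
# zone against a defender-maintained baseline and report drift, the integrity
# check that surfaces the record rewrites DNSpionage relies on.
from typing import Dict, List, Set, Tuple

RRSet = Dict[Tuple[str, str], Set[str]]   # (owner, type) -> set of rdata

def build_rrsets(records: List[Tuple[str, str, str]]) -> RRSet:
    """Group (owner, type, rdata) triples into record sets; order does not matter."""
    rrsets: RRSet = {}
    for owner, rtype, rdata in records:
        key = (owner.lower().rstrip("."), rtype.upper())
        rrsets.setdefault(key, set()).add(rdata.lower().rstrip("."))
    return rrsets

# Severity by record type: NS changes hand the whole zone to another server,
# MX changes redirect all mail, and a removed CAA record lets any CA issue certs.
SEVERITY = {"NS": "critical", "MX": "critical", "A": "high", "AAAA": "high", "CAA": "high"}

def find_drift(baseline: RRSet, observed: RRSet) -> List[dict]:
    """Report every (owner, type) whose observed rdata set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        want, got = baseline.get(key, set()), observed.get(key, set())
        if want != got:
            findings.append({"owner": key[0], "type": key[1],
                             "added": sorted(got - want), "removed": sorted(want - got),
                             "severity": SEVERITY.get(key[1], "medium")})
    return findings

# Constructed baseline and a constructed snapshot in which the web and mail hosts
# were repointed, the hijack pattern described above (example.com and the
# addresses are reserved documentation values).
BASELINE = build_rrsets([
    ("example.com", "NS", "ns1.example.com"), ("example.com", "NS", "ns2.example.com"),
    ("example.com", "A", "192.0.2.10"),
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "A", "192.0.2.25"),
])
OBSERVED = build_rrsets([
    ("example.com", "NS", "ns2.example.com"), ("example.com", "NS", "ns1.example.com"),
    ("example.com", "A", "198.51.100.7"),        # web traffic redirected
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "A", "198.51.100.25"),  # mail host redirected
])
```

Pairing this with certificate transparency monitoring for the same names catches the second half of the attack, the certificates issued for the hijacked domain.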
Domain Fronting
Skoudis then advised on the second most dangerous threat today, known as Domain Fronting, a surprisingly easy DNS-based attack to carry out. Domain Fronting is an undocumented feature of Content Delivery Networks (CDNs) and Cloud Service Providers that allows clients to proxy web traffic through them covertly. Attackers use this technique to circumvent Internet censorship by obscuring the true domain of an HTTPS connection, and can then reach cloud services that would otherwise be blocked by domain name, IP address or deep packet inspection. Skoudis explains that it is very useful for attackers to hide command-and-control channels and exfiltrate compromised data, even from the cloud, and advises against believing that such an issue will go away anytime soon.
DNS over TLS (DoT) and DNS over HTTPS (DoH)
The third panelist, Johannes Ullrich, Dean of Research at SANS, covered the third of today’s most dangerous attack techniques that is DNS-based: the security problems associated with DNS over TLS (DoT) and DNS over HTTPS (DoH). The story of DoT, DoH and the “last mile” DNS security problem arose in the news several months ago when the IETF proposed DoT and DoH as two mechanisms for securing communications between DNS clients and their local DNS servers.
However, as Ullrich and Infoblox agree, both of these mechanisms can be used in ways that aren’t in the best interest of any organization from a cybersecurity perspective. Both DoT and DoH encrypt communications between DNS clients and DNS servers, providing data privacy and integrity, and DNS clients can authenticate DNS servers over either protocol.
DoH is meant as a “poor user’s VPN” that protects the “last mile” of DNS traffic, and it should not be used on managed enterprise networks. Organizations will benefit more from blocking direct DNS traffic, including DoT and DoH, between internal IP addresses and DNS servers on the Internet, including those from Cloudflare. This simple measure forces users onto their company’s internal DNS infrastructure, which allows IT teams to apply DNS resolution policy and troubleshoot problems.
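As an added illustration (not code from the keynote or from Infoblox), the following Python detector runs over a few constructed flow/proxy log lines and flags the traffic the Domain Fronting and DoT/DoH sections above call out: DNS, DoT or DoH that bypasses the internal resolver, and HTTPS connections whose TLS SNI disagrees with the HTTP Host header, the on-the-wire indicator of domain fronting. The resolver address, the internal network range, the log format and the DoH endpoint list are assumptions a defender would replace with their own.

```python
# Added example (not from the SANS keynote or Infoblox): flag egress flows that
# bypass the internal resolver (direct DNS, DoT, DoH) or show an SNI/Host
# mismatch, the usual on-the-wire indicator of domain fronting.
import ipaddress
from typing import Dict, List, Tuple
INTERNAL_RESOLVERS = {"10.0.0.53"}                      # assumed corporate resolver
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed internal range
# Assumed defender-maintained list of public DoH endpoints; extend as needed.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line: str) -> Dict[str, str]:
    # Constructed key=value log format: src= dst= dport= [sni=] [host=]
    return dict(kv.split("=", 1) for kv in line.split())

def classify(rec: Dict[str, str]) -> str:
    """Return a finding label, or '' when the flow is allowed."""
    dst, dport = rec["dst"], int(rec["dport"])
    sni, host = rec.get("sni", ""), rec.get("host", "")
    if dport == 53 and dst not in INTERNAL_RESOLVERS and not is_internal(dst):
        return "direct-dns-bypass"      # plain DNS straight to an Internet resolver
    if dport == 853 and dst not in INTERNAL_RESOLVERS:
        return "dot-bypass"             # DNS over TLS to an outside resolver
    if dport == 443 and sni.lower() in DOH_HOSTS:
        return "doh-bypass"             # DoH hides inside ordinary HTTPS; match on SNI
    if sni and host and sni.lower() != host.lower():
        return "sni-host-mismatch"      # TLS says one domain, HTTP asks for another
    return ""

def scan(log: str) -> List[Tuple[str, str, str]]:
    findings = []
    for line in log.strip().splitlines():
        rec = parse_line(line)
        label = classify(rec)
        if label:
            findings.append((rec["src"], rec["dst"], label))
    return findings

# Constructed sample log; 203.0.113.0/24 is a reserved documentation range.
SAMPLE_LOG = """\
src=10.1.2.3 dst=10.0.0.53 dport=53
src=10.1.2.4 dst=8.8.8.8 dport=53
src=10.1.2.5 dst=1.1.1.1 dport=853
src=10.1.2.6 dst=203.0.113.9 dport=443 sni=cloudflare-dns.com host=cloudflare-dns.com
src=10.1.2.7 dst=203.0.113.10 dport=443 sni=cdn-front.example host=unrelated-origin.example
src=10.1.2.8 dst=203.0.113.11 dport=443 sni=www.example.com host=www.example.com
"""
```

The Host header is only visible where the gateway terminates TLS; without it, the fronting check cannot fire and the detector falls back to the direct-resolver, DoT and DoH rules.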
What Enterprises Can Do to Mitigate Risk from These Attacks
Infoblox is the leader in DNS Security and provides a comprehensive solution to keep enterprises free from the widest range of DNS-based cyberthreats.
Using signature-based approaches and integrity checks, Infoblox’s Advanced DNS Protection protects against DNS hijacking threats. This helps ensure that if DNS records are manipulated to point users to malicious web and mail servers, the change is detected and admins are notified. In addition, Advanced DNS Protection blocks DNS-based DDoS attacks such as amplification, reflection and NXDOMAIN floods, as well as DNS tunneling, to ensure that DNS services are resilient and stay available even under attack.
Organizations can also keep their data safe and detect malicious activity early using Infoblox ActiveTrust/ActiveTrust Cloud. To do this, companies must force their users onto their company’s internal DNS infrastructure and block direct DNS traffic. ActiveTrust/ActiveTrust Cloud provides foundational and scalable security using DNS as a first line of defense against known and zero-day threats, including data exfiltration, DGA, Fast Flux and fileless malware.